allow to log raw LDAP user data (#571)

docs/documentation/configuration/overview.md

@@ -745,6 +745,10 @@ Below are the properties for each LDAP provider entry inside `auth.ldap`:
   (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))
   ```
 
+#### `sync_log_user_info`
+- **Default:** `false`
+- **Description:** If `true`, logs LDAP user data at the trace level during synchronization.
+
 #### `disable_missing`
 - **Default:** `false`
 - **Description:** If `true`, any user **not** found in LDAP (during sync) is disabled in WireGuard Portal.

internal/app/users/user_manager.go

@@ -551,6 +551,12 @@ func (m Manager) updateLdapUsers(
 			return fmt.Errorf("failed to convert LDAP data for %v: %w", rawUser["dn"], err)
 		}
 
+		if provider.SyncLogUserInfo {
+			slog.Debug("ldap user data",
+				"raw-user", rawUser, "user", user.Identifier,
+				"is-admin", user.IsAdmin, "provider", provider.ProviderName)
+		}
+
 		existingUser, err := m.users.GetUser(ctx, user.Identifier)
 		if err != nil && !errors.Is(err, domain.ErrNotFound) {
 			return fmt.Errorf("find error for user id %s: %w", user.Identifier, err)

internal/config/auth.go

@@ -168,6 +168,8 @@ type LdapProvider struct {
 	SyncFilter string `yaml:"sync_filter"`
 	// SyncInterval is the interval between consecutive LDAP user syncs. If it is 0, sync is disabled.
 	SyncInterval time.Duration `yaml:"sync_interval"`
+	// If SyncLogUserInfo is set to true, the user info retrieved from the LDAP provider during a sync-run will be logged in trace level.
+	SyncLogUserInfo bool `yaml:"sync_log_user_info"`
 
 	// If RegistrationEnabled is set to true, wg-portal will create new users that do not exist in the database.
 	RegistrationEnabled bool `yaml:"registration_enabled"`