From d759fc7dc7df0143b6f5dbd373c20b17bf23ec06 Mon Sep 17 00:00:00 2001
From: Christoph
Date: Wed, 19 Nov 2025 16:00:11 +0100
Subject: [PATCH] allow to log raw LDAP user data (#571)

---
 docs/documentation/configuration/overview.md | 4 ++++
 internal/app/users/user_manager.go | 6 ++++++
 internal/config/auth.go | 2 ++
 3 files changed, 12 insertions(+)

diff --git a/docs/documentation/configuration/overview.md b/docs/documentation/configuration/overview.md
index e55a5d3..cad0040 100644
--- a/docs/documentation/configuration/overview.md
+++ b/docs/documentation/configuration/overview.md
@@ -745,6 +745,10 @@ Below are the properties for each LDAP provider entry inside `auth.ldap`:
 (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))
 ```
 
+#### `sync_log_user_info`
+- **Default:** `false`
+- **Description:** If `true`, logs LDAP user data at the trace level during synchronization.
+
 #### `disable_missing`
 - **Default:** `false`
 - **Description:** If `true`, any user **not** found in LDAP (during sync) is disabled in WireGuard Portal.
diff --git a/internal/app/users/user_manager.go b/internal/app/users/user_manager.go
index 11e8ac8..e15f8b4 100644
--- a/internal/app/users/user_manager.go
+++ b/internal/app/users/user_manager.go
@@ -551,6 +551,12 @@ func (m Manager) updateLdapUsers(
 			return fmt.Errorf("failed to convert LDAP data for %v: %w", rawUser["dn"], err)
 		}
 
+		if provider.SyncLogUserInfo {
+			slog.Debug("ldap user data",
+				"raw-user", rawUser, "user", user.Identifier,
+				"is-admin", user.IsAdmin, "provider", provider.ProviderName)
+		}
+
 		existingUser, err := m.users.GetUser(ctx, user.Identifier)
 		if err != nil && !errors.Is(err, domain.ErrNotFound) {
 			return fmt.Errorf("find error for user id %s: %w", user.Identifier, err)
diff --git a/internal/config/auth.go b/internal/config/auth.go
index 6f3892b..34dfec6 100644
--- a/internal/config/auth.go
+++ b/internal/config/auth.go
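Review bot: The new `slog.Debug` call in updateLdapUsers writes the record at debug level, while the `sync_log_user_info` entry in overview.md and the `SyncLogUserInfo` field comment in internal/config/auth.go (the hunk that follows) both promise "trace level", so an operator following the docs will look for the output at the wrong level. log/slog has no built-in trace level, so unless the project defines one (not visible here) the simplest fix is to change the doc line and the field comment to say `debug`; otherwise the call should become `slog.Log(ctx, TRACE_LEVEL_PLACEHOLDER, "ldap user data", ...)` with that project level. Because `rawUser` is the attribute map returned by the LDAP search (the line above indexes `rawUser["dn"]`), the record carries every attribute the sync filter returns, and a comment above the `if` such as `// Opt-in only: rawUser holds every LDAP attribute returned for the entry, which may include personal data, so this should stay off outside of troubleshooting.` would make that exposure explicit to the next maintainer. The body of updateLdapUsers starts and ends outside the hunk.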
@@ -168,6 +168,8 @@ type LdapProvider struct {
 	SyncFilter string `yaml:"sync_filter"`
 	// SyncInterval is the interval between consecutive LDAP user syncs. If it is 0, sync is disabled.
 	SyncInterval time.Duration `yaml:"sync_interval"`
+	// If SyncLogUserInfo is set to true, the user info retrieved from the LDAP provider during a sync-run will be logged in trace level.
+	SyncLogUserInfo bool `yaml:"sync_log_user_info"`
 	// If RegistrationEnabled is set to true, wg-portal will create new users that do not exist in the database.
 	RegistrationEnabled bool `yaml:"registration_enabled"`