feat: LDAP-Test zeigt klickbare Filter-Vorschläge (UCS/AD-Erkennung)

Nach erfolgreichem Verbindungstest werden passende Filter-Vorschläge
angezeigt. Erkennt automatisch Univention UCS (posixAccount) vs.
Active Directory (sAMAccountName). Klick übernimmt den Filter direkt
ins Formular. Vorschläge berücksichtigen mailPrimaryAddress (UCS).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/ldapauth/client.go

@@ -31,15 +31,24 @@ type LDAPUser struct {
 	Mail        string `json:"mail"`
 }
 
+// FilterSuggestion is a clickable filter preset shown after a successful test.
+type FilterSuggestion struct {
+	Label       string `json:"label"`
+	Filter      string `json:"filter"`
+	Description string `json:"description"`
+}
+
 // TestResult is the structured output of TestConnection.
 type TestResult struct {
-	OK          bool       `json:"ok"`
+	OK                bool               `json:"ok"`
-	Message     string     `json:"message"`
+	Message           string             `json:"message"`
-	LatencyMS   int64      `json:"latency_ms"`
+	LatencyMS         int64              `json:"latency_ms"`
-	ServerInfo  string     `json:"server_info"`
+	ServerInfo        string             `json:"server_info"`
-	UsersFound  int        `json:"users_found"`
+	UsersFound        int                `json:"users_found"`
-	Users       []LDAPUser `json:"users"`
+	Users             []LDAPUser         `json:"users"`
-	ErrorDetail string     `json:"error_detail"`
+	ObjectClasses     []string           `json:"object_classes"`
+	FilterSuggestions []FilterSuggestion `json:"filter_suggestions"`
+	ErrorDetail       string             `json:"error_detail"`
 }
 
 // TestConnection opens a connection to the LDAP server, binds with the service
@@ -72,15 +81,17 @@ func TestConnection(cfg Config) TestResult {
 	serverInfo := queryRootDSE(conn)
 
 	// Fetch user objects (capped at 500 for count, 50 for preview list)
-	usersFound, users := listUsers(conn, cfg.BaseDN)
+	usersFound, users, objectClasses := listUsers(conn, cfg.BaseDN)
 
 	return TestResult{
-		OK:         true,
+		OK:                true,
-		Message:    "Verbindung erfolgreich",
+		Message:           "Verbindung erfolgreich",
-		LatencyMS:  time.Since(start).Milliseconds(),
+		LatencyMS:         time.Since(start).Milliseconds(),
-		ServerInfo: serverInfo,
+		ServerInfo:        serverInfo,
-		UsersFound: usersFound,
+		UsersFound:        usersFound,
-		Users:      users,
+		Users:             users,
+		ObjectClasses:     objectClasses,
+		FilterSuggestions: generateFilterSuggestions(objectClasses, users),
 	}
 }
 
@@ -250,22 +261,33 @@ func FetchUsers(cfg Config) ([]LDAPUser, error) {
 	return users, nil
 }
 
-// listUsers searches for person/user objects and returns the total count (max 500)
+// listUsers searches for person/user objects and returns the total count (max 500),
-// plus a preview slice of up to 50 entries. Supports both AD (mail) and
+// a preview slice of up to 50 entries, and the distinct objectClass values found.
-// Univention UCS (mailPrimaryAddress) mail attributes.
+func listUsers(conn *ldapv3.Conn, baseDN string) (int, []LDAPUser, []string) {
-func listUsers(conn *ldapv3.Conn, baseDN string) (int, []LDAPUser) {
 	req := ldapv3.NewSearchRequest(
 		baseDN,
 		ldapv3.ScopeWholeSubtree,
 		ldapv3.NeverDerefAliases,
 		500, 30, false,
 		"(|(objectClass=person)(objectClass=user)(objectClass=inetOrgPerson))",
-		[]string{"dn", "uid", "cn", "displayName", "mail", "mailPrimaryAddress"},
+		[]string{"dn", "uid", "cn", "displayName", "mail", "mailPrimaryAddress", "objectClass", "sAMAccountName"},
 		nil,
 	)
 	res, err := conn.Search(req)
 	if err != nil {
-		return 0, nil
+		return 0, nil, nil
+	}
+
+	// Collect distinct objectClass values across all entries.
+	ocSet := map[string]struct{}{}
+	for _, e := range res.Entries {
+		for _, oc := range e.GetAttributeValues("objectClass") {
+			ocSet[oc] = struct{}{}
+		}
+	}
+	objectClasses := make([]string, 0, len(ocSet))
+	for oc := range ocSet {
+		objectClasses = append(objectClasses, oc)
 	}
 
 	preview := make([]LDAPUser, 0, min(50, len(res.Entries)))
@@ -281,13 +303,99 @@ func listUsers(conn *ldapv3.Conn, baseDN string) (int, []LDAPUser) {
 		if displayName == "" {
 			displayName = e.GetAttributeValue("cn")
 		}
+		uid := e.GetAttributeValue("uid")
+		if uid == "" {
+			uid = e.GetAttributeValue("sAMAccountName")
+		}
 		preview = append(preview, LDAPUser{
 			DN:          e.DN,
-			UID:         e.GetAttributeValue("uid"),
+			UID:         uid,
 			DisplayName: displayName,
 			Mail:        mail,
 		})
 	}
-	return len(res.Entries), preview
+	return len(res.Entries), preview, objectClasses
+}
+
+// generateFilterSuggestions builds clickable filter presets based on the
+// objectClasses and user attributes found in the directory.
+func generateFilterSuggestions(objectClasses []string, users []LDAPUser) []FilterSuggestion {
+	ocSet := map[string]bool{}
+	for _, oc := range objectClasses {
+		ocSet[strings.ToLower(oc)] = true
+	}
+
+	hasMailPrimary := false
+	for _, u := range users {
+		if strings.Contains(u.Mail, "@") {
+			hasMailPrimary = true
+			break
+		}
+	}
+
+	isUCS := ocSet["posixaccount"] || ocSet["shadowaccount"]
+	isAD := ocSet["user"] && !isUCS
+
+	var s []FilterSuggestion
+
+	if isUCS {
+		s = append(s,
+			FilterSuggestion{
+				Label:       "UCS: Login per uid",
+				Filter:      "(uid=%s)",
+				Description: "Standard-Login-Filter für Univention UCS",
+			},
+		)
+		if hasMailPrimary {
+			s = append(s,
+				FilterSuggestion{
+					Label:       "UCS: Nur Benutzer mit Postfach",
+					Filter:      "(&(uid=%s)(mailPrimaryAddress=*))",
+					Description: "Nur UCS-Benutzer mit aktiviertem Postfach (mailPrimaryAddress)",
+				},
+			)
+		}
+		s = append(s,
+			FilterSuggestion{
+				Label:       "UCS: Personen ohne Systemkonten",
+				Filter:      "(&(uid=%s)(!(uid=*$)))",
+				Description: "Schließt Computerkonten (uid endet auf $) aus",
+			},
+		)
+	}
+
+	if isAD {
+		s = append(s,
+			FilterSuggestion{
+				Label:       "AD: Login per sAMAccountName",
+				Filter:      "(sAMAccountName=%s)",
+				Description: "Standard-Login-Filter für Active Directory",
+			},
+		)
+		s = append(s,
+			FilterSuggestion{
+				Label:       "AD: Nur Benutzer mit E-Mail",
+				Filter:      "(&(sAMAccountName=%s)(mail=*))",
+				Description: "AD-Benutzer mit gesetzter E-Mail-Adresse",
+			},
+		)
+		s = append(s,
+			FilterSuggestion{
+				Label:       "AD: Keine Computerkonten",
+				Filter:      "(&(sAMAccountName=%s)(!(objectClass=computer)))",
+				Description: "Schließt Computerkonten aus",
+			},
+		)
+	}
+
+	if !isUCS && !isAD {
+		s = append(s,
+			FilterSuggestion{Label: "uid", Filter: "(uid=%s)", Description: "Login per uid-Attribut"},
+			FilterSuggestion{Label: "sAMAccountName", Filter: "(sAMAccountName=%s)", Description: "Login per sAMAccountName (Active Directory)"},
+			FilterSuggestion{Label: "mail", Filter: "(mail=%s)", Description: "Login per E-Mail-Adresse"},
+		)
+	}
+
+	return s
 }
 

src/components/admin/tabs/LDAPTab.tsx

@@ -1,6 +1,6 @@
 "use client";
 
-import { type LDAPConfig, type LDAPTestResult } from "@/lib/api";
+import { type LDAPConfig, type LDAPTestResult, type LDAPFilterSuggestion } from "@/lib/api";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
@@ -303,6 +303,27 @@ export function LDAPTab({
                     </div>
                   </div>
                 )}
+                {ldapTestResult.ok && ldapTestResult.filter_suggestions?.length > 0 && (
+                  <div className="space-y-2 pt-1">
+                    <p className="text-xs font-medium text-muted-foreground">Filter-Vorschläge — klicken zum Übernehmen:</p>
+                    <div className="flex flex-wrap gap-2">
+                      {ldapTestResult.filter_suggestions.map((s: LDAPFilterSuggestion, i: number) => (
+                        <button
+                          key={i}
+                          type="button"
+                          title={s.description}
+                          onClick={() => setLdapForm((f) => ({ ...f, user_filter: s.filter }))}
+                          className="inline-flex items-center px-2 py-1 rounded text-xs border border-border bg-muted hover:bg-accent hover:text-accent-foreground transition-colors cursor-pointer font-mono"
+                        >
+                          {s.label}
+                        </button>
+                      ))}
+                    </div>
+                    <p className="text-xs text-muted-foreground">
+                      <span className="font-mono">%s</span> wird beim Login durch den Benutzernamen ersetzt
+                    </p>
+                  </div>
+                )}
               </CardContent>
             </Card>
           )}

src/components/admin/tabs/TenantLDAPTab.tsx

@@ -1,6 +1,6 @@
 "use client";
 
-import { type TenantLDAPConfig, type LDAPTestResult } from "@/lib/api";
+import { type TenantLDAPConfig, type LDAPTestResult, type LDAPFilterSuggestion } from "@/lib/api";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
@@ -314,6 +314,27 @@ export function TenantLDAPTab({
                     </div>
                   </div>
                 )}
+                {tenantLdapTestResult.ok && tenantLdapTestResult.filter_suggestions?.length > 0 && (
+                  <div className="space-y-2 pt-1">
+                    <p className="text-xs font-medium text-muted-foreground">Filter-Vorschläge — klicken zum Übernehmen:</p>
+                    <div className="flex flex-wrap gap-2">
+                      {tenantLdapTestResult.filter_suggestions.map((s: LDAPFilterSuggestion, i: number) => (
+                        <button
+                          key={i}
+                          type="button"
+                          title={s.description}
+                          onClick={() => setTenantLdapForm((f) => ({ ...f, user_filter: s.filter }))}
+                          className="inline-flex items-center px-2 py-1 rounded text-xs border border-border bg-muted hover:bg-accent hover:text-accent-foreground transition-colors cursor-pointer font-mono"
+                        >
+                          {s.label}
+                        </button>
+                      ))}
+                    </div>
+                    <p className="text-xs text-muted-foreground">
+                      <span className="font-mono">%s</span> wird beim Login durch den Benutzernamen ersetzt
+                    </p>
+                  </div>
+                )}
               </CardContent>
             </Card>
           )}

src/lib/api/index.ts

@@ -30,6 +30,7 @@ export type {
   LDAPConfig,
   LDAPTestUser,
   LDAPTestResult,
+  LDAPFilterSuggestion,
 } from "./ldap";
 export {
   getLDAPConfig,

src/lib/api/ldap.ts

@@ -30,6 +30,12 @@ export interface LDAPTestUser {
   mail: string;
 }
 
+export interface LDAPFilterSuggestion {
+  label: string;
+  filter: string;
+  description: string;
+}
+
 export interface LDAPTestResult {
   ok: boolean;
   message: string;
@@ -37,6 +43,8 @@ export interface LDAPTestResult {
   server_info: string;
   users_found: number;
   users: LDAPTestUser[];
+  object_classes: string[];
+  filter_suggestions: LDAPFilterSuggestion[];
   error_detail: string;
 }