From d1fc2bd6f6f759cef6b2ad35289e520d3a966a6e Mon Sep 17 00:00:00 2001
From: Jason O'Donnell <2160810+jasonodonnell@users.noreply.github.com>
Date: Wed, 27 Mar 2024 14:19:57 -0400
Subject: [PATCH] Add lower case user attribute keys configs

---
 ldap/client.go | 6 +++++-
 ldap/config.go | 5 +++++
 ldap/options.go | 31 ++++++++++++++++++++++---------
 3 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/ldap/client.go b/ldap/client.go
index e559c46..d2211f4 100644
--- a/ldap/client.go
+++ b/ldap/client.go
@@ -273,7 +273,11 @@ func (c *Client) Authenticate(ctx context.Context, username, password string, op
 return nil, fmt.Errorf("%s: failed to get user attributes: %w", op, err)
 }
 for _, a := range attrs {
- userAttrs[strings.ToLower(a.Name)] = a.Vals
+ name := a.Name
+ if c.conf.LowerUserAttributeKeys || opts.withLowerUserAttributeKeys {
+ name = strings.ToLower(a.Name)
+ }
+ userAttrs[name] = a.Vals
 }
 }
 if !opts.withGroups && !c.conf.IncludeUserGroups {
diff --git a/ldap/config.go b/ldap/config.go
index 97bddca..b09f830 100644
--- a/ldap/config.go
+++ b/ldap/config.go
@@ -200,6 +200,11 @@ type ClientConfig struct {
 // AD (unicodePwd) will always be excluded.
 ExcludedUserAttributes []string
 
+ // LowerUserAttributeKeys optionally specifies that the authenticating user's
+ // DN and attributes be included in AuthResult use lowercase key names rather
+ // than the default camel case.
+ LowerUserAttributeKeys bool
+
 // IncludeUserGroups optionally specifies that the authenticating user's
 // group membership be included an authentication AuthResult.
 IncludeUserGroups bool
diff --git a/ldap/options.go b/ldap/options.go
index 7a2a79d..6ea4619 100644
--- a/ldap/options.go
+++ b/ldap/options.go
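Review bot: The default result of the attribute loop in client.go changes for every existing caller: the removed line lowercased each key unconditionally, while the new branch keeps `a.Name` as the directory returned it unless `c.conf.LowerUserAttributeKeys` or `opts.withLowerUserAttributeKeys` is set. A consumer that looks up the returned attribute map by lowercase key (for group or policy mapping, say) would then miss silently, and because LDAP attribute descriptions are case-insensitive the preserved case is whatever the server chose to send. I would state that above the branch, `// Keys keep the case the directory returned unless lowercasing was requested; LDAP attribute names are case-insensitive, so callers must not depend on a particular case.`, and call the default change out in the release notes. The flag test is loop-invariant and could be computed once before the `for`, and the diffstat lists no test file, so neither path is covered by this patch. Authenticate's body starts and ends outside the hunk.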
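Review bot: The doc comment added for `LowerUserAttributeKeys` in config.go does not parse as a sentence and calls the default "camel case", whereas the client.go hunk shows the default is the attribute name exactly as the directory returned it. It also mentions the user's DN, but the only visible use of the flag lowercases attribute map keys; if the DN is not affected, it should not appear in the comment. Suggested wording: `// LowerUserAttributeKeys optionally specifies that the keys of the user attribute map in AuthResult are lowercased; by default they keep the case returned by the directory.` The ClientConfig struct starts and ends outside the hunk.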
@@ -8,15 +8,16 @@ package ldap
 type Option func(interface{})
 
 type configOptions struct {
- withURLs []string
- withInsecureTLS bool
- withTLSMinVersion string
- withTLSMaxVersion string
- withCertificates []string
- withClientTLSCert string
- withClientTLSKey string
- withGroups bool
- withUserAttributes bool
+ withURLs []string
+ withInsecureTLS bool
+ withTLSMinVersion string
+ withTLSMaxVersion string
+ withCertificates []string
+ withClientTLSCert string
+ withClientTLSKey string
+ withGroups bool
+ withUserAttributes bool
+ withLowerUserAttributeKeys bool
 }
 
 func configDefaults() configOptions {
@@ -75,6 +76,18 @@ func WithUserAttributes() Option {
 }
 }
 
+// WithLowerUserAttributeKeys returns a User Attribute map where the keys
+// are all cast to lower case. This is neccessary for some clients, such as Vault,
+// where user configured user attribute key names have always been stored lower case.
+func WithLowerUserAttributeKeys() Option {
+ return func(o interface{}) {
+ switch v := o.(type) {
+ case *configOptions:
+ v.withLowerUserAttributeKeys = true
+ }
+ }
+}
+
 func withTLSMinVersion(version string) Option {
 return func(o interface{}) {
 switch v := o.(type) {
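Review bot: The doc comment on `WithLowerUserAttributeKeys` says the function "returns a User Attribute map", but the body returns an `Option` that only sets `withLowerUserAttributeKeys` on a `*configOptions`; "neccessary" is also misspelled. The comment should say what the option toggles, and, if the lowercasing loop in Authenticate runs only when user attributes are requested (that guard is outside the visible hunks), that the option has no effect on its own. Proposed text: `// WithLowerUserAttributeKeys requests that the keys of the returned user attribute map be lowercased. Some clients, such as Vault, have always stored configured attribute names in lower case.`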