Reisacher-Forderung/app/auth.py

import os
from typing import Optional

from ldap3 import ALL, NTLM, Connection, Server


def ldap_authenticate(username: str, password: str) -> Optional[dict]:
    ldap_url = os.environ.get("LDAP_URL")
    ldap_user_dn = os.environ.get("LDAP_USER_DN")
    ldap_base = os.environ.get("LDAP_BASE_DN")
    if not ldap_url:
        # Fallback mock for local development: accept any user with password 'password'
        if password == "password":
            return {"username": username, "groups": ["local"]}
        return None

    try:
        server = Server(ldap_url, get_info=ALL)
        conn = Connection(server, user=username, password=password, auto_bind=True)
        # Simple success -> return username; group resolution left for future
        return {"username": username, "groups": []}
    except Exception:
        return None