Makefile

@@ -1,8 +1,5 @@
-build: clean generate
-	CGO_ENABLED=0 misc/script/build
-
-generate:
-	go generate ./...
+build: clean
+	misc/script/build
 
 clean:
 	rm -rf bin

internal/identp/identp.go

@@ -171,7 +171,7 @@ func newLoginEndHandler(ra oa2LoginReqAcceptor, auther authenticator, tmplRender
 		data := LoginTmplData{
 			CSRFToken: nosurf.Token(r),
 			Challenge: challenge,
-			LoginURL:  strings.TrimPrefix(r.URL.String(), "/"),
+			LoginURL:  r.URL.String(),
 		}
 
 		username, password := r.Form.Get("username"), r.Form.Get("password")

internal/ldapclient/ldapclient.go

@@ -193,7 +193,7 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) (map[str
 		return nil, err
 	}
 
-	roles := make([]map[string]interface{}, 0)
+	roles := make(map[string]interface{})
 	for _, entry := range entries {
 		roleDN, ok := entry["dn"].(string)
 		if !ok || roleDN == "" {
@@ -211,8 +211,21 @@ func (cli *Client) FindOIDCClaims(ctx context.Context, username string) (map[str
 		if n < k || !strings.EqualFold(roleDN[n-k:], cli.RoleBaseDN) {
 			panic("You should never see that")
 		}
+		// The DN without the role's base DN must contain a CN and OU
+		// where the CN is for uniqueness only, and the OU is an application id.
+		path := strings.Split(roleDN[:n-k-1], ",")
+		if len(path) != 2 {
+			log.Infow("A role's DN without the role's base DN must contain two nodes only",
+				"roleBaseDN", cli.RoleBaseDN, "roleDN", roleDN)
+			continue
+		}
+		appID := path[1][len("OU="):]
 
-		roles = append(roles, entry)
+		var appRoles []interface{}
+		if v := roles[appID]; v != nil {
+			appRoles = v.([]interface{})
+		}
+		roles[appID] = append(appRoles, entry[cli.RoleAttr])
 	}
 	claims[cli.RoleClaim] = roles