Joomla: Add LDAP autocreate plugin support

- Introduced autocreate_users feature flag in config/main.yml - Added ldapautocreate.php and ldapautocreate.xml plugin files - Implemented tasks/01_ldap_files.yml for plugin deployment - Added tasks/05_ldap.yml to configure LDAP plugin and register ldapautocreate - Renamed tasks for better structure (01→02, 02→03, etc.) - Updated cli-ldap.php.j2 for clean parameter handling - Mounted ldapautocreate plugin via docker-compose.yml.j2 - Extended vars/main.yml with LDAP autocreate configuration Ref: https://chatgpt.com/share/68b0802f-bfd4-800f-b10a-57cf0c091f7e
2025-08-30 07:18:09 +02:00 · 2025-08-28 18:13:53 +02:00
parent 18f3b1042f
commit ef801aa498
15 changed files with 326 additions and 119 deletions
--- a/roles/web-app-joomla/config/main.yml
+++ b/roles/web-app-joomla/config/main.yml
@@ -1,3 +1,4 @@
 autocreate_users:     true # Autocreate LDAP users on Login
 features:
  matomo:             true
  css:                true
--- a/roles/web-app-joomla/files/ldapautocreate.php
+++ b/roles/web-app-joomla/files/ldapautocreate.php
@@ -0,0 +1,108 @@
 <?php
 /**
 * System plugin that auto-creates a Joomla user after successful LDAP authentication.
 * It reads the LDAP Auth plugin params from #__extensions (folder=authentication, element=ldap),
 * looks up cn/mail for the authenticated uid, and creates a local Joomla user if missing.
 */
 defined('_JEXEC') || die;
 use Joomla\CMS\Factory;
 use Joomla\CMS\Plugin\CMSPlugin;
 use Joomla\CMS\User\User;
 use Joomla\Database\DatabaseDriver;
 use Joomla\Authentication\Authentication;
 class PlgSystemLdapautocreate extends CMSPlugin
 {
    protected $app;
    /**
     * Runs after authentication handlers; fires for both frontend and backend.
     * @param array $options Contains 'username' and more after auth
     * @return void
     */
    public function onUserAfterAuthenticate($options, $response)
    {
        // Only proceed on success
        if (($response->status ?? null) !== Authentication::STATUS_SUCCESS) {
            return;
        }
        $username = $response->username ?? $options['username'] ?? null;
        if (!$username) {
            return;
        }
        /** @var DatabaseDriver $dbo */
        $dbo = Factory::getDbo();
        // If user already exists locally, nothing to do
        $exists = (int) $dbo->setQuery(
            $dbo->getQuery(true)
                ->select('COUNT(*)')
                ->from($dbo->quoteName('#__users'))
                ->where($dbo->quoteName('username') . ' = ' . $dbo->quote($username))
        )->loadResult();
        if ($exists) {
            return;
        }
        // Read LDAP Auth plugin params to connect (the ones we configured via cli-ldap.php)
        $ldapExt = $dbo->setQuery(
            $dbo->getQuery(true)
                ->select('*')
                ->from($dbo->quoteName('#__extensions'))
                ->where($dbo->quoteName('type') . " = 'plugin'")
                ->where($dbo->quoteName('folder') . " = 'authentication'")
                ->where($dbo->quoteName('element') . " = 'ldap'")
        )->loadObject();
        if (!$ldapExt) {
            return; // LDAP plugin not found; bail out silently
        }
        $p = json_decode($ldapExt->params ?: "{}", true) ?: [];
        $host   = $p['host'] ?? 'openldap';
        $port   = (int) ($p['port'] ?? 389);
        $baseDn = $p['base_dn'] ?? '';
        $bindDn = $p['username'] ?? '';
        $bindPw = $p['password'] ?? '';
        $attrUid = $p['ldap_uid'] ?? 'uid';
        $attrMail = $p['ldap_email'] ?? 'mail';
        $attrName = $p['ldap_fullname'] ?? 'cn';
        // Look up user in LDAP to fetch name/email
        $ds = @ldap_connect($host, $port);
        if (!$ds) { return; }
        ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
        @ldap_bind($ds, $bindDn, $bindPw);
        $filter = sprintf('(%s=%s)', $attrUid, ldap_escape($username, '', LDAP_ESCAPE_FILTER));
        $sr = @ldap_search($ds, $baseDn, $filter, [$attrName, $attrMail]);
        $entry = $sr ? @ldap_first_entry($ds, $sr) : null;
        $name  = $entry ? (@ldap_get_values($ds, $entry, $attrName)[0] ?? $username) : $username;
        $email = $entry ? (@ldap_get_values($ds, $entry, $attrMail)[0] ?? ($username.'@example.invalid')) : ($username.'@example.invalid');
        if ($ds) { @ldap_unbind($ds); }
        // Create Joomla user (Registered group id=2)
        $data = [
            'name'     => $name,
            'username' => $username,
            'email'    => $email,
            // Password is irrelevant for LDAP; set a random one
            'password' => bin2hex(random_bytes(12)),
            'block'    => 0,
            'groups'   => [2],
        ];
        $user = new User;
        if (!$user->bind($data)) {
            return;
        }
        $user->save();
    }
 }
--- a/roles/web-app-joomla/files/ldapautocreate.xml
+++ b/roles/web-app-joomla/files/ldapautocreate.xml
@@ -0,0 +1,10 @@
 <?xml version="1.0" encoding="utf-8"?>
 <extension type="plugin" group="system" method="upgrade" version="4.0">
  <name>plg_system_ldapautocreate</name>
  <author>Infinito.Nexus</author>
  <version>1.0.0</version>
  <description>Auto-create Joomla users after successful LDAP authentication.</description>
  <files>
    <filename plugin="ldapautocreate">ldapautocreate.php</filename>
  </files>
 </extension>
--- a/roles/web-app-joomla/tasks/01_ldap_files.yml
+++ b/roles/web-app-joomla/tasks/01_ldap_files.yml
@@ -0,0 +1,25 @@
 - name: "Render LDAP CLI helper"
  template:
    src: cli-ldap.php.j2
    dest: "{{ JOOMLA_LDAP_CONF_FILE }}"
    mode: "0644"
  when: JOOMLA_LDAP_ENABLED | bool
  notify: docker compose restart
 - block:
  - name: "Ensure ldapautocreate plugin hostdir exists"
    file:
      path: "{{ JOOMLA_LDAP_AUT_CRT_HOST_DIR }}"
      state: directory
      mode: "0755"
  - name: "Deploy ldapautocreate plugin files"
    copy:
      src: "ldapautocreate.{{ item }}"
      dest: "{{ [ JOOMLA_LDAP_AUT_CRT_HOST_DIR, 'ldapautocreate.' ~ item ] | path_join }}"
      mode: "0644"
    notify: docker compose restart
    loop:
      - php
      - xml
  when: JOOMLA_LDAP_AUTO_CREATE_ENABLED | bool
--- a/roles/web-app-joomla/tasks/02_install.yml
+++ b/roles/web-app-joomla/tasks/02_install.yml
--- a/roles/web-app-joomla/tasks/03_debug.yml
+++ b/roles/web-app-joomla/tasks/03_debug.yml
--- a/roles/web-app-joomla/tasks/04_ldap.yml
+++ b/roles/web-app-joomla/tasks/04_ldap.yml
@@ -1,9 +0,0 @@
 - name: "Configure LDAP plugin params via helper"
  command: >
    docker exec {{ JOOMLA_CONTAINER }}
    php cli/cli-ldap.php
  register: ldap_conf
  changed_when: "'configured' in ldap_conf.stdout | lower"
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll:  "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
  when: JOOMLA_LDAP_ENABLED | bool
--- a/roles/web-app-joomla/tasks/04_patch.yml
+++ b/roles/web-app-joomla/tasks/04_patch.yml
--- a/roles/web-app-joomla/tasks/05_ldap.yml
+++ b/roles/web-app-joomla/tasks/05_ldap.yml
@@ -0,0 +1,56 @@
 - name: "Configure LDAP plugin params via helper"
  command: >
    docker exec {{ JOOMLA_CONTAINER }}
    sh -c 'test -f /var/www/html/cli/cli-ldap.php && php /var/www/html/cli/cli-ldap.php'
  register: ldap_conf
  changed_when: "'configured' in ldap_conf.stdout | lower"
  async: "{{ ASYNC_TIME if ASYNC_ENABLED | bool else omit }}"
  poll: "{{ ASYNC_POLL if ASYNC_ENABLED | bool else omit }}"
  when: JOOMLA_LDAP_ENABLED | bool
 - name: "Register & enable ldapautocreate Joomla system plugin"
  command: >
    docker exec {{ JOOMLA_CONTAINER }}
    sh -lc '
      test -f /var/www/html/plugins/system/ldapautocreate/ldapautocreate.php ||
        { echo "ERROR: plugin file missing"; exit 1; };
      php -r "
      define(\"_JEXEC\",1);
      \$root=\"/var/www/html\";
      require \$root.\"/includes/defines.php\";
      require \$root.\"/includes/framework.php\";
      \$dbo = Joomla\\CMS\\Factory::getDbo();
      \$ext = \$dbo->setQuery(
        \"SELECT * FROM #__extensions WHERE type=\\\"plugin\\\" AND folder=\\\"system\\\" AND element=\\\"ldapautocreate\\\"\"
      )->loadObject();
      if (!\$ext) {
        \$row = (object)[
          \"name\" => \"plg_system_ldapautocreate\",
          \"type\" => \"plugin\",
          \"element\" => \"ldapautocreate\",
          \"folder\" => \"system\",
          \"enabled\" => 1,
          \"access\" => 1,
          \"protected\" => 0,
          \"manifest_cache\" => \"{}\",
          \"params\" => \"{}\",
          \"custom_data\" => \"{}\",
          \"state\" => 0,
          \"ordering\" => 0,
          \"client_id\" => 0
        ];
        \$dbo->insertObject(\"#__extensions\", \$row);
        echo \"Plugin registered + enabled\\n\";
      } else {
        \$ext->enabled = 1;
        \$dbo->updateObject(\"#__extensions\", \$ext, \"extension_id\");
        echo \"Plugin already exists, just enabled\\n\";
      }
      "
    '
  register: ldapautocreate_reg
  changed_when: >
    ('registered + enabled' in (ldapautocreate_reg.stdout | lower)) or
    ('just enabled' in (ldapautocreate_reg.stdout | lower))
  failed_when: ldapautocreate_reg.rc != 0
  when: JOOMLA_LDAP_AUTO_CREATE_ENABLED | bool
--- a/roles/web-app-joomla/tasks/06_assert.yml
+++ b/roles/web-app-joomla/tasks/06_assert.yml
--- a/roles/web-app-joomla/tasks/main.yml
+++ b/roles/web-app-joomla/tasks/main.yml
@@ -1,12 +1,12 @@
 ---
- name: "Include role srv-domain-provision for {{ application_id }}"
+#- name: "Include role srv-domain-provision for {{ application_id }}"
-  include_role:
+#  include_role:
-    name: srv-domain-provision
+#    name: srv-domain-provision
-  loop: "{{ JOOMLA_DOMAINS }}"
+#  loop: "{{ JOOMLA_DOMAINS }}"
-  loop_control:
+#  loop_control:
-    loop_var: domain
+#    loop_var: domain
-  vars:
+#  vars:
-    http_port: "{{ ports.localhost.http[application_id] }}"
+#    http_port: "{{ ports.localhost.http[application_id] }}"
 - name: "load docker and db for {{ application_id }}"
  include_role: 
@@ -14,12 +14,8 @@
  vars:
    docker_compose_flush_handlers: false
- name: "Render LDAP CLI helper"
+- name: Include install routines
-  template:
+  include_tasks: "01_ldap_files.yml"
    src: cli-ldap.php.j2
    dest: "{{ JOOMLA_LDAP_CONF_FILE }}"
    mode: "0644"
  when: JOOMLA_LDAP_ENABLED | bool
 - name: "flush docker compose handlers"
  meta: flush_handlers
@@ -27,8 +23,8 @@
 - name: Include install routines
  include_tasks: "{{ item }}"
  loop:
-    - 01_install.yml
+    - 02_install.yml
-    - 02_debug.yml
+    - 03_debug.yml
-    - 03_patch.yml
+    - 04_patch.yml
-    - 04_ldap.yml
+    - 05_ldap.yml
-    - 05_assert.yml
+    - 06_assert.yml
--- a/roles/web-app-joomla/templates/cli-ldap.php.j2
+++ b/roles/web-app-joomla/templates/cli-ldap.php.j2
@@ -1,15 +1,18 @@
 <?php
-// Tiny Joomla CLI to enable + configure Authentication - LDAP plugin.
+// Joomla CLI script to enable and configure the Authentication - LDAP plugin.
-// Safe to run multiple times.
+// Safe to run multiple times. Uses only Factory::getDbo() (no web/administrator app context required).
 define('_JEXEC', 1);
-if (PHP_SAPI !== 'cli') { fwrite(STDERR, "CLI only\n"); exit(1); }
+define('JPATH_BASE', __DIR__ . '/..');
-$root = __DIR__ . '/..';
+// Load Joomla framework
-require $root . '/includes/defines.php';
+require JPATH_BASE . '/includes/defines.php';
-require $root . '/includes/framework.php';
+require JPATH_BASE . '/includes/framework.php';
-$app = \Joomla\CMS\Factory::getApplication('administrator');
+use Joomla\CMS\Factory;
-$dbo = \Joomla\CMS\Factory::getDbo();
+
 // Database driver from Factory
 $dbo = Factory::getDbo();
 // Locate the LDAP plugin row in #__extensions
 $query = $dbo->getQuery(true)
@@ -21,34 +24,45 @@ $query = $dbo->getQuery(true)
 $dbo->setQuery($query);
 $ext = $dbo->loadObject();
-if (!$ext) { fwrite(STDERR, "LDAP plugin not found.\n"); exit(2); }
+if (!$ext) {
    fwrite(STDERR, "LDAP plugin not found.\n");
    exit(2);
 }
-// Merge desired params
+// Helper to strip quotes if present in env-file values
 $get = static fn($k) => preg_replace('/^(["\'])(.*)\1$/', '$2', getenv($k) ?: '');
 // Desired plugin parameters (must match Joomla LDAP plugin schema)
 $desired = [
-  "host"                => getenv('JOOMLA_LDAP_HOST'),
+    // Connection settings
-  "port"                => (int) getenv('JOOMLA_LDAP_PORT'),
+    "host"          => $get('JOOMLA_LDAP_HOST'),
-  "basedn"              => getenv('JOOMLA_LDAP_BASE_DN'),
+    "port"          => (int) $get('JOOMLA_LDAP_PORT'),
-  "userbasedn"          => getenv('JOOMLA_LDAP_USER_TREE_DN'),
+    "use_ldapV3"    => true,
-  "groupbasedn"         => getenv('JOOMLA_LDAP_GROUP_TREE_DN'),
+    "negotiate_tls" => (bool) $get('JOOMLA_LDAP_USE_STARTTLS'),
-  "authmethod"          => getenv('JOOMLA_LDAP_AUTH_METHOD'),        // "bind" or "search"
+    "no_referrals"  => false,
-  "searchstring"        => getenv('JOOMLA_LDAP_USER_SEARCH_STRING'),
+
-  "username"            => getenv('JOOMLA_LDAP_BIND_DN'),
+    // Authentication settings
-  "password"            => getenv('JOOMLA_LDAP_BIND_PASSWORD'),
+    "auth_method"   => $get('JOOMLA_LDAP_AUTH_METHOD') ?: "search", // "search" or "bind"
-  "uid"                 => getenv('JOOMLA_LDAP_UID_ATTR'),
+    "base_dn"       => $get('JOOMLA_LDAP_BASE_DN'),
-  "email"               => getenv('JOOMLA_LDAP_EMAIL_ATTR'),
+    "search_string" => $get('JOOMLA_LDAP_USER_SEARCH_STRING'),      // e.g. uid=[username]
-  "fullname"            => getenv('JOOMLA_LDAP_NAME_ATTR'),
+    "users_dn"      => $get('JOOMLA_LDAP_USER_TREE_DN'),            // required for "bind" mode
-  "starttls"            => (bool) getenv('JOOMLA_LDAP_USE_STARTTLS'),
+    "username"      => $get('JOOMLA_LDAP_BIND_DN'),
-  "ignore_reqcert"      => (bool) getenv('JOOMLA_LDAP_IGNORE_CERT'),
+    "password"      => $get('JOOMLA_LDAP_BIND_PASSWORD'),
-  "mapfullname"         => (bool) getenv('JOOMLA_LDAP_MAP_FULLNAME'),
+
-  "mapemail"            => (bool) getenv('JOOMLA_LDAP_MAP_EMAIL'),
+    // Attribute mapping
    "ldap_uid"      => $get('JOOMLA_LDAP_UID_ATTR')   ?: "uid",
    "ldap_email"    => $get('JOOMLA_LDAP_EMAIL_ATTR') ?: "mail",
    "ldap_fullname" => $get('JOOMLA_LDAP_NAME_ATTR')  ?: "cn",
 ];
 // Merge current parameters with desired values
 $current = json_decode($ext->params ?: "{}", true) ?: [];
-$merged  = array_replace($current, array_filter($desired, fn($v) => $v !== null && $v !== ''));
+$clean   = array_filter($desired, static fn($v) => $v !== null && $v !== '');
 $merged  = array_replace($current, $clean);
 // Save back to database and enable the plugin
 $ext->params  = json_encode($merged, JSON_UNESCAPED_SLASHES);
-$ext->enabled = {{ JOOMLA_LDAP_ENABLED | ternary(1, 0) }};
+$ext->enabled = 1;
 $dbo->updateObject('#__extensions', $ext, 'extension_id');
-echo "LDAP plugin enabled=". $ext->enabled . " and configured.\n";
+echo "LDAP plugin enabled={$ext->enabled} and configured.\n";
--- a/roles/web-app-joomla/templates/docker-compose.yml.j2
+++ b/roles/web-app-joomla/templates/docker-compose.yml.j2
@@ -11,6 +11,9 @@
      - data:/var/www/html
 {% if JOOMLA_LDAP_ENABLED %}
      - {{ JOOMLA_LDAP_CONF_FILE }}:/var/www/html/cli/cli-ldap.php:ro
 {% if JOOMLA_LDAP_AUTO_CREATE_ENABLED | bool %}
      - {{ JOOMLA_LDAP_AUT_CRT_HOST_DIR }}:{{ JOOMLA_LDAP_AUT_CRT_DOCK_DIR }}:ro
 {% endif %}
 {% endif %}
    ports:
      - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"
--- a/roles/web-app-joomla/templates/env.j2
+++ b/roles/web-app-joomla/templates/env.j2
@@ -6,29 +6,29 @@ JOOMLA_ADMIN_EMAIL={{ JOOMLA_USER_EMAIL }}
 {% if database_type == 'mariadb' %}
 # Database
-JOOMLA_DB_HOST="{{ database_host }}:{{ database_port }}"
+JOOMLA_DB_HOST={{ database_host }}:{{ database_port }}
-JOOMLA_DB_USER="{{ database_username }}"
+JOOMLA_DB_USER={{ database_username }}
-JOOMLA_DB_PASSWORD="{{ database_password }}"
+JOOMLA_DB_PASSWORD={{ database_password }}
-JOOMLA_DB_NAME="{{ database_name }}"
+JOOMLA_DB_NAME={{ database_name }}
-JOOMLA_DB_TYPE="{{ JOOMLA_DB_CONNECTOR }}"
+JOOMLA_DB_TYPE={{ JOOMLA_DB_CONNECTOR }}
 {% endif %}
 {% if JOOMLA_LDAP_ENABLED %}
 # LDAP
-JOOMLA_LDAP_HOST="{{ JOOMLA_LDAP_HOST }}"
+JOOMLA_LDAP_HOST={{ JOOMLA_LDAP_HOST }}
-JOOMLA_LDAP_PORT="{{ JOOMLA_LDAP_PORT }}"
+JOOMLA_LDAP_PORT={{ JOOMLA_LDAP_PORT }}
-JOOMLA_LDAP_BASE_DN="{{ JOOMLA_LDAP_BASE_DN }}"
+JOOMLA_LDAP_BASE_DN={{ JOOMLA_LDAP_BASE_DN }}
-JOOMLA_LDAP_USER_TREE_DN="{{ JOOMLA_LDAP_USER_TREE_DN }}"
+JOOMLA_LDAP_USER_TREE_DN={{ JOOMLA_LDAP_USER_TREE_DN }}
-JOOMLA_LDAP_GROUP_TREE_DN="{{ JOOMLA_LDAP_GROUP_TREE_DN }}"
+JOOMLA_LDAP_GROUP_TREE_DN={{ JOOMLA_LDAP_GROUP_TREE_DN }}
-JOOMLA_LDAP_UID_ATTR="{{ JOOMLA_LDAP_UID_ATTR }}"
+JOOMLA_LDAP_UID_ATTR={{ JOOMLA_LDAP_UID_ATTR }}
-JOOMLA_LDAP_EMAIL_ATTR="{{ JOOMLA_LDAP_EMAIL_ATTR }}"
+JOOMLA_LDAP_EMAIL_ATTR={{ JOOMLA_LDAP_EMAIL_ATTR }}
-JOOMLA_LDAP_NAME_ATTR="{{ JOOMLA_LDAP_NAME_ATTR }}"
+JOOMLA_LDAP_NAME_ATTR={{ JOOMLA_LDAP_NAME_ATTR }}
-JOOMLA_LDAP_BIND_DN="{{ JOOMLA_LDAP_BIND_DN }}"
+JOOMLA_LDAP_BIND_DN={{ JOOMLA_LDAP_BIND_DN }}
-JOOMLA_LDAP_BIND_PASSWORD="{{ JOOMLA_LDAP_BIND_PASSWORD }}"
+JOOMLA_LDAP_BIND_PASSWORD={{ JOOMLA_LDAP_BIND_PASSWORD }}
-JOOMLA_LDAP_USE_STARTTLS="{{ JOOMLA_LDAP_USE_STARTTLS | ternary('1','') }}"
+JOOMLA_LDAP_USE_STARTTLS={{ JOOMLA_LDAP_USE_STARTTLS | ternary('1','') }}
-JOOMLA_LDAP_IGNORE_CERT="{{ JOOMLA_LDAP_IGNORE_CERT | ternary('1','') }}"
+JOOMLA_LDAP_IGNORE_CERT={{ JOOMLA_LDAP_IGNORE_CERT | ternary('1','') }}
-JOOMLA_LDAP_MAP_FULLNAME="{{ JOOMLA_LDAP_MAP_FULLNAME | ternary('1','') }}"
+JOOMLA_LDAP_MAP_FULLNAME={{ JOOMLA_LDAP_MAP_FULLNAME | ternary('1','') }}
-JOOMLA_LDAP_MAP_EMAIL="{{ JOOMLA_LDAP_MAP_EMAIL | ternary('1','') }}"
+JOOMLA_LDAP_MAP_EMAIL={{ JOOMLA_LDAP_MAP_EMAIL | ternary('1','') }}
-JOOMLA_LDAP_AUTH_METHOD="{{ JOOMLA_LDAP_AUTH_METHOD }}"
+JOOMLA_LDAP_AUTH_METHOD={{ JOOMLA_LDAP_AUTH_METHOD }}
-JOOMLA_LDAP_USER_SEARCH_STRING="{{ JOOMLA_LDAP_USER_SEARCH_STRING }}"
+JOOMLA_LDAP_USER_SEARCH_STRING={{ JOOMLA_LDAP_USER_SEARCH_STRING }}
 {% endif %}
--- a/roles/web-app-joomla/vars/main.yml
+++ b/roles/web-app-joomla/vars/main.yml
@@ -23,6 +23,7 @@ JOOMLA_USER_EMAIL:              "{{ users.administrator.email }}"
 # LDAP
 JOOMLA_LDAP_CONF_FILE:            "{{ [ docker_compose.directories.volumes, 'cli-ldap.php' ] | path_join }}"
 JOOMLA_LDAP_ENABLED:              "{{ applications | get_app_conf(application_id, 'features.ldap') }}"
 JOOMLA_LDAP_AUTO_CREATE_ENABLED:  "{{ applications | get_app_conf(application_id, 'autocreate_users') }}"
 JOOMLA_LDAP_HOST:                 "{{ LDAP.SERVER.DOMAIN }}"
 JOOMLA_LDAP_PORT:                 "{{ LDAP.SERVER.PORT }}"
 JOOMLA_LDAP_BASE_DN:              "{{ LDAP.DN.ROOT }}"
@@ -38,4 +39,6 @@ JOOMLA_LDAP_IGNORE_CERT:        true
 JOOMLA_LDAP_MAP_FULLNAME:         true
 JOOMLA_LDAP_MAP_EMAIL:            true
 JOOMLA_LDAP_AUTH_METHOD:          "search"     # "bind" or "search"
-JOOMLA_LDAP_USER_SEARCH_STRING: "{{ JOOMLA_LDAP_UID_ATTR }}=[username],{{ JOOMLA_LDAP_USER_TREE_DN }}"
+JOOMLA_LDAP_USER_SEARCH_STRING:   "{{ JOOMLA_LDAP_UID_ATTR }}=[username]"
 JOOMLA_LDAP_AUT_CRT_HOST_DIR:     "{{ [ docker_compose.directories.volumes, 'ldapautocreate' ] | path_join }}"
 JOOMLA_LDAP_AUT_CRT_DOCK_DIR:     "/var/www/html/plugins/system/ldapautocreate"