Merge pull request #1572 from Salman2301/feat-secret-input-autocomplete

Secret input auto complete

.github/workflows/build-patroni-docker-img.yml

@@ -0,0 +1,38 @@
+name: Build patroni 
+on: [workflow_dispatch]
+
+jobs:
+  patroni-image:
+    name: Build patroni
+    runs-on: ubuntu-latest
+    steps:
+      - name: ☁️ Checkout source
+        uses: actions/checkout@v3
+        with:
+          repository: 'zalando/patroni'
+      - name: Save commit hashes for tag
+        id: commit
+        uses: pr-mpt/actions-commit-hash@v2
+      - name: 🔧 Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: 🐋 Login to Docker Hub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Set up Depot CLI
+        uses: depot/setup-action@v1
+      - name: 🏗️ Build backend and push to docker hub
+        uses: depot/build-push-action@v1
+        with:
+          project: 64mmf0n610
+          token: ${{ secrets.DEPOT_PROJECT_TOKEN }}
+          push: true
+          context: .
+          file: Dockerfile
+          tags: |
+            infisical/patroni:${{ steps.commit.outputs.short }}
+            infisical/patroni:latest
+          platforms: linux/amd64,linux/arm64
+    
+  

.github/workflows/release_build_infisical_cli.yml

@@ -1,6 +1,8 @@
 name: Build and release CLI
 
 on:
+    workflow_dispatch:
+
     push:
         # run only against tags
         tags:
@@ -14,6 +16,12 @@ jobs:
     cli-integration-tests:
         name: Run tests before deployment
         uses: ./.github/workflows/run-cli-tests.yml
+        secrets:
+            CLI_TESTS_UA_CLIENT_ID: ${{ secrets.CLI_TESTS_UA_CLIENT_ID }}
+            CLI_TESTS_UA_CLIENT_SECRET: ${{ secrets.CLI_TESTS_UA_CLIENT_SECRET }}
+            CLI_TESTS_SERVICE_TOKEN: ${{ secrets.CLI_TESTS_SERVICE_TOKEN }}
+            CLI_TESTS_PROJECT_ID: ${{ secrets.CLI_TESTS_PROJECT_ID }}
+            CLI_TESTS_ENV_SLUG: ${{ secrets.CLI_TESTS_ENV_SLUG }}
 
     goreleaser:
         runs-on: ubuntu-20.04

.github/workflows/run-cli-tests.yml

@@ -6,7 +6,20 @@ on:
         paths:
             - "cli/**"
 
+    workflow_dispatch:
+
     workflow_call:
+        secrets:
+            CLI_TESTS_UA_CLIENT_ID:
+                required: true
+            CLI_TESTS_UA_CLIENT_SECRET:
+                required: true
+            CLI_TESTS_SERVICE_TOKEN:
+                required: true
+            CLI_TESTS_PROJECT_ID:
+                required: true
+            CLI_TESTS_ENV_SLUG:
+                required: true
 
 jobs:
     test:

README.md

@@ -76,7 +76,7 @@ Check out the [Quickstart Guides](https://infisical.com/docs/getting-started/int
 
 | Use Infisical Cloud                                                                                                                                     | Deploy Infisical on premise                                                                                                                                                                                                                                                                                                                                                                                                                                           |
 | ------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). | <a href="https://infisical.com/docs/self-hosting/deployment-options/aws-ec2"><img src=".github/images/deploy-to-aws.png" width="150" width="300" /></a> <a href="https://infisical.com/docs/self-hosting/deployment-options/digital-ocean-marketplace" alt="Deploy to DigitalOcean"> <img width="217" alt="Deploy to DO" src="https://www.deploytodo.com/do-btn-blue.svg"/> </a> <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |
+| The fastest and most reliable way to <br> get started with Infisical is signing up <br> for free to [Infisical Cloud](https://app.infisical.com/login). |  <br> View all [deployment options](https://infisical.com/docs/self-hosting/overview) |
 
 ### Run Infisical locally
 

backend/package-lock.json

@@ -45,6 +45,7 @@
         "jsonwebtoken": "^9.0.2",
         "jsrp": "^0.2.4",
         "knex": "^3.0.1",
+        "ldapjs": "^3.0.7",
         "libsodium-wrappers": "^0.7.13",
         "lodash.isequal": "^4.5.0",
         "ms": "^2.1.3",
@@ -2510,6 +2511,83 @@
         "@jridgewell/sourcemap-codec": "^1.4.10"
       }
     },
+    "node_modules/@ldapjs/asn1": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/asn1/-/asn1-2.0.0.tgz",
+      "integrity": "sha512-G9+DkEOirNgdPmD0I8nu57ygQJKOOgFEMKknEuQvIHbGLwP3ny1mY+OTUYLCbCaGJP4sox5eYgBJRuSUpnAddA=="
+    },
+    "node_modules/@ldapjs/attribute": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/attribute/-/attribute-1.0.0.tgz",
+      "integrity": "sha512-ptMl2d/5xJ0q+RgmnqOi3Zgwk/TMJYG7dYMC0Keko+yZU6n+oFM59MjQOUht5pxJeS4FWrImhu/LebX24vJNRQ==",
+      "dependencies": {
+        "@ldapjs/asn1": "2.0.0",
+        "@ldapjs/protocol": "^1.2.1",
+        "process-warning": "^2.1.0"
+      }
+    },
+    "node_modules/@ldapjs/change": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/change/-/change-1.0.0.tgz",
+      "integrity": "sha512-EOQNFH1RIku3M1s0OAJOzGfAohuFYXFY4s73wOhRm4KFGhmQQ7MChOh2YtYu9Kwgvuq1B0xKciXVzHCGkB5V+Q==",
+      "dependencies": {
+        "@ldapjs/asn1": "2.0.0",
+        "@ldapjs/attribute": "1.0.0"
+      }
+    },
+    "node_modules/@ldapjs/controls": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/controls/-/controls-2.1.0.tgz",
+      "integrity": "sha512-2pFdD1yRC9V9hXfAWvCCO2RRWK9OdIEcJIos/9cCVP9O4k72BY1bLDQQ4KpUoJnl4y/JoD4iFgM+YWT3IfITWw==",
+      "dependencies": {
+        "@ldapjs/asn1": "^1.2.0",
+        "@ldapjs/protocol": "^1.2.1"
+      }
+    },
+    "node_modules/@ldapjs/controls/node_modules/@ldapjs/asn1": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/asn1/-/asn1-1.2.0.tgz",
+      "integrity": "sha512-KX/qQJ2xxzvO2/WOvr1UdQ+8P5dVvuOLk/C9b1bIkXxZss8BaR28njXdPgFCpj5aHaf1t8PmuVnea+N9YG9YMw=="
+    },
+    "node_modules/@ldapjs/dn": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/dn/-/dn-1.1.0.tgz",
+      "integrity": "sha512-R72zH5ZeBj/Fujf/yBu78YzpJjJXG46YHFo5E4W1EqfNpo1UsVPqdLrRMXeKIsJT3x9dJVIfR6OpzgINlKpi0A==",
+      "dependencies": {
+        "@ldapjs/asn1": "2.0.0",
+        "process-warning": "^2.1.0"
+      }
+    },
+    "node_modules/@ldapjs/filter": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/@ldapjs/filter/-/filter-2.1.1.tgz",
+      "integrity": "sha512-TwPK5eEgNdUO1ABPBUQabcZ+h9heDORE4V9WNZqCtYLKc06+6+UAJ3IAbr0L0bYTnkkWC/JEQD2F+zAFsuikNw==",
+      "dependencies": {
+        "@ldapjs/asn1": "2.0.0",
+        "@ldapjs/protocol": "^1.2.1",
+        "process-warning": "^2.1.0"
+      }
+    },
+    "node_modules/@ldapjs/messages": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/@ldapjs/messages/-/messages-1.3.0.tgz",
+      "integrity": "sha512-K7xZpXJ21bj92jS35wtRbdcNrwmxAtPwy4myeh9duy/eR3xQKvikVycbdWVzkYEAVE5Ce520VXNOwCHjomjCZw==",
+      "dependencies": {
+        "@ldapjs/asn1": "^2.0.0",
+        "@ldapjs/attribute": "^1.0.0",
+        "@ldapjs/change": "^1.0.0",
+        "@ldapjs/controls": "^2.1.0",
+        "@ldapjs/dn": "^1.1.0",
+        "@ldapjs/filter": "^2.1.1",
+        "@ldapjs/protocol": "^1.2.1",
+        "process-warning": "^2.2.0"
+      }
+    },
+    "node_modules/@ldapjs/protocol": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/@ldapjs/protocol/-/protocol-1.2.1.tgz",
+      "integrity": "sha512-O89xFDLW2gBoZWNXuXpBSM32/KealKCTb3JGtJdtUQc7RjAk8XzrRgyz02cPAwGKwKPxy0ivuC7UP9bmN87egQ=="
+    },
     "node_modules/@lukeed/ms": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/@lukeed/ms/-/ms-2.0.1.tgz",
@@ -9304,15 +9382,7 @@
         "node": ">=0.8.0"
       }
     },
-    "node_modules/ldapauth-fork/node_modules/lru-cache": {
-      "version": "7.18.3",
-      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-7.18.3.tgz",
-      "integrity": "sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA==",
-      "engines": {
-        "node": ">=12"
-      }
-    },
-    "node_modules/ldapjs": {
+    "node_modules/ldapauth-fork/node_modules/ldapjs": {
       "version": "2.3.3",
       "resolved": "https://registry.npmjs.org/ldapjs/-/ldapjs-2.3.3.tgz",
       "integrity": "sha512-75QiiLJV/PQqtpH+HGls44dXweviFwQ6SiIK27EqzKQ5jU/7UFrl2E5nLdQ3IYRBzJ/AVFJI66u0MZ0uofKYwg==",
@@ -9330,6 +9400,35 @@
         "node": ">=10.13.0"
       }
     },
+    "node_modules/ldapauth-fork/node_modules/lru-cache": {
+      "version": "7.18.3",
+      "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-7.18.3.tgz",
+      "integrity": "sha512-jumlc0BIUrS3qJGgIkWZsyfAM7NCWiBcCDhnd+3NNM5KbBmLTgHVfWBcg6W+rLUsIpzpERPsvwUP7CckAQSOoA==",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/ldapjs": {
+      "version": "3.0.7",
+      "resolved": "https://registry.npmjs.org/ldapjs/-/ldapjs-3.0.7.tgz",
+      "integrity": "sha512-1ky+WrN+4CFMuoekUOv7Y1037XWdjKpu0xAPwSP+9KdvmV9PG+qOKlssDV6a+U32apwxdD3is/BZcWOYzN30cg==",
+      "dependencies": {
+        "@ldapjs/asn1": "^2.0.0",
+        "@ldapjs/attribute": "^1.0.0",
+        "@ldapjs/change": "^1.0.0",
+        "@ldapjs/controls": "^2.1.0",
+        "@ldapjs/dn": "^1.1.0",
+        "@ldapjs/filter": "^2.1.1",
+        "@ldapjs/messages": "^1.3.0",
+        "@ldapjs/protocol": "^1.2.1",
+        "abstract-logging": "^2.0.1",
+        "assert-plus": "^1.0.0",
+        "backoff": "^2.5.0",
+        "once": "^1.4.0",
+        "vasync": "^2.2.1",
+        "verror": "^1.10.1"
+      }
+    },
     "node_modules/leven": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/leven/-/leven-2.1.0.tgz",

backend/package.json

@@ -106,6 +106,7 @@
     "jsonwebtoken": "^9.0.2",
     "jsrp": "^0.2.4",
     "knex": "^3.0.1",
+    "ldapjs": "^3.0.7",
     "libsodium-wrappers": "^0.7.13",
     "lodash.isequal": "^4.5.0",
     "ms": "^2.1.3",

backend/src/@types/knex.d.ts

@@ -74,6 +74,9 @@ import {
   TLdapConfigs,
   TLdapConfigsInsert,
   TLdapConfigsUpdate,
+  TLdapGroupMaps,
+  TLdapGroupMapsInsert,
+  TLdapGroupMapsUpdate,
   TOrganizations,
   TOrganizationsInsert,
   TOrganizationsUpdate,
@@ -398,6 +401,7 @@ declare module "knex/types/tables" {
     >;
     [TableName.SamlConfig]: Knex.CompositeTableType<TSamlConfigs, TSamlConfigsInsert, TSamlConfigsUpdate>;
     [TableName.LdapConfig]: Knex.CompositeTableType<TLdapConfigs, TLdapConfigsInsert, TLdapConfigsUpdate>;
+    [TableName.LdapGroupMap]: Knex.CompositeTableType<TLdapGroupMaps, TLdapGroupMapsInsert, TLdapGroupMapsUpdate>;
     [TableName.OrgBot]: Knex.CompositeTableType<TOrgBots, TOrgBotsInsert, TOrgBotsUpdate>;
     [TableName.AuditLog]: Knex.CompositeTableType<TAuditLogs, TAuditLogsInsert, TAuditLogsUpdate>;
     [TableName.GitAppInstallSession]: Knex.CompositeTableType<

backend/src/db/migrations/20240423023203_ldap-config-groups.ts

@@ -0,0 +1,34 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+import { createOnUpdateTrigger, dropOnUpdateTrigger } from "../utils";
+
+export async function up(knex: Knex): Promise<void> {
+  if (!(await knex.schema.hasTable(TableName.LdapGroupMap))) {
+    await knex.schema.createTable(TableName.LdapGroupMap, (t) => {
+      t.uuid("id", { primaryKey: true }).defaultTo(knex.fn.uuid());
+      t.uuid("ldapConfigId").notNullable();
+      t.foreign("ldapConfigId").references("id").inTable(TableName.LdapConfig).onDelete("CASCADE");
+      t.string("ldapGroupCN").notNullable();
+      t.uuid("groupId").notNullable();
+      t.foreign("groupId").references("id").inTable(TableName.Groups).onDelete("CASCADE");
+      t.unique(["ldapGroupCN", "groupId", "ldapConfigId"]);
+    });
+  }
+
+  await createOnUpdateTrigger(knex, TableName.LdapGroupMap);
+
+  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+    t.string("groupSearchBase").notNullable().defaultTo("");
+    t.string("groupSearchFilter").notNullable().defaultTo("");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists(TableName.LdapGroupMap);
+  await dropOnUpdateTrigger(knex, TableName.LdapGroupMap);
+  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+    t.dropColumn("groupSearchBase");
+    t.dropColumn("groupSearchFilter");
+  });
+}

backend/src/db/migrations/20240424235842_user-search-filter.ts

@@ -0,0 +1,15 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+    t.string("searchFilter").notNullable().defaultTo("");
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable(TableName.LdapConfig, (t) => {
+    t.dropColumn("searchFilter");
+  });
+}

backend/src/db/schemas/index.ts

@@ -22,6 +22,7 @@ export * from "./incident-contacts";
 export * from "./integration-auths";
 export * from "./integrations";
 export * from "./ldap-configs";
+export * from "./ldap-group-maps";
 export * from "./models";
 export * from "./org-bots";
 export * from "./org-memberships";

backend/src/db/schemas/ldap-configs.ts

@@ -23,7 +23,10 @@ export const LdapConfigsSchema = z.object({
   caCertIV: z.string(),
   caCertTag: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  groupSearchBase: z.string().default(""),
+  groupSearchFilter: z.string().default(""),
+  searchFilter: z.string().default("")
 });
 
 export type TLdapConfigs = z.infer<typeof LdapConfigsSchema>;

backend/src/db/schemas/ldap-group-maps.ts

@@ -0,0 +1,19 @@
+// Code generated by automation script, DO NOT EDIT.
+// Automated by pulling database and generating zod schema
+// To update. Just run npm run generate:schema
+// Written by akhilmhdh.
+
+import { z } from "zod";
+
+import { TImmutableDBKeys } from "./models";
+
+export const LdapGroupMapsSchema = z.object({
+  id: z.string().uuid(),
+  ldapConfigId: z.string().uuid(),
+  ldapGroupCN: z.string(),
+  groupId: z.string().uuid()
+});
+
+export type TLdapGroupMaps = z.infer<typeof LdapGroupMapsSchema>;
+export type TLdapGroupMapsInsert = Omit<z.input<typeof LdapGroupMapsSchema>, TImmutableDBKeys>;
+export type TLdapGroupMapsUpdate = Partial<Omit<z.input<typeof LdapGroupMapsSchema>, TImmutableDBKeys>>;

backend/src/db/schemas/models.ts

@@ -60,6 +60,7 @@ export enum TableName {
   SecretRotationOutput = "secret_rotation_outputs",
   SamlConfig = "saml_configs",
   LdapConfig = "ldap_configs",
+  LdapGroupMap = "ldap_group_maps",
   AuditLog = "audit_logs",
   GitAppInstallSession = "git_app_install_sessions",
   GitAppOrg = "git_app_org",

backend/src/ee/routes/v1/ldap-router.ts

@@ -14,7 +14,9 @@ import { FastifyRequest } from "fastify";
 import LdapStrategy from "passport-ldapauth";
 import { z } from "zod";
 
-import { LdapConfigsSchema } from "@app/db/schemas";
+import { LdapConfigsSchema, LdapGroupMapsSchema } from "@app/db/schemas";
+import { TLDAPConfig } from "@app/ee/services/ldap-config/ldap-config-types";
+import { isValidLdapFilter, searchGroups } from "@app/ee/services/ldap-config/ldap-fns";
 import { getConfig } from "@app/lib/config/env";
 import { logger } from "@app/lib/logger";
 import { readLimit, writeLimit } from "@app/server/config/rateLimiter";
@@ -50,20 +52,38 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
       // eslint-disable-next-line
       async (req: IncomingMessage, user, cb) => {
         try {
+          const ldapConfig = (req as unknown as FastifyRequest).ldapConfig as TLDAPConfig;
+
+          let groups: { dn: string; cn: string }[] | undefined;
+          if (ldapConfig.groupSearchBase) {
+            const groupFilter = "(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))";
+            const groupSearchFilter = (ldapConfig.groupSearchFilter || groupFilter)
+              .replace(/{{\.Username}}/g, user.uid)
+              .replace(/{{\.UserDN}}/g, user.dn);
+
+            if (!isValidLdapFilter(groupSearchFilter)) {
+              throw new Error("Generated LDAP search filter is invalid.");
+            }
+
+            groups = await searchGroups(ldapConfig, groupSearchFilter, ldapConfig.groupSearchBase);
+          }
+
           const { isUserCompleted, providerAuthToken } = await server.services.ldap.ldapLogin({
+            ldapConfigId: ldapConfig.id,
             externalId: user.uidNumber,
             username: user.uid,
-            firstName: user.givenName,
-            lastName: user.sn,
+            firstName: user.givenName ?? user.cn ?? "",
+            lastName: user.sn ?? "",
             emails: user.mail ? [user.mail] : [],
+            groups,
             relayState: ((req as unknown as FastifyRequest).body as { RelayState?: string }).RelayState,
             orgId: (req as unknown as FastifyRequest).ldapConfig.organization
           });
 
           return cb(null, { isUserCompleted, providerAuthToken });
-        } catch (err) {
-          logger.error(err);
-          return cb(err, false);
+        } catch (error) {
+          logger.error(error);
+          return cb(error, false);
         }
       }
     )
@@ -117,6 +137,9 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
           bindDN: z.string(),
           bindPass: z.string(),
           searchBase: z.string(),
+          searchFilter: z.string(),
+          groupSearchBase: z.string(),
+          groupSearchFilter: z.string(),
           caCert: z.string()
         })
       }
@@ -148,6 +171,12 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
         bindDN: z.string().trim(),
         bindPass: z.string().trim(),
         searchBase: z.string().trim(),
+        searchFilter: z.string().trim().default("(uid={{username}})"),
+        groupSearchBase: z.string().trim(),
+        groupSearchFilter: z
+          .string()
+          .trim()
+          .default("(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))"),
         caCert: z.string().trim().default("")
       }),
       response: {
@@ -183,6 +212,9 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
           bindDN: z.string().trim(),
           bindPass: z.string().trim(),
           searchBase: z.string().trim(),
+          searchFilter: z.string().trim(),
+          groupSearchBase: z.string().trim(),
+          groupSearchFilter: z.string().trim(),
           caCert: z.string().trim()
         })
         .partial()
@@ -204,4 +236,134 @@ export const registerLdapRouter = async (server: FastifyZodProvider) => {
       return ldap;
     }
   });
+
+  server.route({
+    method: "GET",
+    url: "/config/:configId/group-maps",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        configId: z.string().trim()
+      }),
+      response: {
+        200: z.array(
+          z.object({
+            id: z.string(),
+            ldapConfigId: z.string(),
+            ldapGroupCN: z.string(),
+            group: z.object({
+              id: z.string(),
+              name: z.string(),
+              slug: z.string()
+            })
+          })
+        )
+      }
+    },
+    handler: async (req) => {
+      const ldapGroupMaps = await server.services.ldap.getLdapGroupMaps({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ldapConfigId: req.params.configId
+      });
+      return ldapGroupMaps;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/config/:configId/group-maps",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        configId: z.string().trim()
+      }),
+      body: z.object({
+        ldapGroupCN: z.string().trim(),
+        groupSlug: z.string().trim()
+      }),
+      response: {
+        200: LdapGroupMapsSchema
+      }
+    },
+    handler: async (req) => {
+      const ldapGroupMap = await server.services.ldap.createLdapGroupMap({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ldapConfigId: req.params.configId,
+        ...req.body
+      });
+      return ldapGroupMap;
+    }
+  });
+
+  server.route({
+    method: "DELETE",
+    url: "/config/:configId/group-maps/:groupMapId",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        configId: z.string().trim(),
+        groupMapId: z.string().trim()
+      }),
+      response: {
+        200: LdapGroupMapsSchema
+      }
+    },
+    handler: async (req) => {
+      const ldapGroupMap = await server.services.ldap.deleteLdapGroupMap({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ldapConfigId: req.params.configId,
+        ldapGroupMapId: req.params.groupMapId
+      });
+      return ldapGroupMap;
+    }
+  });
+
+  server.route({
+    method: "POST",
+    url: "/config/:configId/test-connection",
+    config: {
+      rateLimit: readLimit
+    },
+    onRequest: verifyAuth([AuthMode.JWT]),
+    schema: {
+      params: z.object({
+        configId: z.string().trim()
+      }),
+      response: {
+        200: z.boolean()
+      }
+    },
+    handler: async (req) => {
+      const result = await server.services.ldap.testLDAPConnection({
+        actor: req.permission.type,
+        actorId: req.permission.id,
+        orgId: req.permission.orgId,
+        actorAuthMethod: req.permission.authMethod,
+        actorOrgId: req.permission.orgId,
+        ldapConfigId: req.params.configId
+      });
+      return result;
+    }
+  });
 };

backend/src/ee/services/group/group-fns.ts

@@ -22,10 +22,6 @@ const addAcceptedUsersToGroup = async ({
   projectBotDAL,
   tx
 }: TAddUsersToGroup) => {
-  console.log("addAcceptedUsersToGroup args: ", {
-    userIds,
-    group
-  });
   const users = await userDAL.findUserEncKeyByUserIdsBatch(
     {
       userIds

backend/src/ee/services/ldap-config/ldap-config-service.ts

@@ -2,6 +2,9 @@ import { ForbiddenError } from "@casl/ability";
 import jwt from "jsonwebtoken";
 
 import { OrgMembershipRole, OrgMembershipStatus, SecretKeyEncoding, TLdapConfigsUpdate } from "@app/db/schemas";
+import { TGroupDALFactory } from "@app/ee/services/group/group-dal";
+import { addUsersToGroupByUserIds, removeUsersFromGroupByUserIds } from "@app/ee/services/group/group-fns";
+import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { getConfig } from "@app/lib/config/env";
 import {
   decryptSymmetric,
@@ -13,8 +16,12 @@ import {
 } from "@app/lib/crypto/encryption";
 import { BadRequestError } from "@app/lib/errors";
 import { AuthMethod, AuthTokenType } from "@app/services/auth/auth-type";
+import { TGroupProjectDALFactory } from "@app/services/group-project/group-project-dal";
 import { TOrgBotDALFactory } from "@app/services/org/org-bot-dal";
 import { TOrgDALFactory } from "@app/services/org/org-dal";
+import { TProjectDALFactory } from "@app/services/project/project-dal";
+import { TProjectBotDALFactory } from "@app/services/project-bot/project-bot-dal";
+import { TProjectKeyDALFactory } from "@app/services/project-key/project-key-dal";
 import { TUserDALFactory } from "@app/services/user/user-dal";
 import { normalizeUsername } from "@app/services/user/user-fns";
 import { TUserAliasDALFactory } from "@app/services/user-alias/user-alias-dal";
@@ -23,16 +30,40 @@ import { TLicenseServiceFactory } from "../license/license-service";
 import { OrgPermissionActions, OrgPermissionSubjects } from "../permission/org-permission";
 import { TPermissionServiceFactory } from "../permission/permission-service";
 import { TLdapConfigDALFactory } from "./ldap-config-dal";
-import { TCreateLdapCfgDTO, TGetLdapCfgDTO, TLdapLoginDTO, TUpdateLdapCfgDTO } from "./ldap-config-types";
+import {
+  TCreateLdapCfgDTO,
+  TCreateLdapGroupMapDTO,
+  TDeleteLdapGroupMapDTO,
+  TGetLdapCfgDTO,
+  TGetLdapGroupMapsDTO,
+  TLdapLoginDTO,
+  TTestLdapConnectionDTO,
+  TUpdateLdapCfgDTO
+} from "./ldap-config-types";
+import { testLDAPConfig } from "./ldap-fns";
+import { TLdapGroupMapDALFactory } from "./ldap-group-map-dal";
 
 type TLdapConfigServiceFactoryDep = {
-  ldapConfigDAL: TLdapConfigDALFactory;
+  ldapConfigDAL: Pick<TLdapConfigDALFactory, "create" | "update" | "findOne">;
+  ldapGroupMapDAL: Pick<TLdapGroupMapDALFactory, "find" | "create" | "delete" | "findLdapGroupMapsByLdapConfigId">;
   orgDAL: Pick<
     TOrgDALFactory,
     "createMembership" | "updateMembershipById" | "findMembership" | "findOrgById" | "findOne" | "updateById"
   >;
   orgBotDAL: Pick<TOrgBotDALFactory, "findOne" | "create" | "transaction">;
-  userDAL: Pick<TUserDALFactory, "create" | "findOne" | "transaction" | "updateById">;
+  groupDAL: Pick<TGroupDALFactory, "find" | "findOne">;
+  groupProjectDAL: Pick<TGroupProjectDALFactory, "find">;
+  projectKeyDAL: Pick<TProjectKeyDALFactory, "find" | "findLatestProjectKey" | "insertMany" | "delete">;
+  projectDAL: Pick<TProjectDALFactory, "findProjectGhostUser">;
+  projectBotDAL: Pick<TProjectBotDALFactory, "findOne">;
+  userGroupMembershipDAL: Pick<
+    TUserGroupMembershipDALFactory,
+    "find" | "transaction" | "insertMany" | "filterProjectsByUserMembership" | "delete"
+  >;
+  userDAL: Pick<
+    TUserDALFactory,
+    "create" | "findOne" | "transaction" | "updateById" | "findUserEncKeyByUserIdsBatch" | "find"
+  >;
   userAliasDAL: Pick<TUserAliasDALFactory, "create" | "findOne">;
   permissionService: Pick<TPermissionServiceFactory, "getOrgPermission">;
   licenseService: Pick<TLicenseServiceFactory, "getPlan">;
@@ -42,8 +73,15 @@ export type TLdapConfigServiceFactory = ReturnType<typeof ldapConfigServiceFacto
 
 export const ldapConfigServiceFactory = ({
   ldapConfigDAL,
+  ldapGroupMapDAL,
   orgDAL,
   orgBotDAL,
+  groupDAL,
+  groupProjectDAL,
+  projectKeyDAL,
+  projectDAL,
+  projectBotDAL,
+  userGroupMembershipDAL,
   userDAL,
   userAliasDAL,
   permissionService,
@@ -60,6 +98,9 @@ export const ldapConfigServiceFactory = ({
     bindDN,
     bindPass,
     searchBase,
+    searchFilter,
+    groupSearchBase,
+    groupSearchFilter,
     caCert
   }: TCreateLdapCfgDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@@ -135,6 +176,9 @@ export const ldapConfigServiceFactory = ({
       bindPassIV,
       bindPassTag,
       searchBase,
+      searchFilter,
+      groupSearchBase,
+      groupSearchFilter,
       encryptedCACert,
       caCertIV,
       caCertTag
@@ -154,6 +198,9 @@ export const ldapConfigServiceFactory = ({
     bindDN,
     bindPass,
     searchBase,
+    searchFilter,
+    groupSearchBase,
+    groupSearchFilter,
     caCert
   }: TUpdateLdapCfgDTO) => {
     const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
@@ -169,7 +216,10 @@ export const ldapConfigServiceFactory = ({
     const updateQuery: TLdapConfigsUpdate = {
       isActive,
       url,
-      searchBase
+      searchBase,
+      searchFilter,
+      groupSearchBase,
+      groupSearchFilter
     };
 
     const orgBot = await orgBotDAL.findOne({ orgId });
@@ -271,6 +321,9 @@ export const ldapConfigServiceFactory = ({
       bindDN,
       bindPass,
       searchBase: ldapConfig.searchBase,
+      searchFilter: ldapConfig.searchFilter,
+      groupSearchBase: ldapConfig.groupSearchBase,
+      groupSearchFilter: ldapConfig.groupSearchFilter,
       caCert
     };
   };
@@ -304,8 +357,8 @@ export const ldapConfigServiceFactory = ({
         bindDN: ldapConfig.bindDN,
         bindCredentials: ldapConfig.bindPass,
         searchBase: ldapConfig.searchBase,
-        searchFilter: "(uid={{username}})",
-        searchAttributes: ["uid", "uidNumber", "givenName", "sn", "mail"],
+        searchFilter: ldapConfig.searchFilter || "(uid={{username}})",
+        // searchAttributes: ["uid", "uidNumber", "givenName", "sn", "mail"],
         ...(ldapConfig.caCert !== ""
           ? {
               tlsOptions: {
@@ -320,7 +373,17 @@ export const ldapConfigServiceFactory = ({
     return { opts, ldapConfig };
   };
 
-  const ldapLogin = async ({ externalId, username, firstName, lastName, emails, orgId, relayState }: TLdapLoginDTO) => {
+  const ldapLogin = async ({
+    ldapConfigId,
+    externalId,
+    username,
+    firstName,
+    lastName,
+    emails,
+    groups,
+    orgId,
+    relayState
+  }: TLdapLoginDTO) => {
     const appCfg = getConfig();
     let userAlias = await userAliasDAL.findOne({
       externalId,
@@ -394,7 +457,84 @@ export const ldapConfigServiceFactory = ({
       });
     }
 
-    const user = await userDAL.findOne({ id: userAlias.userId });
+    const user = await userDAL.transaction(async (tx) => {
+      const newUser = await userDAL.findOne({ id: userAlias.userId }, tx);
+      if (groups) {
+        const ldapGroupIdsToBePartOf = (
+          await ldapGroupMapDAL.find({
+            ldapConfigId,
+            $in: {
+              ldapGroupCN: groups.map((group) => group.cn)
+            }
+          })
+        ).map((groupMap) => groupMap.groupId);
+
+        const groupsToBePartOf = await groupDAL.find({
+          orgId,
+          $in: {
+            id: ldapGroupIdsToBePartOf
+          }
+        });
+        const toBePartOfGroupIdsSet = new Set(groupsToBePartOf.map((groupToBePartOf) => groupToBePartOf.id));
+
+        const allLdapGroupMaps = await ldapGroupMapDAL.find({
+          ldapConfigId
+        });
+
+        const ldapGroupIdsCurrentlyPartOf = (
+          await userGroupMembershipDAL.find({
+            userId: newUser.id,
+            $in: {
+              groupId: allLdapGroupMaps.map((groupMap) => groupMap.groupId)
+            }
+          })
+        ).map((userGroupMembership) => userGroupMembership.groupId);
+
+        const userGroupMembershipGroupIdsSet = new Set(ldapGroupIdsCurrentlyPartOf);
+
+        for await (const group of groupsToBePartOf) {
+          if (!userGroupMembershipGroupIdsSet.has(group.id)) {
+            // add user to group that they should be part of
+            await addUsersToGroupByUserIds({
+              group,
+              userIds: [newUser.id],
+              userDAL,
+              userGroupMembershipDAL,
+              orgDAL,
+              groupProjectDAL,
+              projectKeyDAL,
+              projectDAL,
+              projectBotDAL,
+              tx
+            });
+          }
+        }
+
+        const groupsCurrentlyPartOf = await groupDAL.find({
+          orgId,
+          $in: {
+            id: ldapGroupIdsCurrentlyPartOf
+          }
+        });
+
+        for await (const group of groupsCurrentlyPartOf) {
+          if (!toBePartOfGroupIdsSet.has(group.id)) {
+            // remove user from group that they should no longer be part of
+            await removeUsersFromGroupByUserIds({
+              group,
+              userIds: [newUser.id],
+              userDAL,
+              userGroupMembershipDAL,
+              groupProjectDAL,
+              projectKeyDAL,
+              tx
+            });
+          }
+        }
+      }
+
+      return newUser;
+    });
 
     const isUserCompleted = Boolean(user.isAccepted);
 
@@ -424,6 +564,116 @@ export const ldapConfigServiceFactory = ({
     return { isUserCompleted, providerAuthToken };
   };
 
+  const getLdapGroupMaps = async ({
+    ldapConfigId,
+    actor,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId
+  }: TGetLdapGroupMapsDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Read, OrgPermissionSubjects.Ldap);
+
+    const ldapConfig = await ldapConfigDAL.findOne({
+      id: ldapConfigId,
+      orgId
+    });
+
+    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+
+    const groupMaps = await ldapGroupMapDAL.findLdapGroupMapsByLdapConfigId(ldapConfigId);
+
+    return groupMaps;
+  };
+
+  const createLdapGroupMap = async ({
+    ldapConfigId,
+    ldapGroupCN,
+    groupSlug,
+    actor,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId
+  }: TCreateLdapGroupMapDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);
+
+    const plan = await licenseService.getPlan(orgId);
+    if (!plan.ldap)
+      throw new BadRequestError({
+        message: "Failed to create LDAP group map due to plan restriction. Upgrade plan to create LDAP group map."
+      });
+
+    const ldapConfig = await ldapConfigDAL.findOne({
+      id: ldapConfigId,
+      orgId
+    });
+    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+
+    const group = await groupDAL.findOne({ slug: groupSlug, orgId });
+    if (!group) throw new BadRequestError({ message: "Failed to find group" });
+
+    const groupMap = await ldapGroupMapDAL.create({
+      ldapConfigId,
+      ldapGroupCN,
+      groupId: group.id
+    });
+
+    return groupMap;
+  };
+
+  const deleteLdapGroupMap = async ({
+    ldapConfigId,
+    ldapGroupMapId,
+    actor,
+    actorId,
+    orgId,
+    actorAuthMethod,
+    actorOrgId
+  }: TDeleteLdapGroupMapDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Delete, OrgPermissionSubjects.Ldap);
+
+    const plan = await licenseService.getPlan(orgId);
+    if (!plan.ldap)
+      throw new BadRequestError({
+        message: "Failed to delete LDAP group map due to plan restriction. Upgrade plan to delete LDAP group map."
+      });
+
+    const ldapConfig = await ldapConfigDAL.findOne({
+      id: ldapConfigId,
+      orgId
+    });
+
+    if (!ldapConfig) throw new BadRequestError({ message: "Failed to find organization LDAP data" });
+
+    const [deletedGroupMap] = await ldapGroupMapDAL.delete({
+      ldapConfigId: ldapConfig.id,
+      id: ldapGroupMapId
+    });
+
+    return deletedGroupMap;
+  };
+
+  const testLDAPConnection = async ({ actor, actorId, orgId, actorAuthMethod, actorOrgId }: TTestLdapConnectionDTO) => {
+    const { permission } = await permissionService.getOrgPermission(actor, actorId, orgId, actorAuthMethod, actorOrgId);
+    ForbiddenError.from(permission).throwUnlessCan(OrgPermissionActions.Create, OrgPermissionSubjects.Ldap);
+
+    const plan = await licenseService.getPlan(orgId);
+    if (!plan.ldap)
+      throw new BadRequestError({
+        message: "Failed to test LDAP connection due to plan restriction. Upgrade plan to test the LDAP connection."
+      });
+
+    const ldapConfig = await getLdapCfg({
+      orgId
+    });
+
+    return testLDAPConfig(ldapConfig);
+  };
+
   return {
     createLdapCfg,
     updateLdapCfg,
@@ -431,6 +681,10 @@ export const ldapConfigServiceFactory = ({
     getLdapCfg,
     // getLdapPassportOpts,
     ldapLogin,
-    bootLdap
+    bootLdap,
+    getLdapGroupMaps,
+    createLdapGroupMap,
+    deleteLdapGroupMap,
+    testLDAPConnection
   };
 };

backend/src/ee/services/ldap-config/ldap-config-types.ts

@@ -1,5 +1,18 @@
 import { TOrgPermission } from "@app/lib/types";
 
+export type TLDAPConfig = {
+  id: string;
+  organization: string;
+  isActive: boolean;
+  url: string;
+  bindDN: string;
+  bindPass: string;
+  searchBase: string;
+  groupSearchBase: string;
+  groupSearchFilter: string;
+  caCert: string;
+};
+
 export type TCreateLdapCfgDTO = {
   orgId: string;
   isActive: boolean;
@@ -7,6 +20,9 @@ export type TCreateLdapCfgDTO = {
   bindDN: string;
   bindPass: string;
   searchBase: string;
+  searchFilter: string;
+  groupSearchBase: string;
+  groupSearchFilter: string;
   caCert: string;
 } & TOrgPermission;
 
@@ -18,6 +34,9 @@ export type TUpdateLdapCfgDTO = {
   bindDN: string;
   bindPass: string;
   searchBase: string;
+  searchFilter: string;
+  groupSearchBase: string;
+  groupSearchFilter: string;
   caCert: string;
 }> &
   TOrgPermission;
@@ -27,11 +46,35 @@ export type TGetLdapCfgDTO = {
 } & TOrgPermission;
 
 export type TLdapLoginDTO = {
+  ldapConfigId: string;
   externalId: string;
   username: string;
   firstName: string;
   lastName: string;
   emails: string[];
   orgId: string;
+  groups?: {
+    dn: string;
+    cn: string;
+  }[];
   relayState?: string;
 };
+
+export type TGetLdapGroupMapsDTO = {
+  ldapConfigId: string;
+} & TOrgPermission;
+
+export type TCreateLdapGroupMapDTO = {
+  ldapConfigId: string;
+  ldapGroupCN: string;
+  groupSlug: string;
+} & TOrgPermission;
+
+export type TDeleteLdapGroupMapDTO = {
+  ldapConfigId: string;
+  ldapGroupMapId: string;
+} & TOrgPermission;
+
+export type TTestLdapConnectionDTO = {
+  ldapConfigId: string;
+} & TOrgPermission;

backend/src/ee/services/ldap-config/ldap-fns.ts

@@ -0,0 +1,119 @@
+import ldapjs from "ldapjs";
+
+import { logger } from "@app/lib/logger";
+
+import { TLDAPConfig } from "./ldap-config-types";
+
+export const isValidLdapFilter = (filter: string) => {
+  try {
+    ldapjs.parseFilter(filter);
+    return true;
+  } catch (error) {
+    logger.error("Invalid LDAP filter");
+    logger.error(error);
+    return false;
+  }
+};
+
+/**
+ * Test the LDAP configuration by attempting to bind to the LDAP server
+ * @param ldapConfig - The LDAP configuration to test
+ * @returns {Boolean} isConnected - Whether or not the connection was successful
+ */
+export const testLDAPConfig = async (ldapConfig: TLDAPConfig): Promise<boolean> => {
+  return new Promise((resolve) => {
+    const ldapClient = ldapjs.createClient({
+      url: ldapConfig.url,
+      bindDN: ldapConfig.bindDN,
+      bindCredentials: ldapConfig.bindPass,
+      ...(ldapConfig.caCert !== ""
+        ? {
+            tlsOptions: {
+              ca: [ldapConfig.caCert]
+            }
+          }
+        : {})
+    });
+
+    ldapClient.on("error", (err) => {
+      logger.error("LDAP client error:", err);
+      logger.error(err);
+      resolve(false);
+    });
+
+    ldapClient.bind(ldapConfig.bindDN, ldapConfig.bindPass, (err) => {
+      if (err) {
+        logger.error("Error binding to LDAP");
+        logger.error(err);
+        ldapClient.unbind();
+        resolve(false);
+      } else {
+        logger.info("Successfully connected and bound to LDAP.");
+        ldapClient.unbind();
+        resolve(true);
+      }
+    });
+  });
+};
+
+/**
+ * Search for groups in the LDAP server
+ * @param ldapConfig - The LDAP configuration to use
+ * @param filter - The filter to use when searching for groups
+ * @param base - The base to search from
+ * @returns
+ */
+export const searchGroups = async (
+  ldapConfig: TLDAPConfig,
+  filter: string,
+  base: string
+): Promise<{ dn: string; cn: string }[]> => {
+  return new Promise((resolve, reject) => {
+    const ldapClient = ldapjs.createClient({
+      url: ldapConfig.url,
+      bindDN: ldapConfig.bindDN,
+      bindCredentials: ldapConfig.bindPass,
+      ...(ldapConfig.caCert !== ""
+        ? {
+            tlsOptions: {
+              ca: [ldapConfig.caCert]
+            }
+          }
+        : {})
+    });
+
+    ldapClient.search(
+      base,
+      {
+        filter,
+        scope: "sub"
+      },
+      (err, res) => {
+        if (err) {
+          ldapClient.unbind();
+          return reject(err);
+        }
+
+        const groups: { dn: string; cn: string }[] = [];
+
+        res.on("searchEntry", (entry) => {
+          const dn = entry.dn.toString();
+          const regex = /cn=([^,]+)/;
+          const match = dn.match(regex);
+          // parse the cn from the dn
+          const cn = (match && match[1]) as string;
+
+          groups.push({ dn, cn });
+        });
+        res.on("error", (error) => {
+          ldapClient.unbind();
+          reject(error);
+        });
+        res.on("end", () => {
+          ldapClient.unbind();
+          resolve(groups);
+        });
+      }
+    );
+  });
+};

backend/src/ee/services/ldap-config/ldap-group-map-dal.ts

@@ -0,0 +1,41 @@
+import { TDbClient } from "@app/db";
+import { TableName } from "@app/db/schemas";
+import { DatabaseError } from "@app/lib/errors";
+import { ormify, selectAllTableCols } from "@app/lib/knex";
+
+export type TLdapGroupMapDALFactory = ReturnType<typeof ldapGroupMapDALFactory>;
+
+export const ldapGroupMapDALFactory = (db: TDbClient) => {
+  const ldapGroupMapOrm = ormify(db, TableName.LdapGroupMap);
+
+  const findLdapGroupMapsByLdapConfigId = async (ldapConfigId: string) => {
+    try {
+      const docs = await db(TableName.LdapGroupMap)
+        .where(`${TableName.LdapGroupMap}.ldapConfigId`, ldapConfigId)
+        .join(TableName.Groups, `${TableName.LdapGroupMap}.groupId`, `${TableName.Groups}.id`)
+        .select(selectAllTableCols(TableName.LdapGroupMap))
+        .select(
+          db.ref("id").withSchema(TableName.Groups).as("groupId"),
+          db.ref("name").withSchema(TableName.Groups).as("groupName"),
+          db.ref("slug").withSchema(TableName.Groups).as("groupSlug")
+        );
+
+      return docs.map((doc) => {
+        return {
+          id: doc.id,
+          ldapConfigId: doc.ldapConfigId,
+          ldapGroupCN: doc.ldapGroupCN,
+          group: {
+            id: doc.groupId,
+            name: doc.groupName,
+            slug: doc.groupSlug
+          }
+        };
+      });
+    } catch (error) {
+      throw new DatabaseError({ error, name: "findGroupMaps" });
+    }
+  };
+
+  return { ...ldapGroupMapOrm, findLdapGroupMapsByLdapConfigId };
+};

backend/src/ee/services/saml-config/saml-config-service.ts

@@ -340,11 +340,12 @@ export const samlConfigServiceFactory = ({
               orgId,
               inviteEmail: email,
               role: OrgMembershipRole.Member,
-              status: OrgMembershipStatus.Accepted
+              status: user.isAccepted ? OrgMembershipStatus.Accepted : OrgMembershipStatus.Invited // if user is fully completed, then set status to accepted, otherwise set it to invited so we can update it later
             },
             tx
           );
-        } else if (orgMembership.status === OrgMembershipStatus.Invited) {
+          // Only update the membership to Accepted if the user account is already completed.
+        } else if (orgMembership.status === OrgMembershipStatus.Invited && user.isAccepted) {
           await orgDAL.updateMembershipById(
             orgMembership.id,
             {

backend/src/ee/services/secret-approval-request/secret-approval-request-service.ts

@@ -495,7 +495,11 @@ export const secretApprovalRequestServiceFactory = ({
     await projectDAL.checkProjectUpgradeStatus(projectId);
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
-    if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "GenSecretApproval" });
+    if (!folder)
+      throw new BadRequestError({
+        message: "Folder not found for the given environment slug & secret path",
+        name: "GenSecretApproval"
+      });
     const folderId = folder.id;
 
     const blindIndexCfg = await secretBlindIndexDAL.findOne({ projectId });

backend/src/server/routes/index.ts

@@ -18,6 +18,7 @@ import { identityProjectAdditionalPrivilegeDALFactory } from "@app/ee/services/i
 import { identityProjectAdditionalPrivilegeServiceFactory } from "@app/ee/services/identity-project-additional-privilege/identity-project-additional-privilege-service";
 import { ldapConfigDALFactory } from "@app/ee/services/ldap-config/ldap-config-dal";
 import { ldapConfigServiceFactory } from "@app/ee/services/ldap-config/ldap-config-service";
+import { ldapGroupMapDALFactory } from "@app/ee/services/ldap-config/ldap-group-map-dal";
 import { licenseDALFactory } from "@app/ee/services/license/license-dal";
 import { licenseServiceFactory } from "@app/ee/services/license/license-service";
 import { permissionDALFactory } from "@app/ee/services/permission/permission-dal";
@@ -200,6 +201,7 @@ export const registerRoutes = async (
   const samlConfigDAL = samlConfigDALFactory(db);
   const scimDAL = scimDALFactory(db);
   const ldapConfigDAL = ldapConfigDALFactory(db);
+  const ldapGroupMapDAL = ldapGroupMapDALFactory(db);
   const sapApproverDAL = secretApprovalPolicyApproverDALFactory(db);
   const secretApprovalPolicyDAL = secretApprovalPolicyDALFactory(db);
   const secretApprovalRequestDAL = secretApprovalRequestDALFactory(db);
@@ -300,8 +302,15 @@ export const registerRoutes = async (
 
   const ldapService = ldapConfigServiceFactory({
     ldapConfigDAL,
+    ldapGroupMapDAL,
     orgDAL,
     orgBotDAL,
+    groupDAL,
+    groupProjectDAL,
+    projectKeyDAL,
+    projectDAL,
+    projectBotDAL,
+    userGroupMembershipDAL,
     userDAL,
     userAliasDAL,
     permissionService,

backend/src/server/routes/v1/project-env-router.ts

@@ -1,3 +1,4 @@
+import slugify from "@sindresorhus/slugify";
 import { z } from "zod";
 
 import { ProjectEnvironmentsSchema } from "@app/db/schemas";
@@ -26,7 +27,13 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
       }),
       body: z.object({
         name: z.string().trim().describe(ENVIRONMENTS.CREATE.name),
-        slug: z.string().trim().describe(ENVIRONMENTS.CREATE.slug)
+        slug: z
+          .string()
+          .trim()
+          .refine((v) => slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .describe(ENVIRONMENTS.CREATE.slug)
       }),
       response: {
         200: z.object({
@@ -84,7 +91,14 @@ export const registerProjectEnvRouter = async (server: FastifyZodProvider) => {
         id: z.string().trim().describe(ENVIRONMENTS.UPDATE.id)
       }),
       body: z.object({
-        slug: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.slug),
+        slug: z
+          .string()
+          .trim()
+          .optional()
+          .refine((v) => !v || slugify(v) === v, {
+            message: "Slug must be a valid slug"
+          })
+          .describe(ENVIRONMENTS.UPDATE.slug),
         name: z.string().trim().optional().describe(ENVIRONMENTS.UPDATE.name),
         position: z.number().optional().describe(ENVIRONMENTS.UPDATE.position)
       }),

backend/src/services/auth/auth-login-service.ts

@@ -191,7 +191,7 @@ export const authLoginServiceFactory = ({
       const decodedProviderToken = validateProviderAuthToken(providerAuthToken, email);
 
       authMethod = decodedProviderToken.authMethod;
-      if (isAuthMethodSaml(authMethod) && decodedProviderToken.orgId) {
+      if ((isAuthMethodSaml(authMethod) || authMethod === AuthMethod.LDAP) && decodedProviderToken.orgId) {
         organizationId = decodedProviderToken.orgId;
       }
     }

backend/src/services/auth/auth-signup-service.ts

@@ -4,6 +4,7 @@ import { OrgMembershipStatus } from "@app/db/schemas";
 import { convertPendingGroupAdditionsToGroupMemberships } from "@app/ee/services/group/group-fns";
 import { TUserGroupMembershipDALFactory } from "@app/ee/services/group/user-group-membership-dal";
 import { TLicenseServiceFactory } from "@app/ee/services/license/license-service";
+import { isAuthMethodSaml } from "@app/ee/services/permission/permission-fns";
 import { getConfig } from "@app/lib/config/env";
 import { BadRequestError } from "@app/lib/errors";
 import { isDisposableEmail } from "@app/lib/validator";
@@ -139,9 +140,11 @@ export const authSignupServiceFactory = ({
       throw new Error("Failed to complete account for complete user");
     }
 
-    let organizationId;
+    let organizationId: string | null = null;
+    let authMethod: AuthMethod | null = null;
     if (providerAuthToken) {
-      const { orgId } = validateProviderAuthToken(providerAuthToken, user.username);
+      const { orgId, authMethod: userAuthMethod } = validateProviderAuthToken(providerAuthToken, user.username);
+      authMethod = userAuthMethod;
       organizationId = orgId;
     } else {
       validateSignUpAuthorization(authorization, user.id);
@@ -165,6 +168,26 @@ export const authSignupServiceFactory = ({
         },
         tx
       );
+      // If it's SAML Auth and the organization ID is present, we should check if the user has a pending invite for this org, and accept it
+      if (isAuthMethodSaml(authMethod) && organizationId) {
+        const [pendingOrgMembership] = await orgDAL.findMembership({
+          inviteEmail: email,
+          userId: user.id,
+          status: OrgMembershipStatus.Invited,
+          orgId: organizationId
+        });
+
+        if (pendingOrgMembership) {
+          await orgDAL.updateMembershipById(
+            pendingOrgMembership.id,
+            {
+              status: OrgMembershipStatus.Accepted
+            },
+            tx
+          );
+        }
+      }
+
       return { info: us, key: userEncKey };
     });
 

backend/src/services/secret-import/secret-import-fns.ts

@@ -1,33 +1,66 @@
-import { SecretType, TSecretImports } from "@app/db/schemas";
+import { SecretType, TSecretImports, TSecrets } from "@app/db/schemas";
 import { groupBy } from "@app/lib/fn";
 
 import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretFolderDALFactory } from "../secret-folder/secret-folder-dal";
+import { TSecretImportDALFactory } from "./secret-import-dal";
 
+type TSecretImportSecrets = {
+  secretPath: string;
+  environment: string;
+  environmentInfo: {
+    id: string;
+    slug: string;
+    name: string;
+  };
+  folderId: string | undefined;
+  importFolderId: string;
+  secrets: (TSecrets & { workspace: string; environment: string; _id: string })[];
+};
+
+const LEVEL_BREAK = 10;
+const getImportUniqKey = (envSlug: string, path: string) => `${envSlug}=${path}`;
 export const fnSecretsFromImports = async ({
-  allowedImports,
+  allowedImports: possibleCyclicImports,
   folderDAL,
-  secretDAL
+  secretDAL,
+  secretImportDAL,
+  depth = 0,
+  cyclicDetector = new Set()
 }: {
   allowedImports: (Omit<TSecretImports, "importEnv"> & {
     importEnv: { id: string; slug: string; name: string };
   })[];
   folderDAL: Pick<TSecretFolderDALFactory, "findByManySecretPath">;
   secretDAL: Pick<TSecretDALFactory, "find">;
+  secretImportDAL: Pick<TSecretImportDALFactory, "findByFolderIds">;
+  depth?: number;
+  cyclicDetector?: Set<string>;
 }) => {
-  const importedFolders = await folderDAL.findByManySecretPath(
-    allowedImports.map(({ importEnv, importPath }) => ({
-      envId: importEnv.id,
-      secretPath: importPath
-    }))
+  // avoid going more than a depth
+  if (depth >= LEVEL_BREAK) return [];
+
+  const allowedImports = possibleCyclicImports.filter(
+    ({ importPath, importEnv }) => !cyclicDetector.has(getImportUniqKey(importEnv.slug, importPath))
   );
-  const folderIds = importedFolders.map((el) => el?.id).filter(Boolean) as string[];
-  if (!folderIds.length) {
+
+  const importedFolders = (
+    await folderDAL.findByManySecretPath(
+      allowedImports.map(({ importEnv, importPath }) => ({
+        envId: importEnv.id,
+        secretPath: importPath
+      }))
+    )
+  ).filter(Boolean); // remove undefined ones
+  if (!importedFolders.length) {
     return [];
   }
+
+  const importedFolderIds = importedFolders.map((el) => el?.id) as string[];
+  const importedFolderGroupBySourceImport = groupBy(importedFolders, (i) => `${i?.envId}-${i?.path}`);
   const importedSecrets = await secretDAL.find(
     {
-      $in: { folderId: folderIds },
+      $in: { folderId: importedFolderIds },
       type: SecretType.Shared
     },
     {
@@ -35,18 +68,50 @@ export const fnSecretsFromImports = async ({
     }
   );
 
-  const importedSecsGroupByFolderId = groupBy(importedSecrets, (i) => i.folderId);
-  return allowedImports.map(({ importPath, importEnv }, i) => ({
-    secretPath: importPath,
-    environment: importEnv.slug,
-    environmentInfo: importEnv,
-    folderId: importedFolders?.[i]?.id,
-    // this will ensure for cases when secrets are empty. Could be due to missing folder for a path or when emtpy secrets inside a given path
-    secrets: (importedSecsGroupByFolderId?.[importedFolders?.[i]?.id as string] || []).map((item) => ({
-      ...item,
+  const importedSecretsGroupByFolderId = groupBy(importedSecrets, (i) => i.folderId);
+
+  allowedImports.forEach(({ importPath, importEnv }) => {
+    cyclicDetector.add(getImportUniqKey(importEnv.slug, importPath));
+  });
+  // now we need to check recursively deeper imports made inside other imports
+  // we go level wise meaning we take all imports of a tree level and then go deeper ones level by level
+  const deeperImports = await secretImportDAL.findByFolderIds(importedFolderIds);
+  let secretsFromDeeperImports: TSecretImportSecrets[] = [];
+  if (deeperImports.length) {
+    secretsFromDeeperImports = await fnSecretsFromImports({
+      allowedImports: deeperImports,
+      secretImportDAL,
+      folderDAL,
+      secretDAL,
+      depth: depth + 1,
+      cyclicDetector
+    });
+  }
+  const secretsFromdeeperImportGroupedByFolderId = groupBy(secretsFromDeeperImports, (i) => i.importFolderId);
+
+  const secrets = allowedImports.map(({ importPath, importEnv, id, folderId }, i) => {
+    const sourceImportFolder = importedFolderGroupBySourceImport[`${importEnv.id}-${importPath}`][0];
+    const folderDeeperImportSecrets =
+      secretsFromdeeperImportGroupedByFolderId?.[sourceImportFolder?.id || ""]?.[0]?.secrets || [];
+
+    return {
+      secretPath: importPath,
       environment: importEnv.slug,
-      workspace: "", // This field should not be used, it's only here to keep the older Python SDK versions backwards compatible with the new Postgres backend.
-      _id: item.id // The old Python SDK depends on the _id field being returned. We return this to keep the older Python SDK versions backwards compatible with the new Postgres backend.
-    }))
-  }));
+      environmentInfo: importEnv,
+      folderId: importedFolders?.[i]?.id,
+      id,
+      importFolderId: folderId,
+      // this will ensure for cases when secrets are empty. Could be due to missing folder for a path or when emtpy secrets inside a given path
+      secrets: (importedSecretsGroupByFolderId?.[importedFolders?.[i]?.id as string] || [])
+        .map((item) => ({
+          ...item,
+          environment: importEnv.slug,
+          workspace: "", // This field should not be used, it's only here to keep the older Python SDK versions backwards compatible with the new Postgres backend.
+          _id: item.id // The old Python SDK depends on the _id field being returned. We return this to keep the older Python SDK versions backwards compatible with the new Postgres backend.
+        }))
+        .concat(folderDeeperImportSecrets)
+    };
+  });
+
+  return secrets;
 };

backend/src/services/secret-import/secret-import-service.ts

@@ -290,7 +290,7 @@ export const secretImportServiceFactory = ({
         })
       )
     );
-    return fnSecretsFromImports({ allowedImports, folderDAL, secretDAL });
+    return fnSecretsFromImports({ allowedImports, folderDAL, secretDAL, secretImportDAL });
   };
 
   return {

backend/src/services/secret/secret-fns.ts

@@ -575,7 +575,11 @@ export const createManySecretsRawFnFactory = ({
     await projectDAL.checkProjectUpgradeStatus(projectId);
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
-    if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
+    if (!folder)
+      throw new BadRequestError({
+        message: "Folder not found for the given environment slug & secret path",
+        name: "Create secret"
+      });
     const folderId = folder.id;
 
     const blindIndexCfg = await secretBlindIndexDAL.findOne({ projectId });
@@ -680,7 +684,11 @@ export const updateManySecretsRawFnFactory = ({
     await projectDAL.checkProjectUpgradeStatus(projectId);
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, secretPath);
-    if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Update secret" });
+    if (!folder)
+      throw new BadRequestError({
+        message: "Folder not found for the given environment slug & secret path",
+        name: "Update secret"
+      });
     const folderId = folder.id;
 
     const blindIndexCfg = await secretBlindIndexDAL.findOne({ projectId });

backend/src/services/secret/secret-service.ts

@@ -182,7 +182,11 @@ export const secretServiceFactory = ({
     await projectDAL.checkProjectUpgradeStatus(projectId);
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
+    if (!folder)
+      throw new BadRequestError({
+        message: "Folder not found for the given environment slug & secret path",
+        name: "Create secret"
+      });
     const folderId = folder.id;
 
     const blindIndexCfg = await secretBlindIndexDAL.findOne({ projectId });
@@ -278,7 +282,11 @@ export const secretServiceFactory = ({
     }
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
+    if (!folder)
+      throw new BadRequestError({
+        message: "Folder not found for the given environment slug & secret path",
+        name: "Create secret"
+      });
     const folderId = folder.id;
 
     const blindIndexCfg = await secretBlindIndexDAL.findOne({ projectId });
@@ -394,7 +402,11 @@ export const secretServiceFactory = ({
     await projectDAL.checkProjectUpgradeStatus(projectId);
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
+    if (!folder)
+      throw new BadRequestError({
+        message: "Folder not found for the given environment slug & secret path",
+        name: "Create secret"
+      });
     const folderId = folder.id;
 
     const blindIndexCfg = await secretBlindIndexDAL.findOne({ projectId });
@@ -513,7 +525,8 @@ export const secretServiceFactory = ({
       const importedSecrets = await fnSecretsFromImports({
         allowedImports,
         secretDAL,
-        folderDAL
+        folderDAL,
+        secretImportDAL
       });
 
       return {
@@ -562,7 +575,11 @@ export const secretServiceFactory = ({
       subject(ProjectPermissionSub.Secrets, { environment, secretPath: path })
     );
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
+    if (!folder)
+      throw new BadRequestError({
+        message: "Folder not found for the given environment slug & secret path",
+        name: "Create secret"
+      });
     const folderId = folder.id;
 
     const secretBlindIndex = await interalGenSecBlindIndexByName(projectId, secretName);
@@ -614,7 +631,8 @@ export const secretServiceFactory = ({
       const importedSecrets = await fnSecretsFromImports({
         allowedImports,
         secretDAL,
-        folderDAL
+        folderDAL,
+        secretImportDAL
       });
       for (let i = importedSecrets.length - 1; i >= 0; i -= 1) {
         for (let j = 0; j < importedSecrets[i].secrets.length; j += 1) {
@@ -658,7 +676,11 @@ export const secretServiceFactory = ({
     await projectDAL.checkProjectUpgradeStatus(projectId);
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
+    if (!folder)
+      throw new BadRequestError({
+        message: "Folder not found for the given environment slug & secret path",
+        name: "Create secret"
+      });
     const folderId = folder.id;
 
     const blindIndexCfg = await secretBlindIndexDAL.findOne({ projectId });
@@ -727,7 +749,11 @@ export const secretServiceFactory = ({
     await projectDAL.checkProjectUpgradeStatus(projectId);
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Update secret" });
+    if (!folder)
+      throw new BadRequestError({
+        message: "Folder not found for the given environment slug & secret path",
+        name: "Update secret"
+      });
     const folderId = folder.id;
 
     const blindIndexCfg = await secretBlindIndexDAL.findOne({ projectId });
@@ -813,7 +839,11 @@ export const secretServiceFactory = ({
     await projectDAL.checkProjectUpgradeStatus(projectId);
 
     const folder = await folderDAL.findBySecretPath(projectId, environment, path);
-    if (!folder) throw new BadRequestError({ message: "Folder not  found", name: "Create secret" });
+    if (!folder)
+      throw new BadRequestError({
+        message: "Folder not found for the given environment slug & secret path",
+        name: "Create secret"
+      });
     const folderId = folder.id;
 
     const blindIndexCfg = await secretBlindIndexDAL.findOne({ projectId });

cli/packages/cmd/folder.go

@@ -22,10 +22,6 @@ var folderCmd = &cobra.Command{
 var getCmd = &cobra.Command{
 	Use:   "get",
 	Short: "Get folders in a directory",
-	PersistentPreRun: func(cmd *cobra.Command, args []string) {
-		util.RequireLocalWorkspaceFile()
-		util.RequireLogin()
-	},
 	Run: func(cmd *cobra.Command, args []string) {
 
 		environmentName, _ := cmd.Flags().GetString("env")

cli/packages/cmd/secrets.go

@@ -7,6 +7,7 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
+	"os"
 	"regexp"
 	"sort"
 	"strings"
@@ -204,8 +205,10 @@ var secretsSetCmd = &cobra.Command{
 		// decrypt workspace key
 		plainTextEncryptionKey := crypto.DecryptAsymmetric(encryptedWorkspaceKey, encryptedWorkspaceKeyNonce, encryptedWorkspaceKeySenderPublicKey, currentUsersPrivateKey)
 
+		infisicalTokenEnv := os.Getenv(util.INFISICAL_TOKEN_NAME)
+
 		// pull current secrets
-		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, SecretsPath: secretsPath}, "")
+		secrets, err := util.GetAllEnvironmentVariables(models.GetAllSecretsParameters{Environment: environmentName, SecretsPath: secretsPath, InfisicalToken: infisicalTokenEnv}, "")
 		if err != nil {
 			util.HandleError(err, "unable to retrieve secrets")
 		}

cli/packages/util/folders.go

@@ -2,7 +2,6 @@ package util
 
 import (
 	"fmt"
-	"os"
 	"strings"
 
 	"github.com/Infisical/infisical-merge/packages/api"
@@ -13,13 +12,11 @@ import (
 
 func GetAllFolders(params models.GetAllFoldersParameters) ([]models.SingleFolder, error) {
 
-	if params.InfisicalToken == "" {
-		params.InfisicalToken = os.Getenv(INFISICAL_TOKEN_NAME)
-	}
-
 	var foldersToReturn []models.SingleFolder
 	var folderErr error
 	if params.InfisicalToken == "" && params.UniversalAuthAccessToken == "" {
+		RequireLogin()
+		RequireLocalWorkspaceFile()
 
 		log.Debug().Msg("GetAllFolders: Trying to fetch folders using logged in details")
 

cli/packages/util/secrets.go

@@ -307,10 +307,6 @@ func FilterSecretsByTag(plainTextSecrets []models.SingleEnvironmentVariable, tag
 }
 
 func GetAllEnvironmentVariables(params models.GetAllSecretsParameters, projectConfigFilePath string) ([]models.SingleEnvironmentVariable, error) {
-	if params.InfisicalToken == "" {
-		params.InfisicalToken = os.Getenv(INFISICAL_TOKEN_NAME)
-	}
-
 	isConnected := CheckIsConnectedToInternet()
 	var secretsToReturn []models.SingleEnvironmentVariable
 	// var serviceTokenDetails api.GetServiceTokenDetailsResponse

docs/documentation/platform/ldap.mdx

@@ -1,36 +0,0 @@
----
-title: "LDAP"
-description: "Log in to Infisical with LDAP"
----
-
-<Info>
-    LDAP is a paid feature.
-   
-   If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
-   then you should contact sales@infisical.com to purchase an enterprise license to use it.
-</Info>
-
-You can configure your organization in Infisical to have members authenticate with the platform via [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol).
-
-<Steps>
-   <Step title="Prepare the LDAP configuration in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > LDAP Configuration and select **Set up LDAP**.
-        
-        Next, input your LDAP server settings.
-        
-        ![LDAP configuration](/images/platform/ldap/ldap-config.png)
-        
-        Here's some guidance for each field:
-
-        - URL: The LDAP server to connect to such as `ldap://ldap.your-org.com`, `ldaps://ldap.myorg.com:636` (for connection over SSL/TLS), etc.
-        - Bind DN: The distinguished name of object to bind when performing the user search such as `cn=infisical,ou=Users,dc=acme,dc=com`.
-        - Bind Pass: The password to use along with `Bind DN` when performing the user search.
-        - Search Base / User DN: Base DN under which to perform user search such as `ou=Users,dc=example,dc=com`
-        - CA Certificate: The CA certificate to use when verifying the LDAP server certificate.
-   </Step>
-   <Step title="Enable LDAP in Infisical">
-        Enabling LDAP allows members in your organization to log into Infisical via LDAP.
-        
-        ![LDAP toggle](/images/platform/ldap/ldap-toggle.png)
-   </Step>
-</Steps>

docs/documentation/platform/ldap/general.mdx

@@ -4,16 +4,17 @@ description: "Learn how to log in to Infisical with LDAP."
 ---
 
 <Info>
-    LDAP is a paid feature.
-   If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
-   then you should contact sales@infisical.com to purchase an enterprise license to use it.
+  LDAP is a paid feature. If you're using Infisical Cloud, then it is available
+  under the **Enterprise Tier**. If you're self-hosting Infisical, then you
+  should contact sales@infisical.com to purchase an enterprise license to use
+  it.
 </Info>
 
 You can configure your organization in Infisical to have members authenticate with the platform via [LDAP](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol)
 
 <Steps>
    <Step title="Prepare the LDAP configuration in Infisical">
-        In Infisical, head to your Organization Settings > Authentication > LDAP Configuration and select **Set up LDAP**.
+        In Infisical, head to your Organization Settings > Security > LDAP and select **Manage**.
 
         Next, input your LDAP server settings.
 
@@ -24,11 +25,50 @@ You can configure your organization in Infisical to have members authenticate wi
         - URL: The LDAP server to connect to such as `ldap://ldap.your-org.com`, `ldaps://ldap.myorg.com:636` (for connection over SSL/TLS), etc.
         - Bind DN: The distinguished name of object to bind when performing the user search such as `cn=infisical,ou=Users,dc=acme,dc=com`.
         - Bind Pass: The password to use along with `Bind DN` when performing the user search.
-        - Search Base / User DN: Base DN under which to perform user search such as `ou=Users,dc=example,dc=com`
+        - User Search Base / User DN: Base DN under which to perform user search such as `ou=Users,dc=acme,dc=com`.
+        - User Search Filter (optional): Template used to construct the LDAP user search filter such as `(uid={{username}})`; use literal `{{username}}` to have the given username used in the search. The default is `(uid={{username}})` which is compatible with several common directory schemas.
+        - Group Search Base / Group DN (optional): LDAP search base to use for group membership search such as `ou=Groups,dc=acme,dc=com`.
+        - Group Filter (optional): Template used when constructing the group membership query such as `(&(objectClass=posixGroup)(memberUid={{.Username}}))`. The template can access the following context variables: [`UserDN`, `UserName`]. The default is `(|(memberUid={{.Username}})(member={{.UserDN}})(uniqueMember={{.UserDN}}))` which is compatible with several common directory schemas.
         - CA Certificate: The CA certificate to use when verifying the LDAP server certificate.
+
+     <Note>
+          The **Group Search Base / Group DN** and **Group Filter** fields are both required if you wish to sync LDAP groups to Infisical.
+     </Note>
+
+   </Step>
+   <Step title="Test the LDAP connection">
+      Once you've filled out the LDAP configuration, you can test that part of the configuration is correct by pressing the **Test Connection** button.
+
+      Infisical will attempt to bind to the LDAP server using the provided **URL**, **Bind DN**, and **Bind Pass**. If the operation is successful, then Infisical will display a success message; if not, then Infisical will display an error message and provide a fuller error in the server logs.
+
+        ![LDAP test connection](/images/platform/ldap/ldap-test-connection.png)
+    </Step>
+
+   <Step title="Define mappings from LDAP groups to groups in Infisical">
+     In order to sync LDAP groups to Infisical, head to the **LDAP Group Mappings** section to define mappings from LDAP groups to groups in Infisical.
+     
+     ![LDAP group mappings section](/images/platform/ldap/ldap-group-mappings-section.png)
+     
+     Group mappings ensure that users who log into Infisical via LDAP are added to or removed from the Infisical group(s) that corresponds to the LDAP group(s) they are a member of.
+     
+     ![LDAP group mappings table](/images/platform/ldap/ldap-group-mappings-table.png)
+     
+     Each group mapping consists of two parts: 
+     - LDAP Group CN: The common name of the LDAP group to map.
+     - Infisical Group: The Infisical group to map the LDAP group to.
+     
+     For example, suppose you want to automatically add a user who is part of the LDAP group with CN `Engineers` to the Infisical group `Engineers` when the user sets up their account with Infisical.
+     
+     In this case, you would specify a mapping from the LDAP group with CN `Engineers` to the Infisical group `Engineers`.
+     Now when the user logs into Infisical via LDAP, Infisical will check the LDAP groups that the user is a part of whilst referencing the group mappings you created earlier. Since the user is a member of the LDAP group with CN `Engineers`, they will be added to the Infisical group `Engineers`.
+     In the future, if the user is no longer part of the LDAP group with CN `Engineers`, they will be removed from the Infisical group `Engineers` upon their next login.
+     <Note>
+          Prior to defining any group mappings, ensure that you've created the Infisical groups that you want to map the LDAP groups to.
+          You can read more about creating (user) groups in Infisical [here](/documentation/platform/groups).
+     </Note>
    </Step>
    <Step title="Enable LDAP in Infisical">
         Enabling LDAP allows members in your organization to log into Infisical via LDAP.
         ![LDAP toggle](/images/platform/ldap/ldap-toggle.png)
    </Step>
-</Steps>
+</Steps>

docs/documentation/platform/ldap/jumpcloud.mdx

@@ -4,9 +4,10 @@ description: "Learn how to configure JumpCloud LDAP for authenticating into Infi
 ---
 
 <Info>
-    LDAP is a paid feature.
-    If you're using Infisical Cloud, then it is available under the **Enterprise Tier**. If you're self-hosting Infisical,
-    then you should contact sales@infisical.com to purchase an enterprise license to use it.
+  LDAP is a paid feature. If you're using Infisical Cloud, then it is available
+  under the **Enterprise Tier**. If you're self-hosting Infisical, then you
+  should contact sales@infisical.com to purchase an enterprise license to use
+  it.
 </Info>
 
 <Steps>
@@ -17,13 +18,12 @@ description: "Learn how to configure JumpCloud LDAP for authenticating into Infi
         When creating the user, input their **First Name**, **Last Name**, **Username** (required), **Company Email** (required), and **Description**.
         Also, create a password for the user.
 
-        Next, under User Security Settings and Permissions > Permission Settings, check the box next to **Enable as LDAP Bind DN**. 
+        Next, under User Security Settings and Permissions > Permission Settings, check the box next to **Enable as LDAP Bind DN**.
 
         ![LDAP JumpCloud](/images/platform/ldap/jumpcloud/ldap-jumpcloud-enable-bind-dn.png)
-
     </Step>
     <Step title="Prepare the LDAP configuration in Infisical">
-            In Infisical, head to your Organization Settings > Authentication > LDAP Configuration and select **Set up LDAP**.
+            In Infisical, head to your Organization Settings > Security > LDAP and select **Manage**.
 
             Next, input your JumpCloud LDAP server settings.
 
@@ -34,21 +34,57 @@ description: "Learn how to configure JumpCloud LDAP for authenticating into Infi
             - URL: The LDAP server to connect to (`ldaps://ldap.jumpcloud.com:636`).
             - Bind DN: The distinguished name of object to bind when performing the user search (`uid=<ldap-user-username>,ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
             - Bind Pass: The password to use along with `Bind DN` when performing the user search.
-            - Search Base / User DN: Base DN under which to perform user search (`ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
+            - User Search Base / User DN: Base DN under which to perform user search (`ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
+            - User Search Filter (optional): Template used to construct the LDAP user search filter (`(uid={{username}})`).
+            - Group Search Base / Group DN (optional): LDAP search base to use for group membership search (`ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com`).
+            - Group Filter (optional): Template used when constructing the group membership query (`(&(objectClass=groupOfNames)(member=uid={{.Username}},ou=Users,o=<your-org-id>,dc=jumpcloud,dc=com))`)
             - CA Certificate: The CA certificate to use when verifying the LDAP server certificate (instructions to obtain the certificate for JumpCloud [here](https://jumpcloud.com/support/connect-to-ldap-with-tls-ssl)).
 
             <Tip>
                 When filling out the **Bind DN** and **Bind Pass** fields, refer to the username and password of the user created in Step 1.
 
-                Also, for the **Bind DN** and **Search Base / User DN** fields, you'll want to use the organization ID that appears 
+                Also, for the **Bind DN** and **Search Base / User DN** fields, you'll want to use the organization ID that appears
                 in your LDAP instance **ORG DN**.
             </Tip>
     </Step>
+    <Step title="Test the LDAP connection">
+      Once you've filled out the LDAP configuration, you can test that part of the configuration is correct by pressing the **Test Connection** button.
+
+      Infisical will attempt to bind to the LDAP server using the provided **URL**, **Bind DN**, and **Bind Pass**. If the operation is successful, then Infisical will display a success message; if not, then Infisical will display an error message and provide a fuller error in the server logs.
+
+        ![LDAP test connection](/images/platform/ldap/ldap-test-connection.png)
+    </Step>
+    <Step title="Define mappings from LDAP groups to groups in Infisical">
+     In order to sync LDAP groups to Infisical, head to the **LDAP Group Mappings** section to define mappings from LDAP groups to groups in Infisical.
+
+     ![LDAP group mappings section](/images/platform/ldap/ldap-group-mappings-section.png)
+
+     Group mappings ensure that users who log into Infisical via LDAP are added to or removed from the Infisical group(s) that corresponds to the LDAP group(s) they are a member of.
+
+     ![LDAP group mappings table](/images/platform/ldap/ldap-group-mappings-table.png)
+
+     Each group mapping consists of two parts:
+     - LDAP Group CN: The common name of the LDAP group to map.
+     - Infisical Group: The Infisical group to map the LDAP group to.
+
+     For example, suppose you want to automatically add a user who is part of the LDAP group with CN `Engineers` to the Infisical group `Engineers` when the user sets up their account with Infisical.
+
+     In this case, you would specify a mapping from the LDAP group with CN `Engineers` to the Infisical group `Engineers`.
+     Now when the user logs into Infisical via LDAP, Infisical will check the LDAP groups that the user is a part of whilst referencing the group mappings you created earlier. Since the user is a member of the LDAP group with CN `Engineers`, they will be added to the Infisical group `Engineers`.
+     In the future, if the user is no longer part of the LDAP group with CN `Engineers`, they will be removed from the Infisical group `Engineers` upon their next login.
+     <Note>
+          Prior to defining any group mappings, ensure that you've created the Infisical groups that you want to map the LDAP groups to.
+          You can read more about creating (user) groups in Infisical [here](/documentation/platform/groups).
+     </Note>
+
+   </Step>
     <Step title="Enable LDAP in Infisical">
             Enabling LDAP allows members in your organization to log into Infisical via LDAP.
             ![LDAP toggle](/images/platform/ldap/ldap-toggle.png)
     </Step>
+
 </Steps>
 
 Resources:
-- [JumpCloud Cloud LDAP Guide](https://jumpcloud.com/support/use-cloud-ldap)
+
+- [JumpCloud Cloud LDAP Guide](https://jumpcloud.com/support/use-cloud-ldap)

docs/self-hosting/deployment-options/kubernetes-helm.mdx

@@ -22,7 +22,7 @@ description: "Learn how to use Helm chart to install Infisical on your Kubernete
   </Step>
   <Step title="Select Infisical version">
     By default, the Infisical version set in your helm chart will likely be outdated. 
-    Choose the latest Infisical docker image tag from here [here](https://hub.docker.com/r/infisical/infisical/tags).
+    Choose the latest Infisical docker image tag from [here](https://hub.docker.com/r/infisical/infisical/tags).
     
 
     ```yaml values.yaml

frontend/package-lock.json

@@ -38,6 +38,7 @@
         "@radix-ui/react-toast": "^1.1.5",
         "@radix-ui/react-tooltip": "^1.0.7",
         "@reduxjs/toolkit": "^1.8.3",
+        "@sindresorhus/slugify": "^2.2.1",
         "@stripe/react-stripe-js": "^1.16.3",
         "@stripe/stripe-js": "^1.46.0",
         "@tanstack/react-query": "^4.23.0",
@@ -5776,6 +5777,57 @@
       "integrity": "sha512-+Fj43pSMwJs4KRrH/938Uf+uAELIgVBmQzg/q1YG10djyfA3TnrU8N8XzqCh/okZdszqBQTZf96idMfE5lnwTA==",
       "dev": true
     },
+    "node_modules/@sindresorhus/slugify": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/@sindresorhus/slugify/-/slugify-2.2.1.tgz",
+      "integrity": "sha512-MkngSCRZ8JdSOCHRaYd+D01XhvU3Hjy6MGl06zhOk614hp9EOAp5gIkBeQg7wtmxpitU6eAL4kdiRMcJa2dlrw==",
+      "dependencies": {
+        "@sindresorhus/transliterate": "^1.0.0",
+        "escape-string-regexp": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@sindresorhus/slugify/node_modules/escape-string-regexp": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-5.0.0.tgz",
+      "integrity": "sha512-/veY75JbMK4j1yjvuUxuVsiS/hr/4iHs9FTT6cgTexxdE0Ly/glccBAkloH/DofkjRbZU3bnoj38mOmhkZ0lHw==",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@sindresorhus/transliterate": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/@sindresorhus/transliterate/-/transliterate-1.6.0.tgz",
+      "integrity": "sha512-doH1gimEu3A46VX6aVxpHTeHrytJAG6HgdxntYnCFiIFHEM/ZGpG8KiZGBChchjQmG0XFIBL552kBTjVcMZXwQ==",
+      "dependencies": {
+        "escape-string-regexp": "^5.0.0"
+      },
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@sindresorhus/transliterate/node_modules/escape-string-regexp": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/escape-string-regexp/-/escape-string-regexp-5.0.0.tgz",
+      "integrity": "sha512-/veY75JbMK4j1yjvuUxuVsiS/hr/4iHs9FTT6cgTexxdE0Ly/glccBAkloH/DofkjRbZU3bnoj38mOmhkZ0lHw==",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/@storybook/addon-actions": {
       "version": "7.6.8",
       "resolved": "https://registry.npmjs.org/@storybook/addon-actions/-/addon-actions-7.6.8.tgz",

frontend/package.json

@@ -46,6 +46,7 @@
     "@radix-ui/react-toast": "^1.1.5",
     "@radix-ui/react-tooltip": "^1.0.7",
     "@reduxjs/toolkit": "^1.8.3",
+    "@sindresorhus/slugify": "^2.2.1",
     "@stripe/react-stripe-js": "^1.16.3",
     "@stripe/stripe-js": "^1.46.0",
     "@tanstack/react-query": "^4.23.0",

frontend/src/components/v2/InfisicalSecretInput/InfisicalSecretInput.tsx

@@ -0,0 +1,375 @@
+import { TextareaHTMLAttributes, useEffect, useRef, useState } from "react";
+import { faCircle, faFolder, faKey } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import * as Popover from "@radix-ui/react-popover";
+import { twMerge } from "tailwind-merge";
+
+import { useWorkspace } from "@app/context";
+import { useDebounce } from "@app/hooks";
+import { useGetFoldersByEnv, useGetProjectSecrets, useGetUserWsKey } from "@app/hooks/api";
+
+import { SecretInput } from "../SecretInput";
+
+const REGEX_UNCLOSED_SECRET_REFERENCE = /\${(?![^{}]*\})/g;
+const REGEX_OPEN_SECRET_REFERENCE = /\${/g;
+
+export enum ReferenceType {
+  ENVIRONMENT = "environment",
+  FOLDER = "folder",
+  SECRET = "secret"
+}
+
+type Props = TextareaHTMLAttributes<HTMLTextAreaElement> & {
+  value?: string | null;
+  isImport?: boolean;
+  isVisible?: boolean;
+  isReadOnly?: boolean;
+  isDisabled?: boolean;
+  secretPath?: string;
+  environment?: string;
+  containerClassName?: string;
+};
+
+type ReferenceItem = {
+  name: string;
+  type: ReferenceType;
+  slug?: string;
+};
+
+export const InfisicalSecretInput = ({
+  value: propValue,
+  isVisible,
+  containerClassName,
+  onBlur,
+  isDisabled,
+  isImport,
+  isReadOnly,
+  secretPath: propSecretPath,
+  environment: propEnvironment,
+  onChange,
+  ...props
+}: Props) => {
+  const [inputValue, setInputValue] = useState(propValue ?? "");
+  const [isSuggestionsOpen, setIsSuggestionsOpen] = useState(false);
+  const [currentCursorPosition, setCurrentCursorPosition] = useState(0);
+  const [currentReference, setCurrentReference] = useState<string>("");
+  const [secretPath, setSecretPath] = useState<string>(propSecretPath || "/");
+  const [environment, setEnvironment] = useState<string | undefined>(propEnvironment);
+  const { currentWorkspace } = useWorkspace();
+  const workspaceId = currentWorkspace?.id || "";
+  const { data: decryptFileKey } = useGetUserWsKey(workspaceId);
+  const { data: secrets } = useGetProjectSecrets({
+    decryptFileKey: decryptFileKey!,
+    environment: environment || currentWorkspace?.environments?.[0].slug!,
+    secretPath,
+    workspaceId
+  });
+  const { folderNames: folders } = useGetFoldersByEnv({
+    path: secretPath,
+    environments: [environment || currentWorkspace?.environments?.[0].slug!],
+    projectId: workspaceId
+  });
+
+  const debouncedCurrentReference = useDebounce(currentReference, 100);
+
+  const [listReference, setListReference] = useState<ReferenceItem[]>([]);
+  const [highlightedIndex, setHighlightedIndex] = useState(-1);
+  const inputRef = useRef<HTMLTextAreaElement>(null);
+
+  useEffect(() => {
+    setInputValue(propValue ?? "");
+  }, [propValue]);
+
+  useEffect(() => {
+    let currentEnvironment = propEnvironment;
+    let currentSecretPath = propSecretPath || "/";
+
+    if (!currentReference) {
+      setSecretPath(currentSecretPath);
+      setEnvironment(currentEnvironment);
+      return;
+    }
+
+    const isNested = currentReference.includes(".");
+
+    if (isNested) {
+      const [envSlug, ...folderPaths] = currentReference.split(".");
+      const isValidEnvSlug = currentWorkspace?.environments.find((e) => e.slug === envSlug);
+      currentEnvironment = isValidEnvSlug ? envSlug : undefined;
+
+      // should be based on the last valid section (with .)
+      folderPaths.pop();
+      currentSecretPath = `/${folderPaths?.join("/")}`;
+    }
+
+    setSecretPath(currentSecretPath);
+    setEnvironment(currentEnvironment);
+  }, [debouncedCurrentReference]);
+
+  useEffect(() => {
+    const currentListReference: ReferenceItem[] = [];
+    const isNested = currentReference?.includes(".");
+
+    if (!currentReference) {
+      setListReference(currentListReference);
+      return;
+    }
+
+    if (!environment) {
+      currentWorkspace?.environments.forEach((env) => {
+        currentListReference.unshift({
+          name: env.slug,
+          type: ReferenceType.ENVIRONMENT
+        });
+      });
+    } else if (isNested) {
+      folders?.forEach((folder) => {
+        currentListReference.unshift({ name: folder, type: ReferenceType.FOLDER });
+      });
+    } else if (environment) {
+      currentWorkspace?.environments.forEach((env) => {
+        currentListReference.unshift({
+          name: env.slug,
+          type: ReferenceType.ENVIRONMENT
+        });
+      });
+    }
+
+    secrets?.forEach((secret) => {
+      currentListReference.unshift({ name: secret.key, type: ReferenceType.SECRET });
+    });
+
+    // Get fragment inside currentReference
+    const searchFragment = isNested ? currentReference.split(".").pop() || "" : currentReference;
+    const filteredListRef = currentListReference
+      .filter((suggestionEntry) =>
+        suggestionEntry.name.toUpperCase().startsWith(searchFragment.toUpperCase())
+      )
+      .sort((a, b) => a.name.toLowerCase().localeCompare(b.name.toLowerCase()));
+
+    setListReference(filteredListRef);
+  }, [secrets, environment, debouncedCurrentReference]);
+
+  const getIndexOfUnclosedRefToTheLeft = (pos: number) => {
+    // take substring up to pos in order to consider edits for closed references
+    const unclosedReferenceIndexMatches = [
+      ...inputValue.substring(0, pos).matchAll(REGEX_UNCLOSED_SECRET_REFERENCE)
+    ].map((match) => match.index);
+
+    // find unclosed reference index less than the current cursor position
+    let indexIter = -1;
+    unclosedReferenceIndexMatches.forEach((index) => {
+      if (index !== undefined && index > indexIter && index < pos) {
+        indexIter = index;
+      }
+    });
+
+    return indexIter;
+  };
+
+  const getIndexOfUnclosedRefToTheRight = (pos: number) => {
+    const unclosedReferenceIndexMatches = [...inputValue.matchAll(REGEX_OPEN_SECRET_REFERENCE)].map(
+      (match) => match.index
+    );
+
+    // find the next unclosed reference index to the right of the current cursor position
+    // this is so that we know the limitation for slicing references
+    let indexIter = Infinity;
+    unclosedReferenceIndexMatches.forEach((index) => {
+      if (index !== undefined && index > pos && index < indexIter) {
+        indexIter = index;
+      }
+    });
+
+    return indexIter;
+  };
+
+  const handleKeyUp = (e: React.KeyboardEvent<HTMLTextAreaElement>) => {
+    // open suggestions if current position is to the right of an unclosed secret reference
+    const indexIter = getIndexOfUnclosedRefToTheLeft(currentCursorPosition);
+    if (indexIter === -1) {
+      return;
+    }
+
+    setIsSuggestionsOpen(true);
+
+    if (e.key !== "Enter") {
+      // current reference is then going to be based on the text from the closest ${ to the right
+      // until the current cursor position
+      const openReferenceValue = inputValue.slice(indexIter + 2, currentCursorPosition);
+      setCurrentReference(openReferenceValue);
+    }
+  };
+
+  const handleSuggestionSelect = (selectedIndex?: number) => {
+    const selectedSuggestion = listReference[selectedIndex ?? highlightedIndex];
+
+    if (!selectedSuggestion) {
+      return;
+    }
+
+    const leftIndexIter = getIndexOfUnclosedRefToTheLeft(currentCursorPosition);
+    const rightIndexLimit = getIndexOfUnclosedRefToTheRight(currentCursorPosition);
+
+    if (leftIndexIter === -1) {
+      return;
+    }
+
+    let newValue = "";
+    const currentOpenRef = inputValue.slice(leftIndexIter + 2, currentCursorPosition);
+    if (currentOpenRef.includes(".")) {
+      // append suggestion after last DOT (.)
+      const lastDotIndex = currentReference.lastIndexOf(".");
+      const existingPath = currentReference.slice(0, lastDotIndex);
+      const refEndAfterAppending = Math.min(
+        leftIndexIter +
+          3 +
+          existingPath.length +
+          selectedSuggestion.name.length +
+          Number(selectedSuggestion.type !== ReferenceType.SECRET),
+        rightIndexLimit - 1
+      );
+
+      newValue = `${inputValue.slice(0, leftIndexIter + 2)}${existingPath}.${
+        selectedSuggestion.name
+      }${selectedSuggestion.type !== ReferenceType.SECRET ? "." : "}"}${inputValue.slice(
+        refEndAfterAppending
+      )}`;
+      const openReferenceValue = newValue.slice(leftIndexIter + 2, refEndAfterAppending);
+      setCurrentReference(openReferenceValue);
+
+      // add 1 in order to prevent referenceOpen from being triggered by handleKeyUp
+      setCurrentCursorPosition(refEndAfterAppending + 1);
+    } else {
+      // append selectedSuggestion at position after unclosed ${
+      const refEndAfterAppending = Math.min(
+        selectedSuggestion.name.length +
+          leftIndexIter +
+          2 +
+          Number(selectedSuggestion.type !== ReferenceType.SECRET),
+        rightIndexLimit - 1
+      );
+
+      newValue = `${inputValue.slice(0, leftIndexIter + 2)}${selectedSuggestion.name}${
+        selectedSuggestion.type !== ReferenceType.SECRET ? "." : "}"
+      }${inputValue.slice(refEndAfterAppending)}`;
+
+      const openReferenceValue = newValue.slice(leftIndexIter + 2, refEndAfterAppending);
+      setCurrentReference(openReferenceValue);
+      setCurrentCursorPosition(refEndAfterAppending);
+    }
+
+    onChange?.({ target: { value: newValue } } as any);
+    setInputValue(newValue);
+    setHighlightedIndex(-1);
+    setIsSuggestionsOpen(false);
+  };
+
+  const handleKeyDown = (e: React.KeyboardEvent<HTMLTextAreaElement>) => {
+    const mod = (n: number, m: number) => ((n % m) + m) % m;
+    if (e.key === "ArrowDown") {
+      setHighlightedIndex((prevIndex) => mod(prevIndex + 1, listReference.length));
+    } else if (e.key === "ArrowUp") {
+      setHighlightedIndex((prevIndex) => mod(prevIndex - 1, listReference.length));
+    } else if (e.key === "Enter" && highlightedIndex >= 0) {
+      handleSuggestionSelect();
+    }
+    if (["ArrowDown", "ArrowUp", "Enter"].includes(e.key)) {
+      e.preventDefault();
+    }
+  };
+
+  const setIsOpen = (isOpen: boolean) => {
+    setHighlightedIndex(-1);
+
+    if (isSuggestionsOpen) {
+      setIsSuggestionsOpen(isOpen);
+    }
+  };
+
+  const handleSecretChange = (e: any) => {
+    // propagate event to react-hook-form onChange
+    if (onChange) {
+      onChange(e);
+    }
+
+    setCurrentCursorPosition(inputRef.current?.selectionStart || 0);
+    setInputValue(e.target.value);
+  };
+
+  return (
+    <Popover.Root
+      open={isSuggestionsOpen && listReference.length > 0 && currentReference.length > 0}
+      onOpenChange={setIsOpen}
+    >
+      <Popover.Trigger asChild>
+        <SecretInput
+          {...props}
+          ref={inputRef}
+          onKeyDown={handleKeyDown}
+          onKeyUp={handleKeyUp}
+          value={inputValue}
+          onChange={handleSecretChange}
+          containerClassName={containerClassName}
+        />
+      </Popover.Trigger>
+      <Popover.Content
+        align="start"
+        onOpenAutoFocus={(e) => e.preventDefault()}
+        className={twMerge(
+          "relative top-2 z-[100] overflow-hidden rounded-md border border-mineshaft-600 bg-mineshaft-900 font-inter text-bunker-100 shadow-md"
+        )}
+        style={{
+          width: "var(--radix-popover-trigger-width)",
+          maxHeight: "var(--radix-select-content-available-height)"
+        }}
+      >
+        <div className="max-w-60 h-full w-full flex-col items-center justify-center rounded-md text-white">
+          {listReference.map((item, i) => {
+            let entryIcon;
+            if (item.type === ReferenceType.SECRET) {
+              entryIcon = faKey;
+            } else if (item.type === ReferenceType.ENVIRONMENT) {
+              entryIcon = faCircle;
+            } else {
+              entryIcon = faFolder;
+            }
+
+            return (
+              <div
+                tabIndex={0}
+                role="button"
+                onMouseDown={(e) => {
+                  e.preventDefault();
+                  setHighlightedIndex(i);
+                  handleSuggestionSelect(i);
+                }}
+                style={{ pointerEvents: "auto" }}
+                className="flex items-center justify-between border-mineshaft-600 text-left"
+                key={`secret-reference-secret-${i + 1}`}
+              >
+                <div
+                  className={`${
+                    highlightedIndex === i ? "bg-gray-600" : ""
+                  } text-md relative mb-0.5 flex w-full cursor-pointer select-none items-center justify-between rounded-md px-2 py-2 outline-none transition-all hover:bg-mineshaft-500 data-[highlighted]:bg-mineshaft-500`}
+                >
+                  <div className="flex gap-2">
+                    <div className="flex items-center text-yellow-700">
+                      <FontAwesomeIcon
+                        icon={entryIcon}
+                        size={item.type === ReferenceType.ENVIRONMENT ? "xs" : "1x"}
+                      />
+                    </div>
+                    <div className="text-md w-10/12 truncate text-left">{item.name}</div>
+                  </div>
+                </div>
+              </div>
+            );
+          })}
+        </div>
+      </Popover.Content>
+    </Popover.Root>
+  );
+};
+
+InfisicalSecretInput.displayName = "InfisicalSecretInput";

frontend/src/components/v2/InfisicalSecretInput/index.tsx

@@ -0,0 +1 @@
+export { InfisicalSecretInput } from "./InfisicalSecretInput";

frontend/src/hooks/api/ldapConfig/index.tsx

@@ -1 +1,7 @@
-export { useCreateLDAPConfig, useGetLDAPConfig, useUpdateLDAPConfig } from "./queries";
+export {
+  useCreateLDAPConfig,
+  useCreateLDAPGroupMapping,
+  useDeleteLDAPGroupMapping,
+  useTestLDAPConnection,
+  useUpdateLDAPConfig} from "./mutations";
+export { useGetLDAPConfig, useGetLDAPGroupMaps } from "./queries";

frontend/src/hooks/api/ldapConfig/mutations.tsx

@@ -0,0 +1,155 @@
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+
+import { apiRequest } from "@app/config/request";
+
+import { ldapConfigKeys } from "./queries";
+
+export const useCreateLDAPConfig = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async ({
+      organizationId,
+      isActive,
+      url,
+      bindDN,
+      bindPass,
+      searchBase,
+      searchFilter,
+      groupSearchBase,
+      groupSearchFilter,
+      caCert
+    }: {
+      organizationId: string;
+      isActive: boolean;
+      url: string;
+      bindDN: string;
+      bindPass: string;
+      searchBase: string;
+      searchFilter: string;
+      groupSearchBase: string;
+      groupSearchFilter: string;
+      caCert?: string;
+    }) => {
+      const { data } = await apiRequest.post("/api/v1/ldap/config", {
+        organizationId,
+        isActive,
+        url,
+        bindDN,
+        bindPass,
+        searchBase,
+        searchFilter,
+        groupSearchBase,
+        groupSearchFilter,
+        caCert
+      });
+
+      return data;
+    },
+    onSuccess(_, dto) {
+      queryClient.invalidateQueries(ldapConfigKeys.getLDAPConfig(dto.organizationId));
+    }
+  });
+};
+
+export const useUpdateLDAPConfig = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async ({
+      organizationId,
+      isActive,
+      url,
+      bindDN,
+      bindPass,
+      searchBase,
+      searchFilter,
+      groupSearchBase,
+      groupSearchFilter,
+      caCert
+    }: {
+      organizationId: string;
+      isActive?: boolean;
+      url?: string;
+      bindDN?: string;
+      bindPass?: string;
+      searchBase?: string;
+      searchFilter?: string;
+      groupSearchBase?: string;
+      groupSearchFilter?: string;
+      caCert?: string;
+    }) => {
+      const { data } = await apiRequest.patch("/api/v1/ldap/config", {
+        organizationId,
+        isActive,
+        url,
+        bindDN,
+        bindPass,
+        searchBase,
+        searchFilter,
+        groupSearchBase,
+        groupSearchFilter,
+        caCert
+      });
+
+      return data;
+    },
+    onSuccess(_, dto) {
+      queryClient.invalidateQueries(ldapConfigKeys.getLDAPConfig(dto.organizationId));
+    }
+  });
+};
+
+export const useCreateLDAPGroupMapping = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async ({
+      ldapConfigId,
+      ldapGroupCN,
+      groupSlug
+    }: {
+      ldapConfigId: string;
+      ldapGroupCN: string;
+      groupSlug: string;
+    }) => {
+      const { data } = await apiRequest.post(`/api/v1/ldap/config/${ldapConfigId}/group-maps`, {
+        ldapGroupCN,
+        groupSlug
+      });
+      return data;
+    },
+    onSuccess(_, { ldapConfigId }) {
+      queryClient.invalidateQueries(ldapConfigKeys.getLDAPGroupMaps(ldapConfigId));
+    }
+  });
+};
+
+export const useDeleteLDAPGroupMapping = () => {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: async ({
+      ldapConfigId,
+      ldapGroupMapId
+    }: {
+      ldapConfigId: string;
+      ldapGroupMapId: string;
+    }) => {
+      const { data } = await apiRequest.delete(
+        `/api/v1/ldap/config/${ldapConfigId}/group-maps/${ldapGroupMapId}`
+      );
+      return data;
+    },
+    onSuccess(_, { ldapConfigId }) {
+      queryClient.invalidateQueries(ldapConfigKeys.getLDAPGroupMaps(ldapConfigId));
+    }
+  });
+};
+
+export const useTestLDAPConnection = () => {
+  return useMutation({
+    mutationFn: async (ldapConfigId: string) => {
+      const { data } = await apiRequest.post<boolean>(
+        `/api/v1/ldap/config/${ldapConfigId}/test-connection`
+      );
+      return data;
+    }
+  });
+};

frontend/src/hooks/api/ldapConfig/queries.tsx

@@ -1,9 +1,12 @@
-import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
+import { useQuery } from "@tanstack/react-query";
 
 import { apiRequest } from "@app/config/request";
 
-const ldapConfigKeys = {
-  getLDAPConfig: (orgId: string) => [{ orgId }, "organization-ldap"] as const
+import { LDAPGroupMap } from "./types";
+
+export const ldapConfigKeys = {
+  getLDAPConfig: (orgId: string) => [{ orgId }, "organization-ldap"] as const,
+  getLDAPGroupMaps: (ldapConfigId: string) => [{ ldapConfigId }, "ldap-group-maps"] as const
 };
 
 export const useGetLDAPConfig = (organizationId: string) => {
@@ -18,78 +21,18 @@ export const useGetLDAPConfig = (organizationId: string) => {
   });
 };
 
-export const useCreateLDAPConfig = () => {
-  const queryClient = useQueryClient();
-  return useMutation({
-    mutationFn: async ({
-      organizationId,
-      isActive,
-      url,
-      bindDN,
-      bindPass,
-      searchBase,
-      caCert
-    }: {
-      organizationId: string;
-      isActive: boolean;
-      url: string;
-      bindDN: string;
-      bindPass: string;
-      searchBase: string;
-      caCert?: string;
-    }) => {
-      const { data } = await apiRequest.post("/api/v1/ldap/config", {
-        organizationId,
-        isActive,
-        url,
-        bindDN,
-        bindPass,
-        searchBase,
-        caCert
-      });
+export const useGetLDAPGroupMaps = (ldapConfigId: string) => {
+  return useQuery({
+    queryKey: ldapConfigKeys.getLDAPGroupMaps(ldapConfigId),
+    queryFn: async () => {
+      if (!ldapConfigId) return [];
+
+      const { data } = await apiRequest.get<LDAPGroupMap[]>(
+        `/api/v1/ldap/config/${ldapConfigId}/group-maps`
+      );
 
       return data;
     },
-    onSuccess(_, dto) {
-      queryClient.invalidateQueries(ldapConfigKeys.getLDAPConfig(dto.organizationId));
-    }
-  });
-};
-
-export const useUpdateLDAPConfig = () => {
-  const queryClient = useQueryClient();
-  return useMutation({
-    mutationFn: async ({
-      organizationId,
-      isActive,
-      url,
-      bindDN,
-      bindPass,
-      searchBase,
-      caCert
-    }: {
-      organizationId: string;
-      isActive?: boolean;
-      url?: string;
-      bindDN?: string;
-      bindPass?: string;
-      searchBase?: string;
-      caCert?: string;
-    }) => {
-      const { data } = await apiRequest.patch("/api/v1/ldap/config", {
-        organizationId,
-        isActive,
-        url,
-        bindDN,
-        bindPass,
-        searchBase,
-        caCert
-      });
-
-      return data;
-    },
-    onSuccess(_, dto) {
-      queryClient.invalidateQueries(ldapConfigKeys.getLDAPConfig(dto.organizationId));
-    }
+    enabled: true
   });
 };

frontend/src/hooks/api/ldapConfig/types.ts

@@ -0,0 +1,10 @@
+export type LDAPGroupMap = {
+  id: string;
+  ldapConfigId: string;
+  ldapGroupCN: string;
+  group: {
+    id: string;
+    name: string;
+    slug: string;
+  };
+};

frontend/src/views/SecretMainPage/components/CreateSecretForm/CreateSecretForm.tsx

@@ -3,7 +3,8 @@ import { zodResolver } from "@hookform/resolvers/zod";
 import { z } from "zod";
 
 import { createNotification } from "@app/components/notifications";
-import { Button, FormControl, Input, Modal, ModalContent, SecretInput } from "@app/components/v2";
+import { Button, FormControl, Input, Modal, ModalContent } from "@app/components/v2";
+import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
 import { useCreateSecretV3 } from "@app/hooks/api";
 import { UserWsKeyPair } from "@app/hooks/api/types";
 
@@ -44,8 +45,6 @@ export const CreateSecretForm = ({
   const { isOpen } = usePopUpState(PopUpNames.CreateSecretForm);
   const { closePopUp, togglePopUp } = usePopUpAction();
 
-  
-
   const { mutateAsync: createSecretV3 } = useCreateSecretV3();
 
   const handleFormSubmit = async ({ key, value }: TFormSchema) => {
@@ -103,8 +102,10 @@ export const CreateSecretForm = ({
                 isError={Boolean(errors?.value)}
                 errorText={errors?.value?.message}
               >
-                <SecretInput
+                <InfisicalSecretInput
                   {...field}
+                  environment={environment}
+                  secretPath={secretPath}
                   containerClassName="text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-mineshaft-900 px-2 py-1.5"
                 />
               </FormControl>

frontend/src/views/SecretMainPage/components/SecretListView/SecretDetaiSidebar.tsx

@@ -27,12 +27,12 @@ import {
   FormControl,
   IconButton,
   Input,
-  SecretInput,
   Switch,
   Tag,
   TextArea,
   Tooltip
 } from "@app/components/v2";
+import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
 import { ProjectPermissionActions, ProjectPermissionSub, useProjectPermission } from "@app/context";
 import { useToggle } from "@app/hooks";
 import { useGetSecretVersion } from "@app/hooks/api";
@@ -71,7 +71,6 @@ export const SecretDetailSidebar = ({
   environment,
   secretPath
 }: Props) => {
-  
   const {
     register,
     control,
@@ -204,8 +203,10 @@ export const SecretDetailSidebar = ({
                     control={control}
                     render={({ field }) => (
                       <FormControl label="Value">
-                        <SecretInput
+                        <InfisicalSecretInput
                           isReadOnly={isReadOnly}
+                          environment={environment}
+                          secretPath={secretPath}
                           key="secret-value"
                           isDisabled={isOverridden || !isAllowed}
                           containerClassName="text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-bunker-800  px-2 py-1.5"
@@ -240,8 +241,10 @@ export const SecretDetailSidebar = ({
                   control={control}
                   render={({ field }) => (
                     <FormControl label="Value Override">
-                      <SecretInput
+                      <InfisicalSecretInput
                         isReadOnly={isReadOnly}
+                        environment={environment}
+                        secretPath={secretPath}
                         containerClassName="text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-bunker-800  px-2 py-1.5"
                         {...field}
                       />

frontend/src/views/SecretMainPage/components/SecretListView/SecretItem.tsx

@@ -14,7 +14,6 @@ import {
   Popover,
   PopoverContent,
   PopoverTrigger,
-  SecretInput,
   Spinner,
   TextArea,
   Tooltip
@@ -49,6 +48,7 @@ import { memo, useEffect } from "react";
 import { Controller, useFieldArray, useForm } from "react-hook-form";
 import { twMerge } from "tailwind-merge";
 
+import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
 import { CreateReminderForm } from "./CreateReminderForm";
 import { formSchema, SecretActionType, TFormSchema } from "./SecretListView.utils";
 
@@ -263,10 +263,12 @@ export const SecretItem = memo(
                     key="value-overriden"
                     control={control}
                     render={({ field }) => (
-                      <SecretInput
+                      <InfisicalSecretInput
                         key="value-overriden"
                         isVisible={isVisible}
                         isReadOnly={isReadOnly}
+                        environment={environment}
+                        secretPath={secretPath}
                         {...field}
                         containerClassName="py-1.5 rounded-md transition-all group-hover:mr-2"
                       />
@@ -278,10 +280,12 @@ export const SecretItem = memo(
                     key="secret-value"
                     control={control}
                     render={({ field }) => (
-                      <SecretInput
+                      <InfisicalSecretInput
                         isReadOnly={isReadOnly}
                         key="secret-value"
                         isVisible={isVisible}
+                        environment={environment}
+                        secretPath={secretPath}
                         {...field}
                         containerClassName="py-1.5 rounded-md transition-all group-hover:mr-2"
                       />

frontend/src/views/SecretMainPage/components/SnapshotView/SecretItem.tsx

@@ -120,7 +120,9 @@ export const SecretItem = ({ mode, preSecret, postSecret }: Props) => {
                   <Td className="border-r border-mineshaft-600">Value</Td>
                   {isModified && (
                     <Td className="border-r border-mineshaft-600">
-                      <SecretInput value={preSecret?.value} />
+                      <SecretInput
+                        value={preSecret?.value}
+                      />
                     </Td>
                   )}
                   <Td>

frontend/src/views/SecretOverviewPage/components/CreateSecretForm/CreateSecretForm.tsx

@@ -13,9 +13,9 @@ import {
   Input,
   Modal,
   ModalContent,
-  SecretInput,
   Tooltip
 } from "@app/components/v2";
+import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
 import { useWorkspace } from "@app/context";
 import { useCreateFolder, useCreateSecretV3, useUpdateSecretV3 } from "@app/hooks/api";
 import { DecryptedSecret, UserWsKeyPair } from "@app/hooks/api/types";
@@ -64,8 +64,6 @@ export const CreateSecretForm = ({
   const workspaceId = currentWorkspace?.id || "";
   const environments = currentWorkspace?.environments || [];
 
-  
-
   const { mutateAsync: createSecretV3 } = useCreateSecretV3();
   const { mutateAsync: updateSecretV3 } = useUpdateSecretV3();
   const { mutateAsync: createFolder } = useCreateFolder();
@@ -163,7 +161,7 @@ export const CreateSecretForm = ({
                 isError={Boolean(errors?.value)}
                 errorText={errors?.value?.message}
               >
-                <SecretInput
+                <InfisicalSecretInput
                   {...field}
                   containerClassName="text-bunker-300 hover:border-primary-400/50 border border-mineshaft-600 bg-mineshaft-900 px-2 py-1.5"
                 />

frontend/src/views/SecretOverviewPage/components/SecretOverviewTableRow/SecretEditRow.tsx

@@ -6,7 +6,8 @@ import { twMerge } from "tailwind-merge";
 
 import { createNotification } from "@app/components/notifications";
 import { ProjectPermissionCan } from "@app/components/permissions";
-import { IconButton, SecretInput, Tooltip } from "@app/components/v2";
+import { IconButton, Tooltip } from "@app/components/v2";
+import { InfisicalSecretInput } from "@app/components/v2/InfisicalSecretInput";
 import { ProjectPermissionActions, ProjectPermissionSub } from "@app/context";
 import { useToggle } from "@app/hooks";
 
@@ -49,7 +50,6 @@ export const SecretEditRow = ({
     }
   });
   const [isDeleting, setIsDeleting] = useToggle();
-  
 
   const handleFormReset = () => {
     reset();
@@ -97,10 +97,13 @@ export const SecretEditRow = ({
           control={control}
           name="value"
           render={({ field }) => (
-            <SecretInput
+            <InfisicalSecretInput
               {...field}
               value={field.value as string}
+              key="secret-input"
               isVisible={isVisible}
+              secretPath={secretPath}
+              environment={environment}
               isImport={isImportedSecret}
             />
           )}

frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/LDAPGroupMapModal.tsx

@@ -0,0 +1,256 @@
+import { Controller, useForm } from "react-hook-form";
+import { faUsers, faXmark } from "@fortawesome/free-solid-svg-icons";
+import { FontAwesomeIcon } from "@fortawesome/react-fontawesome";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { z } from "zod";
+
+import { createNotification } from "@app/components/notifications";
+import {
+  Button,
+  DeleteActionModal,
+  EmptyState,
+  FormControl,
+  IconButton,
+  Input,
+  Modal,
+  ModalContent,
+  Select,
+  SelectItem,
+  Table,
+  TableContainer,
+  TableSkeleton,
+  TBody,
+  Td,
+  Th,
+  THead,
+  Tr
+} from "@app/components/v2";
+import { useOrganization } from "@app/context";
+import {
+  useCreateLDAPGroupMapping,
+  useDeleteLDAPGroupMapping,
+  useGetLDAPConfig,
+  useGetLDAPGroupMaps,
+  useGetOrganizationGroups
+} from "@app/hooks/api";
+import { UsePopUpState } from "@app/hooks/usePopUp";
+
+const schema = z.object({
+  ldapGroupCN: z.string().min(1, "LDAP Group CN is required"),
+  groupSlug: z.string().min(1, "Group Slug is required")
+});
+
+export type TFormData = z.infer<typeof schema>;
+
+type Props = {
+  popUp: UsePopUpState<["ldapGroupMap", "deleteLdapGroupMap"]>;
+  handlePopUpOpen: (
+    popUpName: keyof UsePopUpState<["deleteLdapGroupMap"]>,
+    data?: {
+      ldapGroupMapId: string;
+      ldapGroupCN: string;
+    }
+  ) => void;
+  handlePopUpToggle: (
+    popUpName: keyof UsePopUpState<["ldapGroupMap", "deleteLdapGroupMap"]>,
+    state?: boolean
+  ) => void;
+};
+
+export const LDAPGroupMapModal = ({ popUp, handlePopUpOpen, handlePopUpToggle }: Props) => {
+  const { currentOrg } = useOrganization();
+
+  const { data: ldapConfig } = useGetLDAPConfig(currentOrg?.id ?? "");
+  const { data: groups } = useGetOrganizationGroups(currentOrg?.id ?? "");
+  const { data: groupMaps, isLoading } = useGetLDAPGroupMaps(ldapConfig?.id ?? "");
+  const { mutateAsync: createLDAPGroupMapping, isLoading: createIsLoading } =
+    useCreateLDAPGroupMapping();
+  const { mutateAsync: deleteLDAPGroupMapping } = useDeleteLDAPGroupMapping();
+
+  const { control, handleSubmit, reset } = useForm<TFormData>({
+    resolver: zodResolver(schema),
+    defaultValues: {
+      ldapGroupCN: "",
+      groupSlug: ""
+    }
+  });
+
+  const onFormSubmit = async ({ groupSlug, ldapGroupCN }: TFormData) => {
+    try {
+      if (!ldapConfig) return;
+
+      await createLDAPGroupMapping({
+        ldapConfigId: ldapConfig.id,
+        groupSlug,
+        ldapGroupCN
+      });
+
+      reset();
+
+      createNotification({
+        text: `Successfully added LDAP group mapping for ${ldapGroupCN}`,
+        type: "success"
+      });
+    } catch (err) {
+      console.error(err);
+      createNotification({
+        text: `Failed to add LDAP group mapping for ${ldapGroupCN}`,
+        type: "error"
+      });
+    }
+  };
+
+  const onDeleteGroupMapSubmit = async ({
+    ldapConfigId,
+    ldapGroupMapId,
+    ldapGroupCN
+  }: {
+    ldapConfigId: string;
+    ldapGroupMapId: string;
+    ldapGroupCN: string;
+  }) => {
+    try {
+      await deleteLDAPGroupMapping({
+        ldapConfigId,
+        ldapGroupMapId
+      });
+
+      handlePopUpToggle("deleteLdapGroupMap", false);
+
+      createNotification({
+        text: `Successfully deleted LDAP group mapping ${ldapGroupCN}`,
+        type: "success"
+      });
+    } catch (err) {
+      console.error(err);
+      createNotification({
+        text: `Failed to delete LDAP group mapping ${ldapGroupCN}`,
+        type: "error"
+      });
+    }
+  };
+
+  return (
+    <Modal
+      isOpen={popUp?.ldapGroupMap?.isOpen}
+      onOpenChange={(isOpen) => {
+        handlePopUpToggle("ldapGroupMap", isOpen);
+        reset();
+      }}
+    >
+      <ModalContent title="Manage LDAP Group Mappings">
+        <h2 className="mb-4">New Group Mapping</h2>
+        <form onSubmit={handleSubmit(onFormSubmit)} className="mb-8">
+          <div className="flex">
+            <Controller
+              control={control}
+              name="ldapGroupCN"
+              render={({ field, fieldState: { error } }) => (
+                <FormControl
+                  label="LDAP Group CN"
+                  errorText={error?.message}
+                  isError={Boolean(error)}
+                >
+                  <Input {...field} placeholder="Engineering" />
+                </FormControl>
+              )}
+            />
+            <Controller
+              control={control}
+              name="groupSlug"
+              defaultValue=""
+              render={({ field: { onChange, ...field }, fieldState: { error } }) => (
+                <FormControl
+                  label="Infisical Group"
+                  errorText={error?.message}
+                  isError={Boolean(error)}
+                  className="ml-4 w-full"
+                >
+                  <div className="flex">
+                    <Select
+                      defaultValue={field.value}
+                      {...field}
+                      onValueChange={(e) => onChange(e)}
+                      className="w-full"
+                    >
+                      {(groups || []).map(({ name, id, slug }) => (
+                        <SelectItem value={slug} key={`internal-group-${id}`}>
+                          {name}
+                        </SelectItem>
+                      ))}
+                    </Select>
+                    <Button className="ml-4" size="sm" type="submit" isLoading={createIsLoading}>
+                      Add mapping
+                    </Button>
+                  </div>
+                </FormControl>
+              )}
+            />
+          </div>
+        </form>
+        <h2 className="mb-4">Group Mappings</h2>
+        <TableContainer>
+          <Table>
+            <THead>
+              <Tr>
+                <Th>LDAP Group CN</Th>
+                <Th>Infisical Group</Th>
+                <Th className="w-5" />
+              </Tr>
+            </THead>
+            <TBody>
+              {isLoading && <TableSkeleton columns={3} innerKey="ldap-group-maps" />}
+              {!isLoading &&
+                groupMaps?.map(({ id, ldapGroupCN, group }) => {
+                  return (
+                    <Tr className="h-10 items-center" key={`ldap-group-map-${id}`}>
+                      <Td>{ldapGroupCN}</Td>
+                      <Td>{group.name}</Td>
+                      <Td>
+                        <IconButton
+                          onClick={() => {
+                            handlePopUpOpen("deleteLdapGroupMap", {
+                              ldapGroupMapId: id,
+                              ldapGroupCN
+                            });
+                          }}
+                          size="lg"
+                          colorSchema="danger"
+                          variant="plain"
+                          ariaLabel="update"
+                        >
+                          <FontAwesomeIcon icon={faXmark} />
+                        </IconButton>
+                      </Td>
+                    </Tr>
+                  );
+                })}
+            </TBody>
+          </Table>
+          {groupMaps?.length === 0 && (
+            <EmptyState title="No LDAP group mappings found" icon={faUsers} />
+          )}
+        </TableContainer>
+        <DeleteActionModal
+          isOpen={popUp.deleteLdapGroupMap.isOpen}
+          title={`Are you sure want to delete the group mapping for ${
+            (popUp?.deleteLdapGroupMap?.data as { ldapGroupCN: string })?.ldapGroupCN || ""
+          }?`}
+          onChange={(isOpen) => handlePopUpToggle("deleteLdapGroupMap", isOpen)}
+          deleteKey="confirm"
+          onDeleteApproved={() => {
+            const deleteLdapGroupMapData = popUp?.deleteLdapGroupMap?.data as {
+              ldapGroupMapId: string;
+              ldapGroupCN: string;
+            };
+            return onDeleteGroupMapSubmit({
+              ldapConfigId: ldapConfig?.id ?? "",
+              ldapGroupMapId: deleteLdapGroupMapData.ldapGroupMapId,
+              ldapGroupCN: deleteLdapGroupMapData.ldapGroupCN
+            });
+          }}
+        />
+      </ModalContent>
+    </Modal>
+  );
+};

frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/LDAPModal.tsx

@@ -6,7 +6,12 @@ import { z } from "zod";
 import { createNotification } from "@app/components/notifications";
 import { Button, FormControl, Input, Modal, ModalContent, TextArea } from "@app/components/v2";
 import { useOrganization } from "@app/context";
-import { useCreateLDAPConfig, useGetLDAPConfig, useUpdateLDAPConfig } from "@app/hooks/api";
+import {
+  useCreateLDAPConfig,
+  useGetLDAPConfig,
+  useTestLDAPConnection,
+  useUpdateLDAPConfig
+} from "@app/hooks/api";
 import { UsePopUpState } from "@app/hooks/usePopUp";
 
 const LDAPFormSchema = z.object({
@@ -14,6 +19,9 @@ const LDAPFormSchema = z.object({
   bindDN: z.string().default(""),
   bindPass: z.string().default(""),
   searchBase: z.string().default(""),
+  searchFilter: z.string().default(""),
+  groupSearchBase: z.string().default(""),
+  groupSearchFilter: z.string().default(""),
   caCert: z.string().optional()
 });
 
@@ -27,15 +35,25 @@ type Props = {
 
 export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props) => {
   const { currentOrg } = useOrganization();
-  
+
   const { mutateAsync: createMutateAsync, isLoading: createIsLoading } = useCreateLDAPConfig();
   const { mutateAsync: updateMutateAsync, isLoading: updateIsLoading } = useUpdateLDAPConfig();
+  const { mutateAsync: testLDAPConnection } = useTestLDAPConnection();
   const { data } = useGetLDAPConfig(currentOrg?.id ?? "");
 
-  const { control, handleSubmit, reset } = useForm<TLDAPFormData>({
+  const { control, handleSubmit, reset, watch } = useForm<TLDAPFormData>({
     resolver: zodResolver(LDAPFormSchema)
   });
 
+  const watchUrl = watch("url");
+  const watchBindDN = watch("bindDN");
+  const watchBindPass = watch("bindPass");
+  const watchSearchBase = watch("searchBase");
+  const watchSearchFilter = watch("searchFilter");
+  const watchGroupSearchBase = watch("groupSearchBase");
+  const watchGroupSearchFilter = watch("groupSearchFilter");
+  const watchCaCert = watch("caCert");
+
   useEffect(() => {
     if (data) {
       reset({
@@ -43,12 +61,25 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
         bindDN: data?.bindDN ?? "",
         bindPass: data?.bindPass ?? "",
         searchBase: data?.searchBase ?? "",
+        searchFilter: data?.searchFilter ?? "",
+        groupSearchBase: data?.groupSearchBase ?? "",
+        groupSearchFilter: data?.groupSearchFilter ?? "",
         caCert: data?.caCert ?? ""
       });
     }
   }, [data]);
 
-  const onSSOModalSubmit = async ({ url, bindDN, bindPass, searchBase, caCert }: TLDAPFormData) => {
+  const onSSOModalSubmit = async ({
+    url,
+    bindDN,
+    bindPass,
+    searchBase,
+    searchFilter,
+    groupSearchBase,
+    groupSearchFilter,
+    caCert,
+    shouldCloseModal = true
+  }: TLDAPFormData & { shouldCloseModal?: boolean }) => {
     try {
       if (!currentOrg) return;
 
@@ -60,6 +91,9 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
           bindDN,
           bindPass,
           searchBase,
+          searchFilter,
+          groupSearchBase,
+          groupSearchFilter,
           caCert
         });
       } else {
@@ -70,11 +104,16 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
           bindDN,
           bindPass,
           searchBase,
+          searchFilter,
+          groupSearchBase,
+          groupSearchFilter,
           caCert
         });
       }
 
-      handlePopUpClose("addLDAP");
+      if (shouldCloseModal) {
+        handlePopUpClose("addLDAP");
+      }
 
       createNotification({
         text: `Successfully ${!data ? "added" : "updated"} LDAP configuration`,
@@ -89,6 +128,45 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
     }
   };
 
+  const handleTestLDAPConnection = async () => {
+    try {
+      await onSSOModalSubmit({
+        url: watchUrl,
+        bindDN: watchBindDN,
+        bindPass: watchBindPass,
+        searchBase: watchSearchBase,
+        searchFilter: watchSearchFilter,
+        groupSearchBase: watchGroupSearchBase,
+        groupSearchFilter: watchGroupSearchFilter,
+        caCert: watchCaCert,
+        shouldCloseModal: false
+      });
+
+      if (!data) return;
+
+      const result = await testLDAPConnection(data.id);
+
+      if (!result) {
+        createNotification({
+          text: "Failed to test the LDAP connection: Bind operation was unsuccessful",
+          type: "error"
+        });
+        return;
+      }
+
+      createNotification({
+        text: "Successfully tested the LDAP connection: Bind operation was successful",
+        type: "success"
+      });
+    } catch (err) {
+      console.error(err);
+      createNotification({
+        text: "Failed to test the LDAP connection",
+        type: "error"
+      });
+    }
+  };
+
   return (
     <Modal
       isOpen={popUp?.addLDAP?.isOpen}
@@ -131,7 +209,7 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
             name="searchBase"
             render={({ field, fieldState: { error } }) => (
               <FormControl
-                label="Search Base / User DN"
+                label="User Search Base / User DN"
                 errorText={error?.message}
                 isError={Boolean(error)}
               >
@@ -139,6 +217,48 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
               </FormControl>
             )}
           />
+          <Controller
+            control={control}
+            name="searchFilter"
+            render={({ field, fieldState: { error } }) => (
+              <FormControl
+                label="User Search Filter (Optional)"
+                errorText={error?.message}
+                isError={Boolean(error)}
+              >
+                <Input {...field} placeholder="(uid={{username}})" />
+              </FormControl>
+            )}
+          />
+          <Controller
+            control={control}
+            name="groupSearchBase"
+            render={({ field, fieldState: { error } }) => (
+              <FormControl
+                label="Group Search Base / Group DN (Optional)"
+                errorText={error?.message}
+                isError={Boolean(error)}
+              >
+                <Input {...field} placeholder="ou=groups,dc=acme,dc=com" />
+              </FormControl>
+            )}
+          />
+          <Controller
+            control={control}
+            name="groupSearchFilter"
+            render={({ field, fieldState: { error } }) => (
+              <FormControl
+                label="Group Filter (Optional)"
+                errorText={error?.message}
+                isError={Boolean(error)}
+              >
+                <Input
+                  {...field}
+                  placeholder="(&(objectClass=posixGroup)(memberUid={{.Username}}))"
+                />
+              </FormControl>
+            )}
+          />
           <Controller
             control={control}
             name="caCert"
@@ -161,12 +281,8 @@ export const LDAPModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props)
             >
               {!data ? "Add" : "Update"}
             </Button>
-            <Button
-              colorSchema="secondary"
-              variant="plain"
-              onClick={() => handlePopUpClose("addLDAP")}
-            >
-              Cancel
+            <Button colorSchema="secondary" onClick={handleTestLDAPConnection}>
+              Test Connection
             </Button>
           </div>
         </form>

frontend/src/views/Settings/OrgSettingsPage/components/OrgAuthTab/OrgLDAPSection.tsx

@@ -10,16 +10,20 @@ import {
 import { useCreateLDAPConfig, useGetLDAPConfig, useUpdateLDAPConfig } from "@app/hooks/api";
 import { usePopUp } from "@app/hooks/usePopUp";
 
+import { LDAPGroupMapModal } from "./LDAPGroupMapModal";
 import { LDAPModal } from "./LDAPModal";
 
 export const OrgLDAPSection = (): JSX.Element => {
   const { currentOrg } = useOrganization();
   const { subscription } = useSubscription();
-  
+
   const { data } = useGetLDAPConfig(currentOrg?.id ?? "");
+
   const { mutateAsync } = useUpdateLDAPConfig();
   const { popUp, handlePopUpOpen, handlePopUpClose, handlePopUpToggle } = usePopUp([
     "addLDAP",
+    "ldapGroupMap",
+    "deleteLdapGroupMap",
     "upgradePlan"
   ] as const);
 
@@ -63,7 +67,10 @@ export const OrgLDAPSection = (): JSX.Element => {
             url: "",
             bindDN: "",
             bindPass: "",
-            searchBase: ""
+            searchBase: "",
+            searchFilter: "",
+            groupSearchBase: "",
+            groupSearchFilter: ""
           });
         }
 
@@ -76,21 +83,51 @@ export const OrgLDAPSection = (): JSX.Element => {
     }
   };
 
+  const openLDAPGroupMapModal = () => {
+    if (!subscription?.ldap) {
+      handlePopUpOpen("upgradePlan");
+      return;
+    }
+
+    handlePopUpOpen("ldapGroupMap");
+  };
+
   return (
     <>
       <hr className="border-mineshaft-600" />
       <div className="py-4">
         <div className="mb-2 flex items-center justify-between">
           <h2 className="text-md text-mineshaft-100">LDAP</h2>
+          <div className="flex">
+            <OrgPermissionCan I={OrgPermissionActions.Create} a={OrgPermissionSubjects.Ldap}>
+              {(isAllowed) => (
+                <Button onClick={addLDAPBtnClick} colorSchema="secondary" isDisabled={!isAllowed}>
+                  Manage
+                </Button>
+              )}
+            </OrgPermissionCan>
+          </div>
+        </div>
+        <p className="text-sm text-mineshaft-300">Manage LDAP authentication configuration</p>
+      </div>
+      <div className="py-4">
+        <div className="mb-2 flex items-center justify-between">
+          <h2 className="text-md text-mineshaft-100">LDAP Group Mappings</h2>
           <OrgPermissionCan I={OrgPermissionActions.Create} a={OrgPermissionSubjects.Ldap}>
             {(isAllowed) => (
-              <Button onClick={addLDAPBtnClick} colorSchema="secondary" isDisabled={!isAllowed}>
+              <Button
+                onClick={openLDAPGroupMapModal}
+                colorSchema="secondary"
+                isDisabled={!isAllowed}
+              >
                 Manage
               </Button>
             )}
           </OrgPermissionCan>
         </div>
-        <p className="text-sm text-mineshaft-300">Manage LDAP authentication configuration</p>
+        <p className="text-sm text-mineshaft-300">
+          Manage how LDAP groups are mapped to internal groups in Infisical
+        </p>
       </div>
       {data && (
         <div className="py-4">
@@ -119,6 +156,11 @@ export const OrgLDAPSection = (): JSX.Element => {
         handlePopUpClose={handlePopUpClose}
         handlePopUpToggle={handlePopUpToggle}
       />
+      <LDAPGroupMapModal
+        popUp={popUp}
+        handlePopUpOpen={handlePopUpOpen}
+        handlePopUpToggle={handlePopUpToggle}
+      />
       <UpgradePlanModal
         isOpen={popUp.upgradePlan.isOpen}
         onOpenChange={(isOpen) => handlePopUpToggle("upgradePlan", isOpen)}

frontend/src/views/Settings/ProjectSettingsPage/components/EnvironmentSection/AddEnvironmentModal.tsx

@@ -1,5 +1,6 @@
 import { Controller, useForm } from "react-hook-form";
 import { yupResolver } from "@hookform/resolvers/yup";
+import slugify from "@sindresorhus/slugify";
 import * as yup from "yup";
 
 import { createNotification } from "@app/components/notifications";
@@ -16,7 +17,14 @@ type Props = {
 
 const schema = yup.object({
   environmentName: yup.string().label("Environment Name").required(),
-  environmentSlug: yup.string().label("Environment Slug").required()
+  environmentSlug: yup
+    .string()
+    .label("Environment Slug")
+    .test({
+      test: (slug) => slugify(slug as string) === slug,
+      message: "Slug must be a valid slug"
+    })
+    .required()
 });
 
 export type FormData = yup.InferType<typeof schema>;

frontend/src/views/Settings/ProjectSettingsPage/components/EnvironmentSection/UpdateEnvironmentModal.tsx

@@ -1,5 +1,6 @@
 import { Controller, useForm } from "react-hook-form";
 import { yupResolver } from "@hookform/resolvers/yup";
+import slugify from "@sindresorhus/slugify";
 import * as yup from "yup";
 
 import { createNotification } from "@app/components/notifications";
@@ -16,13 +17,19 @@ type Props = {
 
 const schema = yup.object({
   name: yup.string().label("Environment Name").required(),
-  slug: yup.string().label("Environment Slug").required()
+  slug: yup
+    .string()
+    .label("Environment Slug")
+    .test({
+      test: (slug) => slugify(slug as string) === slug,
+      message: "Slug must be a valid slug"
+    })
+    .required()
 });
 
 export type FormData = yup.InferType<typeof schema>;
 
 export const UpdateEnvironmentModal = ({ popUp, handlePopUpClose, handlePopUpToggle }: Props) => {
-  
   const { currentWorkspace } = useWorkspace();
   const { mutateAsync, isLoading } = useUpdateWsEnvironment();
   const { control, handleSubmit, reset } = useForm<FormData>({
@@ -108,7 +115,11 @@ export const UpdateEnvironmentModal = ({ popUp, handlePopUpClose, handlePopUpTog
               Update
             </Button>
 
-            <Button onClick={() => handlePopUpClose("updateEnv")} colorSchema="secondary" variant="plain">
+            <Button
+              onClick={() => handlePopUpClose("updateEnv")}
+              colorSchema="secondary"
+              variant="plain"
+            >
               Cancel
             </Button>
           </div>