LDAP: Issues with admin filter

Hi,
I'm currently playing around with an LDAP setup for my Gitea instance.
Or more like I'm setting up LDAP to synchronize the authentication between several services I'm hosting so users don't have to remember 5 different usernames/passwords.

I could easily get authentication working with both LDAP methods but I can't get the admin filter working correctly.

I have two groups on my LDAP server:

cn=gitea,ou=groups,dc=example,dc=com
cn=gitea_admin,ou=groups,dc=example,dc=com

My main user filter is the following:

(&(objectClass=posixAccount)(uid=%s)(memberOf=cn=gitea,ou=groups,dc=example,dc=com))

This works fine and only users which are a member of the gitea group can authenticate.

Tried the same for my admin filter:

(&(objectClass=posixAccount)(uid=%s)(memberOf=cn=gitea_admin,ou=groups,dc=example,dc=com))

But this fails, and I can see why in my LDAP server logs. The admin filter won't substitute the %s with the correct username, so this search turns up empty. I also tried only filtering by memberOf:

(memberOf=cn=gitea_admin,ou=groups,dc=example,dc=com)

But this results in every user getting admin privileges… :stuck_out_tongue:
It seems like it's just searching for this filter on the LDAP server and doesn't care to which user this applies.

Any idea how to fix this, or is it a bug that the substitution isn't working?
I can live without setting admin privileges using an LDAP group, as I could always set this using the Gitea UI if I ever need it; still wondering what the issue is…
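
Added example, not part of the original post and not Gitea's code: a small Python model of the two behaviours described above, assuming the admin filter is run as a tree-wide search with no `%s` substitution, compared with evaluating the same filter only against the authenticated user's entry. The users `alice` and `bob`, their DNs, and all function names are constructed for illustration.

```python
# Added illustration: a model of the symptom in the post, not Gitea's code.
# Constructed sample entries (hypothetical users alice and bob).
GITEA = "cn=gitea,ou=groups,dc=example,dc=com"
ADMIN = "cn=gitea_admin,ou=groups,dc=example,dc=com"
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"
DIRECTORY = {
    ALICE: {"objectClass": ["posixAccount"], "uid": ["alice"], "memberOf": [GITEA, ADMIN]},
    BOB: {"objectClass": ["posixAccount"], "uid": ["bob"], "memberOf": [GITEA]},
}

def _parse(s):
    """Parse the filter subset used in the post: (&...) and (attr=value)."""
    if len(s) < 2 or not s.startswith("("):
        raise ValueError("filter component must start with '('")
    if s[1] == "&":
        parts, s = [], s[2:]
        while s.startswith("("):
            node, s = _parse(s)
            parts.append(node)
        if not s.startswith(")"):
            raise ValueError("unterminated (& ...) filter")
        return ("and", parts), s[1:]
    end = s.index(")")
    attr, _, value = s[1:end].partition("=")  # DN values keep their own '='
    return ("eq", attr, value), s[end + 1:]

def parse(text):
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry):
    if node[0] == "and":
        return all(matches(part, entry) for part in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def is_admin_subtree(admin_filter):
    """Assumed behaviour: search the whole tree; admin if any entry matches."""
    node = parse(admin_filter)
    return any(matches(node, entry) for entry in DIRECTORY.values())

def is_admin_scoped(admin_filter, user_dn):
    """Per-user check: evaluate the filter only on the authenticated entry."""
    return matches(parse(admin_filter), DIRECTORY[user_dn])
```

In this model the bare `memberOf` filter is true for every login under the tree-wide search because `alice` matches it, while the scoped check grants admin to `alice` only; the filter containing a literal `uid=%s` matches no entry at all, which corresponds to the empty search seen in the server logs.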