fix: use correct property for LDAP modify operation type

[devin-ai-integration]

Context

The ldif npm parser stores the modify operation (add/delete/replace) in change.type, but the code was reading change.operation — which is always undefined. This caused the fallback to "replace" for all modify operations.

Impact:

• add: member in LDIF was silently sent as replace, overwriting all existing group members instead of adding one
• delete: member in LDIF was silently sent as replace, overwriting all group members instead of removing one
• replace: userPassword happened to work correctly by accident (the fallback matched the intended operation)

This bug affects any LDAP dynamic secret using changetype: modify with add: or delete: operations — including the Active Directory group membership example in Infisical's own LDAP docs. It is also a blocker for IBM DB2 dynamic secrets via LDAP, which require adding/removing users from LDAP groups.

No existing working configurations are broken by this fix. Users relying on replace: operations (e.g., static credential rotation) are unaffected since the fallback already matched.

Steps to verify the change

1. Confirm the ldif npm package uses change.type (not change.operation) for modify operations:

   const ldif = require('ldif');
   const parsed = ldif.parse(`dn: cn=test,dc=example,dc=com\nchangetype: modify\nadd: member\nmember: uid=user\n-\n`);
   console.log(parsed.entries[0].changes[0].type);       // "add"
   console.log(parsed.entries[0].changes[0].operation);   // undefined

2. Set up an LDAP dynamic secret with a Creation LDIF that uses changetype: modify + add: member (e.g., the AD example from docs)
3. Generate a lease and verify the user is added to the group (not replacing all members)

Type

• Fix
• Feature
• Improvement
• Breaking
• Docs
• Chore

Checklist

• Title follows the conventional commit format
• Tested locally (verified parser output; no integration test against a live LDAP server)
• Updated docs (if needed)
• Read the contributing guide

Human review notes

• The fix is a two-line change: updating the TEntry type and the property access from change.operation to change.type
• Key thing to verify: confirm that the ldif npm package (the version used in this repo) indeed uses type and not operation on parsed change objects
• No risk to existing replace: workflows — the fallback || "replace" still applies if change.type were ever undefined

Link to Devin session: https://app.devin.ai/sessions/54d3af210fc54c1a957018979fa8abc5
Requested by: ashwin (ashwin@infisical.com)

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring

[maidul98]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[greptile-apps]

Greptile Summary

This PR fixes a property name bug in the LDAP dynamic secret provider where change.operation was read instead of change.type when constructing ldapjs.Change objects for LDIF changetype: modify operations. Because change.operation is always undefined on objects parsed by the ldif v0.5.1 package, all modify operations silently fell back to "replace", causing add: and delete: operations to overwrite group memberships instead of incrementally adding or removing them.

Key changes:

• Updated the TEntry.changes TypeScript inline type from operation?: string to type?: string, matching the actual shape of objects returned by ldif.parse().
• Changed the property access from change.operation || "replace" to change.type || "replace" so the correct modify operation is forwarded to ldapjs.Change.
• No functional change to replace: operations — the fallback || "replace" still applies and existing static credential rotation workflows are unaffected.

Confidence Score: 5/5

• This PR is safe to merge — it is a minimal, targeted bug fix with no new attack surfaces, no breaking changes, and no side-effects on existing working configurations.
• The change is two lines, directly fixes a well-documented mismatch between the ldif parser's output shape and the property being read, introduces no new logic or inputs, and carries no risk for callers relying on the replace fallback path.
• No files require special attention.

_{Last reviewed commit: 1295f6b}