diff --git a/app/Console/Commands/LdapSync.php b/app/Console/Commands/LdapSync.php index d80e67284..cbd98727e 100755 --- a/app/Console/Commands/LdapSync.php +++ b/app/Console/Commands/LdapSync.php @@ -49,7 +49,7 @@ class LdapSync extends Command $ldap_result_last_name = Setting::getSettings()->ldap_lname_field; $ldap_result_first_name = Setting::getSettings()->ldap_fname_field; - $ldap_result_active_flag = Setting::getSettings()->ldap_active_flag_field; + $ldap_result_active_flag = Setting::getSettings()->ldap_active_flag; $ldap_result_emp_num = Setting::getSettings()->ldap_emp_num; $ldap_result_email = Setting::getSettings()->ldap_email; $ldap_result_phone = Setting::getSettings()->ldap_phone_field; @@ -170,7 +170,6 @@ class LdapSync extends Command $pass = bcrypt($tmp_pass); for ($i = 0; $i < $results["count"]; $i++) { - if (empty($ldap_result_active_flag) || $results[$i][$ldap_result_active_flag][0] == "TRUE") { $item = array(); $item["username"] = isset($results[$i][$ldap_result_username][0]) ? $results[$i][$ldap_result_username][0] : ""; @@ -192,6 +191,7 @@ class LdapSync extends Command $user = User::where('username', $item["username"])->first(); + if ($user) { // Updating an existing user. $item["createorupdate"] = 'updated'; @@ -199,7 +199,7 @@ class LdapSync extends Command // Creating a new user. $user = new User; $user->password = $pass; - $user->activated = 0; + $user->activated = 1; // newly created users can log in by default, unless AD's UAC is in use, or an active flag is set (below) $item["createorupdate"] = 'created'; } @@ -213,8 +213,19 @@ class LdapSync extends Command $user->country = $item["country"]; $user->department_id = $department->id; - // Sync activated state for Active Directory. - if ( array_key_exists('useraccountcontrol', $results[$i]) ) { + if ( !empty($ldap_result_active_flag)) { // IF we have an 'active' flag set.... + // ....then *most* things that are truthy will activate the user. Anything falsey will deactivate them. + // (Specifically, we don't handle a value of '0.0' correctly) + $raw_value = @$results[$i][$ldap_result_active_flag][0]; + $filter_var = filter_var($raw_value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); + $boolean_cast = (bool)$raw_value; + + $user->activated = $filter_var ?? $boolean_cast; // if filter_var() was true or false, use that. If it's null, use the $boolean_cast + + } elseif ( array_key_exists('useraccountcontrol', $results[$i]) ) { + // ....otherwise, (ie if no 'active' LDAP flag is defined), IF the UAC setting exists, + // ....then use the UAC setting on the account to determine can-log-in vs. cannot-log-in + /* The following is _probably_ the correct logic, but we can't use it because some users may have been dependent upon the previous behavior, and this could cause additional access to be available to users they don't want @@ -245,12 +256,9 @@ class LdapSync extends Command '1049088',// 0x100200 NORMAL_ACCOUNT, NOT_DELEGATED ]; $user->activated = ( in_array($results[$i]['useraccountcontrol'][0], $enabled_accounts) ) ? 1 : 0; - } - // If we're not using AD, and there isn't an activated flag set, activate all users - elseif (empty($ldap_result_active_flag)) { - $user->activated = 1; - } + } /* implied 'else' here - leave the $user->activated flag alone. Newly-created accounts will be active. + already-existing accounts will be however the administrator has set them */ if ($item['ldap_location_override'] == true) { $user->location_id = $item['location_id']; @@ -280,7 +288,6 @@ class LdapSync extends Command } array_push($summary, $item); - } } diff --git a/database/migrations/2015_11_08_222305_add_ldap_fields_to_settings.php b/database/migrations/2015_11_08_222305_add_ldap_fields_to_settings.php index a293b4352..f117dc2f7 100644 --- a/database/migrations/2015_11_08_222305_add_ldap_fields_to_settings.php +++ b/database/migrations/2015_11_08_222305_add_ldap_fields_to_settings.php @@ -23,7 +23,7 @@ class AddLdapFieldsToSettings extends Migration { $table->string('ldap_username_field')->nullable()->default('samaccountname'); $table->string('ldap_lname_field')->nullable()->default('sn'); $table->string('ldap_fname_field')->nullable()->default('givenname'); - $table->string('ldap_auth_filter_query')->nullable()->default('uid=samaccountname'); + $table->string('ldap_auth_filter_query')->nullable()->default('uid='); $table->integer('ldap_version')->nullable()->default(3); $table->string('ldap_active_flag')->nullable()->default(NULL); $table->string('ldap_emp_num')->nullable()->default(NULL); diff --git a/database/migrations/2022_02_03_214958_blank_out_ldap_active_flag.php b/database/migrations/2022_02_03_214958_blank_out_ldap_active_flag.php new file mode 100644 index 000000000..db0f5bf80 --- /dev/null +++ b/database/migrations/2022_02_03_214958_blank_out_ldap_active_flag.php @@ -0,0 +1,31 @@ +ldap_active_flag = ''; + $s->save(); + } + + /** + * Reverse the migrations. + * + * @return void + */ + public function down() + { + // + } +}