Merge pull request #16379 from azmcnutt/feature/settings_ldap_invert_active_flag

Feature/settings ldap invert active flag

Author: snipe

app/Console/Commands/LdapSync.php

@@ -361,9 +361,15 @@ public function handle()
                 // (Specifically, we don't handle a value of '0.0' correctly)
                 $raw_value = @$results[$i][$ldap_map["active_flag"]][0];
                 $filter_var = filter_var($raw_value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
+                
                 $boolean_cast = (bool) $raw_value;
-
-                $user->activated = $filter_var ?? $boolean_cast; // if filter_var() was true or false, use that. If it's null, use the $boolean_cast
+                
+                if (Setting::getSettings()->ldap_invert_active_flag === 1) {
+                    // Because ldap_active_flag is set, if filter_var is true or boolean_cast is true, then user is suspended
+                    $user->activated = !($filter_var ?? $boolean_cast);
+                }else{
+                    $user->activated = $filter_var ?? $boolean_cast; // if filter_var() was true or false, use that. If it's null, use the $boolean_cast
+                }
 
             } elseif (array_key_exists('useraccountcontrol', $results[$i])) {
                 // ....otherwise, (ie if no 'active' LDAP flag is defined), IF the UAC setting exists,

app/Http/Controllers/SettingsController.php

@@ -851,6 +851,7 @@ public function postLdapSettings(StoreLdapSettings $request) : RedirectResponse
             $setting->ldap_auth_filter_query = $request->input('ldap_auth_filter_query');
             $setting->ldap_version = $request->input('ldap_version', 3);
             $setting->ldap_active_flag = $request->input('ldap_active_flag');
+            $setting->ldap_invert_active_flag = $request->input('ldap_invert_active_flag');
             $setting->ldap_emp_num = $request->input('ldap_emp_num');
             $setting->ldap_email = $request->input('ldap_email');
             $setting->ldap_manager = $request->input('ldap_manager');

database/migrations/2025_02_26_153413_add_ldap_invert_active_flag_to_setting_table.php

@@ -0,0 +1,28 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        Schema::table('settings', function (Blueprint $table) {
+            $table->boolean('ldap_invert_active_flag')->default(false);
+        });
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        Schema::table('settings', function (Blueprint $table) {
+            $table->dropColumn('ldap_invert_active_flag');
+        });
+    }
+};

resources/lang/en-US/admin/settings/general.php

@@ -118,6 +118,8 @@
     'ldap_version'              => 'LDAP Version',
     'ldap_active_flag'          => 'LDAP Active Flag',
     'ldap_activated_flag_help'  => 'This value is used to determine whether a synced user can login to Snipe-IT. <strong>It does not affect the ability to check items in or out to them</strong>, and should be the <strong>attribute name</strong> within your AD/LDAP, <strong>not the value</strong>. <br><br>If this field is set to a field name that does not exist in your AD/LDAP, or the value in the AD/LDAP field is set to <code>0</code> or <code>false</code>, <strong>user login will be disabled</strong>. If the value in the AD/LDAP field is set to <code>1</code> or <code>true</code> or <em>any other text</em> means the user can log in. When the field is blank in your AD, we respect the <code>userAccountControl</code> attribute, which usually allows non-suspended users to log in.',
+    'ldap_invert_active_flag'   => 'LDAP Invert Active Flag',
+    'ldap_invert_active_flag_help'     => 'If enabled: when the value returned by LDAP Active Flag is <code>0</code> or <code>false</code> the user account will be active.',
     'ldap_emp_num'              => 'LDAP Employee Number',
     'ldap_email'                => 'LDAP Email',
     'ldap_test'                 => 'Test LDAP',

resources/views/settings/ldap.blade.php

@@ -554,6 +554,32 @@
                             </div>
                         </div>
 
+                        <!-- LDAP invert active flag -->
+                        <div class="form-group">
+                            <div class="col-md-3">
+                                {{ Form::label('ldap_invert_active_flag', trans('admin/settings/general.ldap_invert_active_flag')) }}
+                            </div>
+                            <div class="col-md-8">
+                                <label class="form-control">
+                                    <input type="checkbox" name="ldap_invert_active_flag" value="1" id="ldap_invert_active_flag" @checked(old('ldap_invert_active_flag', $setting->ldap_invert_active_flag)) />
+                                    <p class="help-block">{!! trans('admin/settings/general.ldap_invert_active_flag_help') !!}</p>
+                                </label>
+                                @error('ldap_invert_active_flag')
+                                    <span class="alert-msg">
+                                         <x-icon type="x" />
+                                        {{ $message }}
+                                    </span>
+                                @enderror
+
+                                @if (config('app.lock_passwords')===true)
+                                    <p class="text-warning">
+                                        <x-icon type="locked" />
+                                        {{ trans('general.feature_disabled') }}
+                                    </p>
+                                @endif
+                            </div>
+                        </div>
+
                         <!-- LDAP emp number -->
                         <div class="form-group {{ $errors->has('ldap_emp_num') ? 'error' : '' }}">
                             <div class="col-md-3">