From 4facc4007e56924429097b0840ea0acd0bbcd1fa Mon Sep 17 00:00:00 2001
From: setpill <37372069+setpill@users.noreply.github.com>
Date: Fri, 13 Sep 2024 17:05:48 +0200
Subject: [PATCH] feat: Explicitly request LDAP attributes during sync

---
 app/Console/Commands/LdapSync.php | 15 +++++++++++----
 app/Models/Ldap.php | 7 ++++---
 2 files changed, 15 insertions(+), 7 deletions(-)
 mode change 100755 => 100644 app/Console/Commands/LdapSync.php

diff --git a/app/Console/Commands/LdapSync.php b/app/Console/Commands/LdapSync.php
old mode 100755
new mode 100644
index 0027640a10..62fda07892
--- a/app/Console/Commands/LdapSync.php
+++ b/app/Console/Commands/LdapSync.php
@@ -111,14 +111,21 @@ class LdapSync extends Command
 }
 
 /**
- * If a filter has been specified, use that
+ * If a filter has been specified, use that, otherwise default to null
 */
 if ($this->option('filter') != '') {
- $results = Ldap::findLdapUsers($search_base, -1, $this->option('filter'));
+ $filter = $this->option('filter');
 } else {
- $results = Ldap::findLdapUsers($search_base);
+ $filter = null;
 }
-
+
+ /**
+ * We only need to request the LDAP attributes that we process
+ */
+ $attributes = array_values(array_filter($ldap_map));
+
+ $results = Ldap::findLdapUsers($search_base, -1, $filter, $attributes);
+
 } catch (\Exception $e) {
 if ($this->option('json_summary')) {
 $json_summary = ['error' => true, 'error_message' => $e->getMessage(), 'summary' => []];
diff --git a/app/Models/Ldap.php b/app/Models/Ldap.php
index ecce46d82a..f71f926a93 100644
--- a/app/Models/Ldap.php
+++ b/app/Models/Ldap.php
@@ -283,9 +283,10 @@ class Ldap extends Model
 * @param $base_dn
 * @param $count
 * @param $filter
+ * @param $attributes
 * @return array|bool
 */
- public static function findLdapUsers($base_dn = null, $count = -1, $filter = null)
+ public static function findLdapUsers($base_dn = null, $count = -1, $filter = null, $attributes = [])
 {
 $ldapconn = self::connectToLdap();
 self::bindAdminToLdap($ldapconn);
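Review bot: `$attributes = array_values(array_filter($ldap_map));` narrows the search to the mapped attributes, so any attribute the sync loop reads that is not a value of `$ldap_map` will now be absent from every entry (ldap_get_entries still supplies each entry's `dn`); `$ldap_map` is built before this hunk and the processing loop runs after it, so both sides of that contract sit outside what is shown and should be checked. `array_filter` with no callback also drops any mapping whose value is falsy (`''`, `'0'`, `null`), which is presumably the intended "unmapped field" case but deserves saying. Suggested comment above the assignment: `// Only request mapped attributes: anything read from an entry in the loop below must be a value of $ldap_map (dn is always returned)`.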
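Review bot: The added `@param $attributes` line names the parameter but gives it neither a type nor a meaning, and the signature leaves it untyped, so a caller passing a string or an associative array is only rejected deep inside ldap_search. Suggested docblock line: `@param list<string> $attributes LDAP attribute names to request; an empty list returns every attribute, which is the previous behaviour`, with `array $attributes = []` in the signature. findLdapUsers continues past the end of this hunk.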
@@ -319,7 +320,7 @@ class Ldap extends Model
 //if($count == -1) { //count is -1 means we have to employ paging to query the entire directory
 $ldap_controls = [['oid' => LDAP_CONTROL_PAGEDRESULTS, 'iscritical' => false, 'value' => ['size'=> $count == -1||$count>$page_size ? $page_size : $count, 'cookie' => $cookie]]];
 //}
- $search_results = ldap_search($ldapconn, $base_dn, $filter, [], 0, /* $page_size */ -1, -1, LDAP_DEREF_NEVER, $ldap_controls); // TODO - I hate the @, and I hate that we get a full page even if we ask for 10 records. Can we use an ldap_control?
+ $search_results = ldap_search($ldapconn, $base_dn, $filter, $attributes, 0, /* $page_size */ -1, -1, LDAP_DEREF_NEVER, $ldap_controls); // TODO - I hate the @, and I hate that we get a full page even if we ask for 10 records. Can we use an ldap_control?
 Log::debug("LDAP search executed successfully.");
 if (! $search_results) {
 return redirect()->route('users.index')->with('error', trans('admin/users/message.error.ldap_could_not_search').ldap_error($ldapconn)); // TODO this is never called in any routed context - only from the Artisan command. So this redirect will never work.
@@ -340,7 +341,7 @@ class Ldap extends Model
 $cookie = '';
 }
 // Empty cookie means last page
-
+
 // Get results from page
 $results = ldap_get_entries($ldapconn, $search_results);
 if (! $results) {