From b626b7895a70910e46ad13516ce5ae6e3bbd191c Mon Sep 17 00:00:00 2001
From: Brady Wetherington <uberbrady@gmail.com>
Date: Thu, 15 Oct 2020 19:06:02 -0700
Subject: [PATCH] Ensure misdefined active flags will not prevent user syncing

---
 app/Services/LdapAd.php | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/app/Services/LdapAd.php b/app/Services/LdapAd.php
index 2d8ec91072..c6bff240e2 100644
--- a/app/Services/LdapAd.php
+++ b/app/Services/LdapAd.php
@@ -237,8 +237,17 @@ class LdapAd extends LdapAdConfiguration
      */
     private function isLdapSync(AdldapUser $user): bool
     {
-        return (false == $this->ldapSettings['ldap_active_flag'])
-            || ('true' == strtolower($user->{$this->ldapSettings['ldap_active_flag']}[0]));
+        if ( !$this->ldapSettings['ldap_active_flag']) {
+            return true; // always sync if you didn't define an 'active' flag
+        }
+       
+        if ( $user->{$this->ldapSettings['ldap_active_flag']} &&                           // if your LDAP user has the aforementioned flag as an attribute *AND* 
+             count($user->{$this->ldapSettings['ldap_active_flag']}) == 1 &&               // if that attribute has exactly one value *AND* 
+             strtolower($user->{$this->ldapSettings['ldap_active_flag']}[0]) == 'false') { // that value is the string 'false' (regardless of case), 
+            return false;                                                                  // then your user is *INACTIVE* - return false
+        }
+        // otherwise, return true
+        return true;
     }
 
     /**