From 112112d258027f4d6aa766ebba5ca2dea5a2b2d8 Mon Sep 17 00:00:00 2001
From: James M
Date: Thu, 27 Feb 2025 10:50:58 -0700
Subject: [PATCH 1/2] Feat: #14926 LDAP Active Flag - Add config option to make False = Enable
---
app/Console/Commands/LdapSync.php | 10 +++++--
app/Http/Controllers/SettingsController.php | 1 +
...ap_invert_active_flag_to_setting_table.php | 28 +++++++++++++++++++
.../lang/en-US/admin/settings/general.php | 2 ++
resources/views/settings/ldap.blade.php | 26 +++++++++++++++++
5 files changed, 65 insertions(+), 2 deletions(-)
mode change 100755 => 100644 app/Http/Controllers/SettingsController.php
create mode 100644 database/migrations/2025_02_26_153413_add_ldap_invert_active_flag_to_setting_table.php
diff --git a/app/Console/Commands/LdapSync.php b/app/Console/Commands/LdapSync.php
index 619c6af793..7923eaa02a 100644
--- a/app/Console/Commands/LdapSync.php
+++ b/app/Console/Commands/LdapSync.php
@@ -361,9 +361,15 @@ class LdapSync extends Command
 // (Specifically, we don't handle a value of '0.0' correctly)
 $raw_value = @$results[$i][$ldap_map["active_flag"]][0];
 $filter_var = filter_var($raw_value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
+ $boolean_cast = (bool) $raw_value;
-
- $user->activated = $filter_var ?? $boolean_cast; // if filter_var() was true or false, use that. If it's null, use the $boolean_cast
+
+ if (Setting::getSettings()->ldap_invert_active_flag === 1) {
+ // Because ldap_active_flag is set, if filter_var is true or boolean_cast is true, then user is suspended
+ $user->activated = !($filter_var ?? $boolean_cast);
+ }else{
+ $user->activated = $filter_var ?? $boolean_cast; // if filter_var() was true or false, use that. If it's null, use the $boolean_cast
+ }
 } elseif (array_key_exists('useraccountcontrol', $results[$i])) { // ....otherwise, (ie if no 'active' LDAP flag is defined), IF the UAC setting exists,
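Review bot: `Setting::getSettings()->ldap_invert_active_flag === 1` in the added `if` only matches when the driver returns the new boolean column as the integer 1; the migration in this commit declares it `boolean(...)`, no `$casts` entry for the Setting model is part of the diffstat, and depending on database driver and PDO settings the value can come back as a PHP `true` or the string `'1'`, in which case the inversion silently never applies. A truthiness test avoids that and removes the duplicated assignment: `$active = $filter_var ?? $boolean_cast;` `$user->activated = Setting::getSettings()->ldap_invert_active_flag ? ! $active : $active;`. Inverting also fails open for entries that lack the attribute entirely: `$raw_value` is then null (the `@` suppresses the missing-index notice), `filter_var` yields null and `(bool) null` is false, so with the option on such a user is activated — the `ldap_invert_active_flag_help` text should state this, or the branch should treat a missing attribute explicitly rather than as "not disabled". The added comment names the wrong setting (`// Because ldap_active_flag is set` should read `ldap_invert_active_flag`) and `}else{` should be `} else {` per the file's brace style. The enclosing `if`/`elseif` chain and method continue outside the hunk.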
diff --git a/app/Http/Controllers/SettingsController.php b/app/Http/Controllers/SettingsController.php
old mode 100755
new mode 100644
index dcc0f9e093..807c514d0b
--- a/app/Http/Controllers/SettingsController.php
+++ b/app/Http/Controllers/SettingsController.php
@@ -851,6 +851,7 @@ class SettingsController extends Controller
 $setting->ldap_auth_filter_query = $request->input('ldap_auth_filter_query');
 $setting->ldap_version = $request->input('ldap_version', 3);
 $setting->ldap_active_flag = $request->input('ldap_active_flag');
+ $setting->ldap_invert_active_flag = $request->input('ldap_invert_active_flag');
 $setting->ldap_emp_num = $request->input('ldap_emp_num');
 $setting->ldap_email = $request->input('ldap_email');
 $setting->ldap_manager = $request->input('ldap_manager');
diff --git a/database/migrations/2025_02_26_153413_add_ldap_invert_active_flag_to_setting_table.php b/database/migrations/2025_02_26_153413_add_ldap_invert_active_flag_to_setting_table.php
new file mode 100644
index 0000000000..c435e014c4
--- /dev/null
+++ b/database/migrations/2025_02_26_153413_add_ldap_invert_active_flag_to_setting_table.php
@@ -0,0 +1,28 @@
+boolean('ldap_invert_active_flag')->default(false);
+ });
+ }
+
+ /**
+ * Reverse the migrations.
+ */
+ public function down(): void
+ {
+ Schema::table('settings', function (Blueprint $table) {
+ $table->dropColumn('ldap_invert_active_flag');
+ });
+ }
+ };
diff --git a/resources/lang/en-US/admin/settings/general.php b/resources/lang/en-US/admin/settings/general.php
index ad21bbb643..f02de36fc3 100644
--- a/resources/lang/en-US/admin/settings/general.php
+++ b/resources/lang/en-US/admin/settings/general.php
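Review bot: The added line stores `$request->input('ldap_invert_active_flag')` unchanged, which is null whenever the field is absent from the request — the normal case for an unchecked checkbox — while the migration in the same commit declares the column `boolean(...)->default(false)` without `nullable()`, so saving the settings form with the option off would hit a NOT NULL violation instead of clearing the flag (assuming the view renders a checkbox; its markup is not legible in this patch). `$setting->ldap_invert_active_flag = $request->boolean('ldap_invert_active_flag');` normalises both the absent case and the `'on'`/`'1'` forms to a real bool, which also matches the strict comparison the LdapSync hunk performs on the stored value. The enclosing controller method starts and ends outside the hunk.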
@@ -118,6 +118,8 @@ return [
 'ldap_version' => 'LDAP Version',
 'ldap_active_flag' => 'LDAP Active Flag',
 'ldap_activated_flag_help' => 'This value is used to determine whether a synced user can login to Snipe-IT. It does not affect the ability to check items in or out to them, and should be the attribute name within your AD/LDAP, not the value.

If this field is set to a field name that does not exist in your AD/LDAP, or the value in the AD/LDAP field is set to 0 or false, user login will be disabled. If the value in the AD/LDAP field is set to 1 or true or any other text means the user can log in. When the field is blank in your AD, we respect the userAccountControl attribute, which usually allows non-suspended users to log in.',
+ 'ldap_invert_active_flag' => 'LDAP Invert Active Flad',
+ 'ldap_invert_active_flag_help' => 'If enabled: when the value returned by LDAP Active Flag is 0 or false the user account will be active.',
 'ldap_emp_num' => 'LDAP Employee Number',
 'ldap_email' => 'LDAP Email',
 'ldap_test' => 'Test LDAP',
diff --git a/resources/views/settings/ldap.blade.php b/resources/views/settings/ldap.blade.php
index 24f4fd79ef..9d4a19b018 100644
--- a/resources/views/settings/ldap.blade.php
+++ b/resources/views/settings/ldap.blade.php
@@ -554,6 +554,32 @@ + +
+
+ {{ Form::label('ldap_invert_active_flag', trans('admin/settings/general.ldap_invert_active_flag')) }} +
+
+ + @error('ldap_invert_active_flag') + + + {{ $message }} + + @enderror + + @if (config('app.lock_passwords')===true) +

+ + {{ trans('general.feature_disabled') }} +

+ @endif +
+
+
From 149474bfe3144ba8f42ad05666d54658c69f78f3 Mon Sep 17 00:00:00 2001
From: James M <31522486+azmcnutt@users.noreply.github.com>
Date: Thu, 27 Feb 2025 12:42:47 -0700
Subject: [PATCH 2/2] Update general.php FIX: Spelling error
---
resources/lang/en-US/admin/settings/general.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/lang/en-US/admin/settings/general.php b/resources/lang/en-US/admin/settings/general.php
index f02de36fc3..c2dd9fdb26 100644
--- a/resources/lang/en-US/admin/settings/general.php
+++ b/resources/lang/en-US/admin/settings/general.php
@@ -118,7 +118,7 @@ return [
 'ldap_version' => 'LDAP Version',
 'ldap_active_flag' => 'LDAP Active Flag',
 'ldap_activated_flag_help' => 'This value is used to determine whether a synced user can login to Snipe-IT. It does not affect the ability to check items in or out to them, and should be the attribute name within your AD/LDAP, not the value.

If this field is set to a field name that does not exist in your AD/LDAP, or the value in the AD/LDAP field is set to 0 or false, user login will be disabled. If the value in the AD/LDAP field is set to 1 or true or any other text means the user can log in. When the field is blank in your AD, we respect the userAccountControl attribute, which usually allows non-suspended users to log in.',
- 'ldap_invert_active_flag' => 'LDAP Invert Active Flad',
+ 'ldap_invert_active_flag' => 'LDAP Invert Active Flag',
 'ldap_invert_active_flag_help' => 'If enabled: when the value returned by LDAP Active Flag is 0 or false the user account will be active.',
 'ldap_emp_num' => 'LDAP Employee Number',
 'ldap_email' => 'LDAP Email',