From 1eda806c1771dce873d9d0f6a407bf8dfe3a27f2 Mon Sep 17 00:00:00 2001
From: bpatath <github@bp.patathouse.fr>
Date: Thu, 21 May 2020 17:01:54 +0200
Subject: [PATCH 1/2] Fix outdated AdLdap2 configuration files

---
 app/Http/Controllers/Auth/LoginController.php |  8 +---
 config/ldap.php                               | 46 +++++++++----------
 config/ldap_auth.php                          | 14 +++---
 3 files changed, 31 insertions(+), 37 deletions(-)

diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index 1b6ee69d60..74ab8a9b63 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -82,14 +82,8 @@ class LoginController extends Controller
         Log::channel('audit')->info(sprintf('User is trying to login using "%s"', $request->get('email')));
         Log::info(sprintf('User is trying to login.'));
         if ('ldap' === config('auth.providers.users.driver')) {
-            /**
-             * Temporary bug fix for something that doesn't seem to work in
-             * AdLdap.
-             */
-            $schema = config('ldap.connections.default.schema');
-
             /** @var Adldap\Connections\Provider $provider */
-            Adldap::getProvider('default')->setSchema(new $schema);
+            Adldap::getProvider('default');
         }
 
         $this->validateLogin($request);
diff --git a/config/ldap.php b/config/ldap.php
index 5ac78296da..13e18bd41b 100644
--- a/config/ldap.php
+++ b/config/ldap.php
@@ -87,29 +87,6 @@ return [
 
             'connection' => Adldap\Connections\Ldap::class,
 
-            /*
-            |--------------------------------------------------------------------------
-            | Schema
-            |--------------------------------------------------------------------------
-            |
-            | The schema class to use for retrieving attributes and generating models.
-            |
-            | You can also set this option to `null` to use the default schema class.
-            |
-            | For OpenLDAP, you must use the schema:
-            |
-            |   Adldap\Schemas\OpenLDAP::class
-            |
-            | For FreeIPA, you must use the schema:
-            |
-            |   Adldap\Schemas\FreeIPA::class
-            |
-            | Custom schema classes must implement Adldap\Schemas\SchemaInterface
-            |
-            */
-
-            'schema' => $schema,
-
             /*
             |--------------------------------------------------------------------------
             | Connection Settings
@@ -123,6 +100,29 @@ return [
 
             'settings' => [
 
+                /*
+                |--------------------------------------------------------------------------
+                | Schema
+                |--------------------------------------------------------------------------
+                |
+                | The schema class to use for retrieving attributes and generating models.
+                |
+                | You can also set this option to `null` to use the default schema class.
+                |
+                | For OpenLDAP, you must use the schema:
+                |
+                |   Adldap\Schemas\OpenLDAP::class
+                |
+                | For FreeIPA, you must use the schema:
+                |
+                |   Adldap\Schemas\FreeIPA::class
+                |
+                | Custom schema classes must implement Adldap\Schemas\SchemaInterface
+                |
+                */
+
+                'schema' => $schema,
+
                 /*
                 |--------------------------------------------------------------------------
                 | Account Prefix
diff --git a/config/ldap_auth.php b/config/ldap_auth.php
index 4e730062af..a05358b957 100644
--- a/config/ldap_auth.php
+++ b/config/ldap_auth.php
@@ -217,10 +217,10 @@ return [
         | Windows Authentication Middleware (SSO)
         |--------------------------------------------------------------------------
         |
-        | Discover:
+        | Locate Users By:
         |
-        |   The 'discover' value is the users attribute you would
-        |   like to locate LDAP users by in your directory.
+        |   This value is the users attribute you would like to locate LDAP
+        |   users by in your directory.
         |
         |   For example, if 'samaccountname' is the value, then your LDAP server is
         |   queried for a user with the 'samaccountname' equal to the value of
@@ -229,9 +229,9 @@ return [
         |   If a user is found, they are imported (if using the DatabaseUserProvider)
         |   into your local database, then logged in.
         |
-        | Key:
+        | Server Key:
         |
-        |    The 'key' value represents the 'key' of the $_SERVER
+        |    This value represents the 'key' of the $_SERVER
         |    array to pull the users account name from.
         |
         |    For example, $_SERVER['AUTH_USER'].
@@ -239,8 +239,8 @@ return [
         */
 
         'windows' => [
-            'discover' => envNonEmpty('WINDOWS_SSO_DISCOVER', 'samaccountname'),
-            'key'      => envNonEmpty('WINDOWS_SSO_KEY', 'AUTH_USER'),
+            'locate_users_by' => envNonEmpty('WINDOWS_SSO_DISCOVER', 'samaccountname'),
+            'server_key'      => envNonEmpty('WINDOWS_SSO_KEY', 'AUTH_USER'),
         ],
     ],
 

From 7b1380366badaa4eacc70e66b8077d27739ceca1 Mon Sep 17 00:00:00 2001
From: bpatath <github@bp.patathouse.fr>
Date: Thu, 21 May 2020 20:20:46 +0200
Subject: [PATCH 2/2] Register SSO middleware if enabled in configuration

---
 .env.example                         | 1 +
 app/Providers/AppServiceProvider.php | 4 ++++
 config/ldap_auth.php                 | 7 +++++++
 3 files changed, 12 insertions(+)

diff --git a/.env.example b/.env.example
index 6974348f2e..11ca442294 100644
--- a/.env.example
+++ b/.env.example
@@ -191,6 +191,7 @@ ADLDAP_AUTH_FIELD=distinguishedname
 
 # Will allow SSO if your server provides an AUTH_USER field.
 # You can set the following variables from a file by appending them with _FILE:
+WINDOWS_SSO_ENABLED=false
 WINDOWS_SSO_DISCOVER=samaccountname
 WINDOWS_SSO_KEY=AUTH_USER
 
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index f16be906f9..3a66b72d3c 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -26,6 +26,7 @@ use Illuminate\Support\Facades\Schema;
 use Illuminate\Support\ServiceProvider;
 use Laravel\Passport\Passport;
 use URL;
+use Adldap\Laravel\Middleware\WindowsAuthenticate;
 
 /**
  * @codeCoverageIgnore
@@ -44,6 +45,9 @@ class AppServiceProvider extends ServiceProvider
         if ('heroku' === config('app.env')) {
             URL::forceScheme('https');
         }
+        if (config('ldap_auth.identifiers.windows.enabled', false)) {
+            $this->app['router']->pushMiddlewareToGroup('web', WindowsAuthenticate::class);
+        }
     }
 
     /**
diff --git a/config/ldap_auth.php b/config/ldap_auth.php
index a05358b957..2f395c809b 100644
--- a/config/ldap_auth.php
+++ b/config/ldap_auth.php
@@ -217,6 +217,12 @@ return [
         | Windows Authentication Middleware (SSO)
         |--------------------------------------------------------------------------
         |
+        | Enabled:
+        |
+        |   The middleware will be registered only if enabled is set to true.
+        |   If you update this file, beware, this is not a standard
+        |   AdLdap2-Laravel configuration key.
+        |
         | Locate Users By:
         |
         |   This value is the users attribute you would like to locate LDAP
@@ -239,6 +245,7 @@ return [
         */
 
         'windows' => [
+            'enabled'         => envNonEmpty('WINDOWS_SSO_ENABLED', false),
             'locate_users_by' => envNonEmpty('WINDOWS_SSO_DISCOVER', 'samaccountname'),
             'server_key'      => envNonEmpty('WINDOWS_SSO_KEY', 'AUTH_USER'),
         ],