Rearrange AD auth settings

so it makes more sense, add missing settings

lang/en/settings.php

@@ -283,6 +283,14 @@
             'description' => 'Check certificate',
             'help' => 'Check certificates for validity. Some servers use self signed certificates, disabling this allows those.',
         ],
+        'auth_ad_debug' => [
+            'description' => 'Debug',
+            'help' => 'Show detailed error messages, do not leave this enabled as it can leak data.',
+        ],
+        'auth_ad_domain' => [
+            'description' => 'Active Directory Domain',
+            'help' => 'Active Directory Domain Example: example.com',
+        ],
         'auth_ad_group_filter' => [
             'description' => 'Group LDAP filter',
             'help' => 'Active Directory LDAP filter for selecting groups',
@@ -291,6 +299,10 @@
             'description' => 'Group access',
             'help' => 'Define groups that have access and level',
         ],
+        'auth_ad_require_groupmembership' => [
+            'description' => 'Require group membership',
+            'help' => 'Only allow users to log in if they are part of a defined group',
+        ],
         'auth_ad_user_filter' => [
             'description' => 'User LDAP filter',
             'help' => 'Active Directory LDAP filter for selecting users',
@@ -299,10 +311,6 @@
             'description' => 'Active Directory Server(s)',
             'help' => 'Set server(s), space separated. Prefix with ldaps:// for ssl. Example: ldaps://dc1.example.com ldaps://dc2.example.com',
         ],
-        'auth_ad_domain' => [
-            'description' => 'Active Directory Domain',
-            'help' => 'Active Directory Domain Example: example.com',
-        ],
         'auth_ldap_attr' => [
             'uid' => [
                 'description' => 'Attribute to check username against',

misc/config_definitions.json

@@ -6,7 +6,7 @@
             "units": "days",
             "group": "auth",
             "section": "ad",
-            "order": 2,
+            "order": 20,
             "type": "integer"
         },
         "addhost_alwayscheckip": {
@@ -377,12 +377,6 @@
             },
             "type": "array"
         },
-        "auth_ad_base_dn": {
-            "group": "auth",
-            "section": "ad",
-            "order": 1,
-            "type": "text"
-        },
         "auth.socialite.redirect": {
             "group": "auth",
             "section": "socialite",
@@ -397,7 +391,6 @@
             "type": "boolean",
             "default": false
         },
-
         "auth.socialite.configs": {
             "group": "auth",
             "section": "socialite",
@@ -406,34 +399,51 @@
             "validate": {
                 "value": "array",
                 "value.*": "array",
-                "value.*.listener": ["not_regex:/[:|@]/"],
-                "value.*.listener": ["regex:/^\\\\SocialiteProviders\\\\[^\\\\]+\\\\[^\\\\]+ExtendSocialite$/"],
+                "value.*.listener": ["not_regex:/[:|@]/", "regex:/^\\\\SocialiteProviders\\\\[^\\\\]+\\\\[^\\\\]+ExtendSocialite$/"],
                 "value.*.redirect": "url",
                 "value.saml.metadata": "url_or_xml",
                 "value.saml.acs": "url",
                 "value.saml.entityid": "url"
             }
         },
-
+        "auth_ad_base_dn": {
+            "group": "auth",
+            "section": "ad",
+            "order": 3,
+            "type": "text"
+        },
         "auth_ad_check_certificates": {
             "default": false,
             "group": "auth",
             "section": "ad",
-            "order": 1,
+            "order": 5,
             "type": "boolean"
         },
+        "auth_ad_debug": {
+            "default": false,
+            "group": "auth",
+            "section": "ad",
+            "order": 20,
+            "type": "boolean"
+        },
+        "auth_ad_domain": {
+            "group": "auth",
+            "section": "ad",
+            "order": 2,
+            "type": "text"
+        },
         "auth_ad_group_filter": {
             "default": "(objectclass=group)",
             "group": "auth",
             "section": "ad",
-            "order": 1,
+            "order": 7,
             "type": "text"
         },
         "auth_ad_groups": {
             "default": {},
             "group": "auth",
             "section": "ad",
-            "order": 4,
+            "order": 8,
             "type": "group-role-map",
             "options": {
                 "groupPlaceholder": "Group Name"
@@ -449,19 +459,19 @@
             "default": "(objectclass=user)",
             "group": "auth",
             "section": "ad",
-            "order": 0,
+            "order": 6,
             "type": "text"
         },
         "auth_ad_binddn": {
             "group": "auth",
             "section": "ad",
-            "order": 9,
+            "order": 11,
             "type": "text"
         },
         "auth_ad_bindpassword": {
             "group": "auth",
             "section": "ad",
-            "order": 8,
+            "order": 12,
             "type": "password"
         },
         "auth_ad_binduser": {
@@ -473,20 +483,24 @@
         "auth_ad_url": {
             "group": "auth",
             "section": "ad",
-            "order": 11,
-            "type": "text"
+            "order": 1,
+            "type": "text",
+            "validate": {
+                "value": "regex:#(ldaps?://[\\w.]+\\s+)+#"
+            }
         },
-        "auth_ad_domain": {
+        "auth_ad_require_groupmembership": {
+            "default": false,
             "group": "auth",
             "section": "ad",
-            "order": 12,
-            "type": "text"
+            "order": 8,
+            "type": "boolean"
         },
         "auth_ad_starttls": {
             "default": "disabled",
             "group": "auth",
             "section": "ad",
-            "order": 13,
+            "order": 4,
             "type": "select",
             "options": {
                 "disabled": "Disabled",