From b2671f2cebd1db6f2e18f7557a8806c1072dc3ff Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Fri, 29 Sep 2023 12:32:17 -0500
Subject: [PATCH] Rearrange AD auth settings so it makes more sense, add missing settings
---
 lang/en/settings.php | 16 +++++++---
 misc/config_definitions.json | 60 ++++++++++++++++++++++--------------
 2 files changed, 49 insertions(+), 27 deletions(-)
diff --git a/lang/en/settings.php b/lang/en/settings.php
index 2f54f4b65c51..613afee3e4f7 100644
--- a/lang/en/settings.php
+++ b/lang/en/settings.php
@@ -283,6 +283,14 @@
 'description' => 'Check certificate',
 'help' => 'Check certificates for validity. Some servers use self signed certificates, disabling this allows those.',
 ],
+ 'auth_ad_debug' => [
+ 'description' => 'Debug',
+ 'help' => 'Show detailed error messages, do not leave this enabled as it can leak data.',
+ ],
+ 'auth_ad_domain' => [
+ 'description' => 'Active Directory Domain',
+ 'help' => 'Active Directory Domain Example: example.com',
+ ],
 'auth_ad_group_filter' => [
 'description' => 'Group LDAP filter',
 'help' => 'Active Directory LDAP filter for selecting groups',
@@ -291,6 +299,10 @@
 'description' => 'Group access',
 'help' => 'Define groups that have access and level',
 ],
+ 'auth_ad_require_groupmembership' => [
+ 'description' => 'Require group membership',
+ 'help' => 'Only allow users to log in if they are part of a defined group',
+ ],
 'auth_ad_user_filter' => [
 'description' => 'User LDAP filter',
 'help' => 'Active Directory LDAP filter for selecting users',
@@ -299,10 +311,6 @@
 'description' => 'Active Directory Server(s)',
 'help' => 'Set server(s), space separated. Prefix with ldaps:// for ssl. Example: ldaps://dc1.example.com ldaps://dc2.example.com',
 ],
- 'auth_ad_domain' => [
- 'description' => 'Active Directory Domain',
- 'help' => 'Active Directory Domain Example: example.com',
- ],
 'auth_ldap_attr' => [
 'uid' => [
 'description' => 'Attribute to check username against',
diff --git a/misc/config_definitions.json b/misc/config_definitions.json
index 407b90096d10..b14ea202beff 100644
--- a/misc/config_definitions.json
+++ b/misc/config_definitions.json
@@ -6,7 +6,7 @@
 "units": "days",
 "group": "auth",
 "section": "ad",
- "order": 2,
+ "order": 20,
 "type": "integer"
 },
 "addhost_alwayscheckip": {
@@ -377,12 +377,6 @@
 },
 "type": "array"
 },
- "auth_ad_base_dn": {
- "group": "auth",
- "section": "ad",
- "order": 1,
- "type": "text"
- },
 "auth.socialite.redirect": {
 "group": "auth",
 "section": "socialite",
@@ -397,7 +391,6 @@
 "type": "boolean",
 "default": false
 },
-
 "auth.socialite.configs": {
 "group": "auth",
 "section": "socialite",
@@ -406,34 +399,51 @@
 "validate": {
 "value": "array",
 "value.*": "array",
- "value.*.listener": ["not_regex:/[:|@]/"],
- "value.*.listener": ["regex:/^\\\\SocialiteProviders\\\\[^\\\\]+\\\\[^\\\\]+ExtendSocialite$/"],
+ "value.*.listener": ["not_regex:/[:|@]/", "regex:/^\\\\SocialiteProviders\\\\[^\\\\]+\\\\[^\\\\]+ExtendSocialite$/"],
 "value.*.redirect": "url",
 "value.saml.metadata": "url_or_xml",
 "value.saml.acs": "url",
 "value.saml.entityid": "url"
 }
 },
-
+ "auth_ad_base_dn": {
+ "group": "auth",
+ "section": "ad",
+ "order": 3,
+ "type": "text"
+ },
 "auth_ad_check_certificates": {
 "default": false,
 "group": "auth",
 "section": "ad",
- "order": 1,
+ "order": 5,
 "type": "boolean"
 },
+ "auth_ad_debug": {
+ "default": false,
+ "group": "auth",
+ "section": "ad",
+ "order": 20,
+ "type": "boolean"
+ },
+ "auth_ad_domain": {
+ "group": "auth",
+ "section": "ad",
+ "order": 2,
+ "type": "text"
+ },
 "auth_ad_group_filter": {
 "default": "(objectclass=group)",
 "group": "auth",
 "section": "ad",
- "order": 1,
+ "order": 7,
 "type": "text"
 },
 "auth_ad_groups": {
 "default": {},
 "group": "auth",
 "section": "ad",
- "order": 4,
+ "order": 8,
 "type": "group-role-map",
 "options": {
 "groupPlaceholder": "Group Name"
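Review bot: The new `"order"` values in section `ad` collide: `auth_ad_debug` gets `"order": 20` in this hunk, the same value the first hunk of this file now assigns to the `"units": "days"` setting whose name is outside the hunk, and `auth_ad_groups` gets `"order": 8` here while `auth_ad_require_groupmembership` also gets `"order": 8` in the `@@ -473,20 +483,24 @@` hunk. Two settings sharing an order leave their relative position up to whatever sorts the section, which is presumably the opposite of what a commit titled "rearrange so it makes more sense" wants; for the debug toggle in particular, whose help text warns it can leak data, a stable last position is worth pinning with a unique value, e.g. `"order": 21`, and `auth_ad_require_groupmembership` should take a value that is not already used by `auth_ad_groups` (e.g. `"order": 9`).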
@@ -449,19 +459,19 @@
 "default": "(objectclass=user)",
 "group": "auth",
 "section": "ad",
- "order": 0,
+ "order": 6,
 "type": "text"
 },
 "auth_ad_binddn": {
 "group": "auth",
 "section": "ad",
- "order": 9,
+ "order": 11,
 "type": "text"
 },
 "auth_ad_bindpassword": {
 "group": "auth",
 "section": "ad",
- "order": 8,
+ "order": 12,
 "type": "password"
 },
 "auth_ad_binduser": {
@@ -473,20 +483,24 @@
 "auth_ad_url": {
 "group": "auth",
 "section": "ad",
- "order": 11,
- "type": "text"
+ "order": 1,
+ "type": "text",
+ "validate": {
+ "value": "regex:#(ldaps?://[\\w.]+\\s+)+#"
+ }
 },
- "auth_ad_domain": {
+ "auth_ad_require_groupmembership": {
+ "default": false,
 "group": "auth",
 "section": "ad",
- "order": 12,
- "type": "text"
+ "order": 8,
+ "type": "boolean"
 },
 "auth_ad_starttls": {
 "default": "disabled",
 "group": "auth",
 "section": "ad",
- "order": 13,
+ "order": 4,
 "type": "select",
 "options": {
 "disabled": "Disabled",
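Review bot: The new `auth_ad_url` validation regex `#(ldaps?://[\w.]+\s+)+#` is unanchored and requires whitespace after every server, so it neither accepts the documented single-server form nor constrains the whole value: `ldaps://dc1.example.com` with no trailing space is rejected because `\s+` must match, while any string that merely contains `ldap://x ` somewhere passes and everything around it is left unchecked, which defeats the purpose of validating the server list a bind password will be sent to. `[\w.]` also rejects hostnames containing `-`, which are common. Assuming the `regex:` rule is applied to the raw string, anchoring and making the separator optional fixes both, e.g. `"value": "regex:#^(ldaps?://[\\w.-]+\\s*)+$#"`; if `host:port` is meant to be accepted, `:` would need to be allowed in the host class as well.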