Merge pull request #511 from dbarzin/dev

update login

Author: dbarzin

.env.example

@@ -70,7 +70,7 @@ LDAP_TLS=false
 # Candidate attributes to identify the username entered in the form
 # Order matters: the first match wins.
 # OpenLDAP: uid, cn, mail ; AD: sAMAccountName, userPrincipalName, mail
-LDAP_LOGIN_ATTRIBUTE="uid,cn,mail,sAMAccountName,userPrincipalName"
+LDAP_LOGIN_ATTRIBUTES="uid,cn,mail,sAMAccountName,userPrincipalName"
 
 ##################################################
 # Socialite

app/Http/Controllers/Auth/LoginController.php

@@ -63,12 +63,19 @@ public function username()
      */
     protected function ldapBindAndGetUser(string $appUsername, string $password): ?LdapEntry
     {
-        // Recherche agnostique du schéma : AD ou OpenLDAP
-        // On construit une requête OR sur une liste d'attributs configurables
-        $attrs = array_filter(array_map('trim', explode(',', config('ldap_login_attributes'))));
 
         try {
             $query = LdapEntry::query();
+
+            // Optionnel : restreindre à une OU si configuré
+            $base = config('app.ldap_users_base_dn', env('LDAP_USERS_BASE_DN'));
+            if ($base) {
+                $query->in($base);
+            }
+
+            // Filtre de localisation : OR sur les attributs pertinents
+            $attrs = array_filter(array_map('trim', explode(',', config('app.ldap_login_attributes'))));
+
             $first = true;
             foreach ($attrs as $attr) {
                 if ($first) {
@@ -79,9 +86,12 @@ protected function ldapBindAndGetUser(string $appUsername, string $password): ?L
                 }
             }
 
+            \Log::debug("LDAP dn: " . $query->getDn() . " query: " . $query->getQuery());
+
             /** @var LdapEntry|null $ldapUser */
             $ldapUser = $query->first();
             if (! $ldapUser) {
+                \Log::debug("LDAP user not found !");
                 return null;
             }
 
@@ -140,8 +150,9 @@ protected function attemptLogin(Request $request)
                     // Minimal safe provisioning – adapt attributes to your schema
                     $local = User::create([
                         'name' => $ldapUser->getFirstAttribute('cn') ?: $identifier,
-                        'email' => $ldapUser->getFirstAttribute('mail') ?: null,
+                        'email' => $ldapUser->getFirstAttribute('mail') ?: 'user@localhost.local',
                         'login' => $identifier,
+                        'role' => 5, // Auditee
                         // Store a random password so DB auth is not accidentally usable unless you set one explicitly
                         'password' => bcrypt(str()->random(32)),
                     ]);

app/Http/Controllers/UserController.php

@@ -58,9 +58,9 @@ public function store(Request $request)
         $this->validate($request, [
             'login' => 'required|unique:users|min:1|max:30',
             'name' => 'required|min:1|max:90',
-            'title' => 'required|min:1|max:30',
+            'title' => 'nullable|min:1|max:30',
             'email' => 'required|unique:users|email:rfc',
-            'role' => 'required',
+            'role' => 'required|min:1|max:5',
         ]);
 
         // Custom password validation if LDAP is not enabled
@@ -138,9 +138,9 @@ public function update(Request $request, User $user)
         $this->validate($request, [
             'login' => 'required|min:1|max:30|unique:users,login,'.$user->id,
             'name' => 'required|min:1|max:90',
-            'title' => 'required|min:1|max:30',
+            'title' => 'nullable|min:1|max:30',
             'email' => 'required|email:rfc|unique:users,email,'.$user->id,
-            'role' => 'required',
+            'role' => 'min:1|max:5',
         ]);
 
         // Custom password validation if LDAP is not enabled