Add setting to force LDAP UUID case

* Fix #44486

Signed-off-by: Sven Seeberg <mail@sven-seeberg.de>

Author: svenseeberg

apps/user_ldap/js/wizard/wizardTabExpert.js

@@ -36,6 +36,10 @@ OCA = OCA || {};
 					$element: $('#ldap_expert_uuid_group_attr'),
 					setMethod: 'setGroupUUIDAttribute'
 				},
+				ldap_expert_force_uuid_case: {
+					$element: $('#ldap_expert_force_uuid_case'),
+					setMethod: 'setGroupUUIDAttribute'
+				},
 
 				//Buttons
 				ldap_action_clear_user_mappings: {

apps/user_ldap/lib/Access.php

@@ -1754,7 +1754,11 @@ public function getUUID(string $dn, bool $isUser = true, array $ldapRecord = nul
 				$uuid = $uuid[0];
 			}
 		}
-
+		if ( $this->connection->ldapExpertForceUUIDCase === "lowercase" ) {
+			$uuid = strtolower($uuid);
+		} elseif ( $this->connection->ldapExpertForceUUIDCase === "uppercase" ) {
+			$uuid = strtoupper($uuid);
+		}
 		return $uuid;
 	}
 

apps/user_ldap/lib/Configuration.php

@@ -115,6 +115,7 @@ class Configuration {
 		'hasMemberOfFilterSupport' => false,
 		'useMemberOfToDetectMembership' => true,
 		'ldapExpertUsernameAttr' => null,
+		'ldapExpertForceUUIDCase' => 'accept',
 		'ldapExpertUUIDUserAttr' => null,
 		'ldapExpertUUIDGroupAttr' => null,
 		'markRemnantsAsDisabled' => false,
@@ -470,6 +471,7 @@ public function getDefaults(): array {
 			'ldap_expert_username_attr' => '',
 			'ldap_expert_uuid_user_attr' => '',
 			'ldap_expert_uuid_group_attr' => '',
+			'ldap_expert_force_uuid_case' => 'accept',
 			'has_memberof_filter_support' => 0,
 			'use_memberof_to_detect_membership' => 1,
 			'ldap_mark_remnants_as_disabled' => 0,
@@ -546,6 +548,7 @@ public function getConfigTranslationArray(): array {
 			'ldap_attributes_for_group_search' => 'ldapAttributesForGroupSearch',
 			'ldap_expert_username_attr' => 'ldapExpertUsernameAttr',
 			'ldap_expert_uuid_user_attr' => 'ldapExpertUUIDUserAttr',
+			'ldap_expert_force_uuid_case' => 'ldapExpertForceUUIDCase',
 			'ldap_expert_uuid_group_attr' => 'ldapExpertUUIDGroupAttr',
 			'has_memberof_filter_support' => 'hasMemberOfFilterSupport',
 			'use_memberof_to_detect_membership' => 'useMemberOfToDetectMembership',

apps/user_ldap/lib/Connection.php

@@ -56,6 +56,7 @@
  * @property bool|mixed|void ldapGroupMemberAssocAttr
  * @property string ldapUuidUserAttribute
  * @property string ldapUuidGroupAttribute
+ * @property string ldapExpertForceUUIDCase
  * @property string ldapExpertUUIDUserAttr
  * @property string ldapExpertUUIDGroupAttr
  * @property string ldapQuotaAttribute

apps/user_ldap/lib/Controller/ConfigAPIController.php

@@ -210,6 +210,7 @@ public function modify($configID, $configData) {
 	 *     <ldapExpertUsernameAttr>uid</ldapExpertUsernameAttr>
 	 *     <ldapExpertUUIDUserAttr>uid</ldapExpertUUIDUserAttr>
 	 *     <ldapExpertUUIDGroupAttr></ldapExpertUUIDGroupAttr>
+	 *     <ldapExpertForceUUIDCase>accept</ldapExpertForceUUIDCase>
 	 *     <lastJpegPhotoLookup>0</lastJpegPhotoLookup>
 	 *     <ldapNestedGroups>0</ldapNestedGroups>
 	 *     <ldapPagingSize>500</ldapPagingSize>

apps/user_ldap/openapi.json

@@ -121,7 +121,7 @@
             "get": {
                 "operationId": "configapi-show",
                 "summary": "Get a configuration",
-                "description": "Output can look like this: <?xml version=\"1.0\"?> <ocs> <meta> <status>ok</status> <statuscode>200</statuscode> <message>OK</message> </meta> <data> <ldapHost>ldaps://my.ldap.server</ldapHost> <ldapPort>7770</ldapPort> <ldapBackupHost></ldapBackupHost> <ldapBackupPort></ldapBackupPort> <ldapBase>ou=small,dc=my,dc=ldap,dc=server</ldapBase> <ldapBaseUsers>ou=users,ou=small,dc=my,dc=ldap,dc=server</ldapBaseUsers> <ldapBaseGroups>ou=small,dc=my,dc=ldap,dc=server</ldapBaseGroups> <ldapAgentName>cn=root,dc=my,dc=ldap,dc=server</ldapAgentName> <ldapAgentPassword>clearTextWithShowPassword=1</ldapAgentPassword> <ldapTLS>1</ldapTLS> <turnOffCertCheck>0</turnOffCertCheck> <ldapIgnoreNamingRules/> <ldapUserDisplayName>displayname</ldapUserDisplayName> <ldapUserDisplayName2>uid</ldapUserDisplayName2> <ldapUserFilterObjectclass>inetOrgPerson</ldapUserFilterObjectclass> <ldapUserFilterGroups></ldapUserFilterGroups> <ldapUserFilter>(&amp;(objectclass=nextcloudUser)(nextcloudEnabled=TRUE))</ldapUserFilter> <ldapUserFilterMode>1</ldapUserFilterMode> <ldapGroupFilter>(&amp;(|(objectclass=nextcloudGroup)))</ldapGroupFilter> <ldapGroupFilterMode>0</ldapGroupFilterMode> <ldapGroupFilterObjectclass>nextcloudGroup</ldapGroupFilterObjectclass> <ldapGroupFilterGroups></ldapGroupFilterGroups> <ldapGroupDisplayName>cn</ldapGroupDisplayName> <ldapGroupMemberAssocAttr>memberUid</ldapGroupMemberAssocAttr> <ldapLoginFilter>(&amp;(|(objectclass=inetOrgPerson))(uid=%uid))</ldapLoginFilter> <ldapLoginFilterMode>0</ldapLoginFilterMode> <ldapLoginFilterEmail>0</ldapLoginFilterEmail> <ldapLoginFilterUsername>1</ldapLoginFilterUsername> <ldapLoginFilterAttributes></ldapLoginFilterAttributes> <ldapQuotaAttribute></ldapQuotaAttribute> <ldapQuotaDefault></ldapQuotaDefault> <ldapEmailAttribute>mail</ldapEmailAttribute> <ldapCacheTTL>20</ldapCacheTTL> <ldapUuidUserAttribute>auto</ldapUuidUserAttribute> <ldapUuidGroupAttribute>auto</ldapUuidGroupAttribute> <ldapOverrideMainServer></ldapOverrideMainServer> <ldapConfigurationActive>1</ldapConfigurationActive> <ldapAttributesForUserSearch>uid;sn;givenname</ldapAttributesForUserSearch> <ldapAttributesForGroupSearch></ldapAttributesForGroupSearch> <ldapExperiencedAdmin>0</ldapExperiencedAdmin> <homeFolderNamingRule></homeFolderNamingRule> <hasMemberOfFilterSupport></hasMemberOfFilterSupport> <useMemberOfToDetectMembership>1</useMemberOfToDetectMembership> <ldapExpertUsernameAttr>uid</ldapExpertUsernameAttr> <ldapExpertUUIDUserAttr>uid</ldapExpertUUIDUserAttr> <ldapExpertUUIDGroupAttr></ldapExpertUUIDGroupAttr> <lastJpegPhotoLookup>0</lastJpegPhotoLookup> <ldapNestedGroups>0</ldapNestedGroups> <ldapPagingSize>500</ldapPagingSize> <turnOnPasswordChange>1</turnOnPasswordChange> <ldapDynamicGroupMemberURL></ldapDynamicGroupMemberURL> </data> </ocs>\nThis endpoint requires admin access",
+                "description": "Output can look like this: <?xml version=\"1.0\"?> <ocs> <meta> <status>ok</status> <statuscode>200</statuscode> <message>OK</message> </meta> <data> <ldapHost>ldaps://my.ldap.server</ldapHost> <ldapPort>7770</ldapPort> <ldapBackupHost></ldapBackupHost> <ldapBackupPort></ldapBackupPort> <ldapBase>ou=small,dc=my,dc=ldap,dc=server</ldapBase> <ldapBaseUsers>ou=users,ou=small,dc=my,dc=ldap,dc=server</ldapBaseUsers> <ldapBaseGroups>ou=small,dc=my,dc=ldap,dc=server</ldapBaseGroups> <ldapAgentName>cn=root,dc=my,dc=ldap,dc=server</ldapAgentName> <ldapAgentPassword>clearTextWithShowPassword=1</ldapAgentPassword> <ldapTLS>1</ldapTLS> <turnOffCertCheck>0</turnOffCertCheck> <ldapIgnoreNamingRules/> <ldapUserDisplayName>displayname</ldapUserDisplayName> <ldapUserDisplayName2>uid</ldapUserDisplayName2> <ldapUserFilterObjectclass>inetOrgPerson</ldapUserFilterObjectclass> <ldapUserFilterGroups></ldapUserFilterGroups> <ldapUserFilter>(&amp;(objectclass=nextcloudUser)(nextcloudEnabled=TRUE))</ldapUserFilter> <ldapUserFilterMode>1</ldapUserFilterMode> <ldapGroupFilter>(&amp;(|(objectclass=nextcloudGroup)))</ldapGroupFilter> <ldapGroupFilterMode>0</ldapGroupFilterMode> <ldapGroupFilterObjectclass>nextcloudGroup</ldapGroupFilterObjectclass> <ldapGroupFilterGroups></ldapGroupFilterGroups> <ldapGroupDisplayName>cn</ldapGroupDisplayName> <ldapGroupMemberAssocAttr>memberUid</ldapGroupMemberAssocAttr> <ldapLoginFilter>(&amp;(|(objectclass=inetOrgPerson))(uid=%uid))</ldapLoginFilter> <ldapLoginFilterMode>0</ldapLoginFilterMode> <ldapLoginFilterEmail>0</ldapLoginFilterEmail> <ldapLoginFilterUsername>1</ldapLoginFilterUsername> <ldapLoginFilterAttributes></ldapLoginFilterAttributes> <ldapQuotaAttribute></ldapQuotaAttribute> <ldapQuotaDefault></ldapQuotaDefault> <ldapEmailAttribute>mail</ldapEmailAttribute> <ldapCacheTTL>20</ldapCacheTTL> <ldapUuidUserAttribute>auto</ldapUuidUserAttribute> <ldapUuidGroupAttribute>auto</ldapUuidGroupAttribute> <ldapOverrideMainServer></ldapOverrideMainServer> <ldapConfigurationActive>1</ldapConfigurationActive> <ldapAttributesForUserSearch>uid;sn;givenname</ldapAttributesForUserSearch> <ldapAttributesForGroupSearch></ldapAttributesForGroupSearch> <ldapExperiencedAdmin>0</ldapExperiencedAdmin> <homeFolderNamingRule></homeFolderNamingRule> <hasMemberOfFilterSupport></hasMemberOfFilterSupport> <useMemberOfToDetectMembership>1</useMemberOfToDetectMembership> <ldapExpertUsernameAttr>uid</ldapExpertUsernameAttr> <ldapExpertForceUUIDCase>accept</ldapExpertForceUUIDCase>  <ldapExpertUUIDUserAttr>uid</ldapExpertUUIDUserAttr> <ldapExpertUUIDGroupAttr></ldapExpertUUIDGroupAttr> <lastJpegPhotoLookup>0</lastJpegPhotoLookup> <ldapNestedGroups>0</ldapNestedGroups> <ldapPagingSize>500</ldapPagingSize> <turnOnPasswordChange>1</turnOnPasswordChange> <ldapDynamicGroupMemberURL></ldapDynamicGroupMemberURL> </data> </ocs>\nThis endpoint requires admin access",
                 "tags": [
                     "configapi"
                 ],
@@ -389,4 +389,4 @@
         }
     },
     "tags": []
-}
+}

apps/user_ldap/templates/settings.php

@@ -140,6 +140,13 @@
 		<p><strong><?php p($l->t('Internal Username'));?></strong></p>
 		<p class="ldapIndent"><?php p($l->t('By default the internal username will be created from the UUID attribute. It makes sure that the username is unique and characters do not need to be converted. The internal username has the restriction that only these characters are allowed: [a-zA-Z0-9_.@-]. Other characters are replaced with their ASCII correspondence or simply omitted. On collisions a number will be added/increased. The internal username is used to identify a user internally. It is also the default name for the user home folder. It is also a part of remote URLs, for instance for all DAV services. With this setting, the default behavior can be overridden. Changes will have effect only on newly mapped (added) LDAP users. Leave it empty for default behavior.'));?></p>
 		<p class="ldapIndent"><label for="ldap_expert_username_attr"><?php p($l->t('Internal Username Attribute:'));?></label><input type="text" id="ldap_expert_username_attr" name="ldap_expert_username_attr" data-default="<?php p($_['ldap_expert_username_attr_default']); ?>" /></p>
+		<p class="ldapIndent"><label for="ldap_expert_force_uuid_case"><?php p($l->t('Force Case for UUIDs:'));?></label><select id="ldap_expert_force_uuid_case" name="ldap_expert_force_uuid_case" data-default="<?php p($_['ldap_expert_force_uuid_case_default']); ?>" ><option value="accept"<?php if (isset($_['ldap_expert_force_uuid_case']) && ($_['ldap_expert_force_uuid_case'] === 'accept')) {
+					p(' selected');
+				} ?>><?php p($l->t('Accept case from LDAP'));?></option><option value="lowercase"<?php if (isset($_['ldap_expert_force_uuid_case']) && ($_['ldap_expert_force_uuid_case'] === 'lowercase')) {
+					p(' selected');
+				} ?>><?php p($l->t('Convert UUID to Lower Case Username'));?></option><option value="uppercase"<?php if (isset($_['ldap_expert_force_uuid_case']) && ($_['ldap_expert_force_uuid_case'] === 'uppercase')) {
+					p(' selected');
+				} ?>><?php p($l->t('Convert UUID to Upper Case Username'));?></option></select>
 		<p><strong><?php p($l->t('Override UUID detection'));?></strong></p>
 		<p class="ldapIndent"><?php p($l->t('By default, the UUID attribute is automatically detected. The UUID attribute is used to doubtlessly identify LDAP users and groups. Also, the internal username will be created based on the UUID, if not specified otherwise above. You can override the setting and pass an attribute of your choice. You must make sure that the attribute of your choice can be fetched for both users and groups and it is unique. Leave it empty for default behavior. Changes will have effect only on newly mapped (added) LDAP users and groups.'));?></p>
 		<p class="ldapIndent"><label for="ldap_expert_uuid_user_attr"><?php p($l->t('UUID Attribute for Users:'));?></label><input type="text" id="ldap_expert_uuid_user_attr" name="ldap_expert_uuid_user_attr" data-default="<?php p($_['ldap_expert_uuid_user_attr_default']); ?>" /></p>