idp: Utilize ownCloudUserEnabled Attribute to filter users

This adds support for configuring an LDAP Attribute that can be used as a flag
to disallow users to login. We currently default to 'ownCloudUserEnabled' as
used in the default configuration of the graph service.

changelog/unreleased/enhancement-user-disable.md

@@ -0,0 +1,7 @@
+Enhancement: allow users to be disabled
+
+By setting the `accountEnabled` property to `false` for a user via the graph API. Users
+can be disabled (i.e. they can no longer login)
+
+https://github.com/owncloud/ocis/pull/5588
+https://github.com/owncloud/ocis/pull/5620

services/idp/pkg/config/config.go

@@ -47,8 +47,9 @@ type Ldap struct {
 	UUIDAttribute     string `yaml:"uuid_attribute" env:"LDAP_USER_SCHEMA_ID;IDP_LDAP_UUID_ATTRIBUTE" desc:"LDAP User uuid attribute like 'uid'."`
 	UUIDAttributeType string `yaml:"uuid_attribute_type" env:"IDP_LDAP_UUID_ATTRIBUTE_TYPE" desc:"LDAP User uuid attribute type like 'text'."`
 
-	Filter      string `yaml:"filter" env:"LDAP_USER_FILTER;IDP_LDAP_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'."`
-	ObjectClass string `yaml:"objectclass" env:"LDAP_USER_OBJECTCLASS;IDP_LDAP_OBJECTCLASS" desc:"LDAP User ObjectClass like 'inetOrgPerson'."`
+	UserEnabledAttribute string `yaml:"user_enabled_attribute" env:"LDAP_USER_ENABLED_ATTRIBUTE;IDP_USER_ENABLED_ATTRIBUTE" desc:"LDAP Attribute to use as a flag telling if the user is enabled or disabled."`
+	Filter               string `yaml:"filter" env:"LDAP_USER_FILTER;IDP_LDAP_FILTER" desc:"LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'."`
+	ObjectClass          string `yaml:"objectclass" env:"LDAP_USER_OBJECTCLASS;IDP_LDAP_OBJECTCLASS" desc:"LDAP User ObjectClass like 'inetOrgPerson'."`
 }
 
 // Asset defines the available asset configuration.

services/idp/pkg/config/defaults/defaultconfig.go

@@ -111,18 +111,19 @@ func DefaultConfig() *config.Config {
 			},
 		},
 		Ldap: config.Ldap{
-			URI:               "ldaps://localhost:9235",
-			TLSCACert:         filepath.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
-			BindDN:            "uid=idp,ou=sysusers,o=libregraph-idm",
-			BaseDN:            "ou=users,o=libregraph-idm",
-			Scope:             "sub",
-			LoginAttribute:    "uid",
-			EmailAttribute:    "mail",
-			NameAttribute:     "displayName",
-			UUIDAttribute:     "uid",
-			UUIDAttributeType: "text",
-			Filter:            "",
-			ObjectClass:       "inetOrgPerson",
+			URI:                  "ldaps://localhost:9235",
+			TLSCACert:            filepath.Join(defaults.BaseDataPath(), "idm", "ldap.crt"),
+			BindDN:               "uid=idp,ou=sysusers,o=libregraph-idm",
+			BaseDN:               "ou=users,o=libregraph-idm",
+			Scope:                "sub",
+			LoginAttribute:       "uid",
+			EmailAttribute:       "mail",
+			NameAttribute:        "displayName",
+			UUIDAttribute:        "uid",
+			UUIDAttributeType:    "text",
+			Filter:               "",
+			ObjectClass:          "inetOrgPerson",
+			UserEnabledAttribute: "ownCloudUserEnabled",
 		},
 	}
 }

services/idp/pkg/service/v0/service.go

@@ -171,9 +171,24 @@ func initCS3EnvVars(cs3Addr, machineAuthAPIKey string) error {
 // Init ldap backend vars which are currently not accessible via idp api
 func initLicoInternalLDAPEnvVars(ldap *config.Ldap) error {
 	filter := fmt.Sprintf("(objectclass=%s)", ldap.ObjectClass)
+
+	var needsAnd bool
 	if ldap.Filter != "" {
-		filter = fmt.Sprintf("(&%s%s)", ldap.Filter, filter)
+		filter += ldap.Filter
+		needsAnd = true
 	}
+
+	if ldap.UserEnabledAttribute != "" {
+		// Using a (!(enabled=FALSE)) filter here to allow user without
+		// any value for the enable flag to login
+		filter += fmt.Sprintf("(!(%s=FALSE))", ldap.UserEnabledAttribute)
+		needsAnd = true
+	}
+
+	if needsAnd {
+		filter = fmt.Sprintf("(&%s)", filter)
+	}
+
 	var defaults = map[string]string{
 		"LDAP_URI":                 ldap.URI,
 		"LDAP_BINDDN":              ldap.BindDN,