From d992cfc2a2a10557681b513fcd772c1c4d80cb5b Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Tue, 10 Nov 2020 09:21:21 +0100
Subject: [PATCH] Auth: support case insensitive username matching on LDAP+TOTP. closes https://github.com/opnsense/core/issues/4451
---
 .../mvc/app/library/OPNsense/Auth/Base.php | 18 ++++++++++++++----
 .../mvc/app/library/OPNsense/Auth/LDAPTOTP.php | 10 ++++++++++
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
index 87b13dd19..d16b335ea 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/Base.php
@@ -38,6 +38,11 @@ use OPNsense\Core\Config;
 */
 abstract class Base
 {
+ /**
+ * @var bool match usernames case insensitive
+ */
+ protected $caseInSensitiveUsernames = false;
+
 /**
 * return group memberships
 * @param string $username username to find
@@ -111,10 +116,15 @@ abstract class Base
 $configObj = Config::getInstance()->object();
 $userObject = null;
 foreach ($configObj->system->children() as $key => $value) {
- if ($key == 'user' && !empty($value->name) && (string)$value->name == $username) {
- // user found, stop search
- $userObject = $value;
- break;
+ if ($key == 'user' && !empty($value->name)) {
+ // depending on caseInSensitiveUsernames setting match exact or case-insensitive
+ if ((string)$value->name == $username ||
+ ($this->caseInSensitiveUsernames && strtolower((string)$value->name) == strtolower($username))
+ ) {
+ // user found, stop search
+ $userObject = $value;
+ break;
+ }
 }
 }
 return $userObject;
diff --git a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAPTOTP.php b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAPTOTP.php
index a9dd1c89d..57a689388 100644
--- a/src/opnsense/mvc/app/library/OPNsense/Auth/LDAPTOTP.php
+++ b/src/opnsense/mvc/app/library/OPNsense/Auth/LDAPTOTP.php
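Review bot: The second hunk of Base.php returns the first config user that passes either test, so with caseInSensitiveUsernames enabled and two accounts that differ only in case (say a local record `admin` listed before `Admin`), a login as `Admin` resolves to `admin` although an exact match exists, and the local settings of the wrong account are applied. An exact match should always win, with the case-insensitive hit kept only as a fallback; for an authenticator it is also safer to treat two case-insensitive candidates as ambiguous and return null rather than pick one by config order. Both comparisons use `==`, which compares numeric-looking strings numerically (`'1e3' == '1000'` is true in PHP), so they should be `===`. Note that `strtolower()` folds ASCII only (and is locale-dependent before PHP 8.2), which is fine for ASCII usernames but worth a comment if non-ASCII names are expected. The enclosing method's signature and docblock lie outside the hunk.
```php
        foreach ($configObj->system->children() as $key => $value) {
            if ($key == 'user' && !empty($value->name)) {
                $name = (string)$value->name;
                if ($name === $username) {
                    // exact match always wins, stop search
                    $userObject = $value;
                    break;
                }
                if ($this->caseInSensitiveUsernames && $userObject === null && strtolower($name) === strtolower($username)) {
                    // first case-insensitive candidate; keep looking in case an exact match follows
                    $userObject = $value;
                }
            }
        }
        // … unchanged: return $userObject …
```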
@@ -63,6 +63,9 @@ class LDAPTOTP extends LDAP
 public function setProperties($config)
 {
 parent::setProperties($config);
+ if (!empty($config['caseInSensitiveUsernames'])) {
+ $this->caseInSensitiveUsernames = true;
+ }
 $this->setTOTPProperties($config);
 }
@@ -73,6 +76,13 @@ class LDAPTOTP extends LDAP
 public function getConfigurationOptions()
 {
 $options = $this->getTOTPConfigurationOptions();
+ $options["caseInSensitiveUsernames"] = array();
+ $options["caseInSensitiveUsernames"]["name"] = gettext("Match case insensitive");
+ $options["caseInSensitiveUsernames"]["help"] = gettext("Allow mixed case input when gathering local user settings.");
+ $options["caseInSensitiveUsernames"]["type"] = "checkbox";
+ $options["caseInSensitiveUsernames"]["validate"] = function ($value) {
+ return array();
+ };
 return $options;
 }
 }
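Review bot: The flag set in setProperties has its effect in the local user lookup in Base.php, which is not visible from this method, so the added `if` block deserves a why-comment for the next reader, e.g. `// let the local user lookup in Base match the LDAP username case-insensitively`. It would also help to state in that comment that the flag only affects the local (config.xml) record lookup and not the LDAP bind itself, which appears to be what the help text in the next hunk means but is not obvious from this code alone.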
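Review bot: The added option block in getConfigurationOptions uses the long `array()` syntax twice and a validate closure whose `$value` parameter is unused and whose empty return carries no explanation; as a point of style, short syntax and a comment stating the intent read better, e.g. `$options["caseInSensitiveUsernames"] = [];` and `return []; // checkbox, no validation needed`. The sibling option builders in getTOTPConfigurationOptions are outside the hunk, so whichever array syntax they use should be the one followed here for consistency.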