Add new config option to disable automatic creation of LDAP accounts

5 files changed, 25 insertions, 2 deletions

diff --git a/app/Auth/Ldap.php b/app/Auth/Ldap.php
index 3ee6ec9b..c1459b4e 100644
--- a/app/Auth/Ldap.php
+++ b/app/Auth/Ldap.php
@@ -46,7 +46,7 @@ class Ldap extends Base
             else {
 
                 // We create automatically a new user
-                if ($this->createUser($username, $result['name'], $result['email'])) {
+                if (LDAP_ACCOUNT_CREATION && $this->createUser($username, $result['name'], $result['email'])) {
                     $user = $this->user->getByUsername($username);
                 }
                 else {
diff --git a/app/constants.php b/app/constants.php
index 7270db23..83fba468 100644
--- a/app/constants.php
+++ b/app/constants.php
@@ -35,6 +35,7 @@ defined('LDAP_ACCOUNT_FULLNAME') or define('LDAP_ACCOUNT_FULLNAME', 'displayname
 defined('LDAP_ACCOUNT_EMAIL') or define('LDAP_ACCOUNT_EMAIL', 'mail');
 defined('LDAP_ACCOUNT_ID') or define('LDAP_ACCOUNT_ID', '');
 defined('LDAP_USERNAME_CASE_SENSITIVE') or define('LDAP_USERNAME_CASE_SENSITIVE', false);
+defined('LDAP_ACCOUNT_CREATION') or define('LDAP_ACCOUNT_CREATION', true);
 
 // Google authentication
 defined('GOOGLE_AUTH') or define('GOOGLE_AUTH', false);
diff --git a/config.default.php b/config.default.php
index 38453455..c392dcad 100644
--- a/config.default.php
+++ b/config.default.php
@@ -109,6 +109,9 @@ define('LDAP_ACCOUNT_ID', 'samaccountname');
 // Set to true if you want to preserve the case
 define('LDAP_USERNAME_CASE_SENSITIVE', false);
 
+// Automatically create user account
+define('LDAP_ACCOUNT_CREATION', true);
+
 // Enable/disable Google authentication
 define('GOOGLE_AUTH', false);
 
diff --git a/docs/config.markdown b/docs/config.markdown
index aca605ca..45ba7a91 100644
--- a/docs/config.markdown
+++ b/docs/config.markdown
@@ -135,6 +135,9 @@ define('LDAP_ACCOUNT_ID', 'samaccountname');
 // By default Kanboard lowercase the ldap username to avoid duplicate users (the database is case sensitive)
 // Set to true if you want to preserve the case
 define('LDAP_USERNAME_CASE_SENSITIVE', false);
+
+// Automatically create user account
+define('LDAP_ACCOUNT_CREATION', true);
 ```
 
 Google Authentication settings
diff --git a/docs/ldap-authentication.markdown b/docs/ldap-authentication.markdown
index 2428194d..8c7e5ff5 100644
--- a/docs/ldap-authentication.markdown
+++ b/docs/ldap-authentication.markdown
@@ -17,7 +17,7 @@ When the LDAP authentication is activated, the login process work like that:
 
 1. Try first to authenticate the user by using the database
 2. If the user is not found inside the database, a LDAP authentication is performed
-3. If the LDAP authentication is successful, a local user is created automatically with no password and marked as LDAP user.
+3. If the LDAP authentication is successful, by default a local user is created automatically with no password and marked as LDAP user.
 
 ### Differences between a local user and a LDAP user are the following:
 
@@ -85,6 +85,22 @@ define('LDAP_ACCOUNT_ID', 'samaccountname');
 // By default Kanboard lowercase the ldap username to avoid duplicate users (the database is case sensitive)
 // Set to true if you want to preserve the case
 define('LDAP_USERNAME_CASE_SENSITIVE', false);
+
+// Automatically create user account
+define('LDAP_ACCOUNT_CREATION', true);
+```
+
+### Disable automatic account creation
+
+By default, Kanboard will create automatically a user account if nothing is found.
+
+You can disable this behavior if you prefer to create user accounts manually to restrict Kanboard to only some people.
+
+Just change the value of `LDAP_ACCOUNT_CREATION` to `false`:
+
+```php
+// Automatically create user account
+define('LDAP_ACCOUNT_CREATION', false);
 ```
 
 ### LDAP bind type