From d34a2a38603431bc5caa74b726a6f58d86a70530 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <andi@splitbrain.org>
Date: Tue, 22 Oct 2013 21:45:37 +0200
Subject: [PATCH] allow charset for SSO to be configured FS#2148

---
 lib/plugins/authad/auth.php             | 26 ++++++++++++++++---------
 lib/plugins/authad/conf/default.php     |  1 +
 lib/plugins/authad/conf/metadata.php    |  1 +
 lib/plugins/authad/lang/en/settings.php |  3 ++-
 4 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/lib/plugins/authad/auth.php b/lib/plugins/authad/auth.php
index fcbd2eeef..e1d758fb8 100644
--- a/lib/plugins/authad/auth.php
+++ b/lib/plugins/authad/auth.php
@@ -92,16 +92,24 @@ class auth_plugin_authad extends DokuWiki_Auth_Plugin {
         }
 
         // Prepare SSO
-        if(!utf8_check($_SERVER['REMOTE_USER'])) {
-            $_SERVER['REMOTE_USER'] = utf8_encode($_SERVER['REMOTE_USER']);
-        }
-        if($_SERVER['REMOTE_USER'] && $this->conf['sso']) {
-            $_SERVER['REMOTE_USER'] = $this->cleanUser($_SERVER['REMOTE_USER']);
+        if(!empty($_SERVER['REMOTE_USER'])) {
+
+            // make sure the right encoding is used
+            if($this->getConf('sso_charset')) {
+                $_SERVER['REMOTE_USER'] = iconv($this->getConf('sso_charset'), 'UTF-8', $_SERVER['REMOTE_USER']);
+            } elseif(!utf8_check($_SERVER['REMOTE_USER'])) {
+                $_SERVER['REMOTE_USER'] = utf8_encode($_SERVER['REMOTE_USER']);
+            }
 
-            // we need to simulate a login
-            if(empty($_COOKIE[DOKU_COOKIE])) {
-                $INPUT->set('u', $_SERVER['REMOTE_USER']);
-                $INPUT->set('p', 'sso_only');
+            // trust the incoming user
+            if($this->conf['sso']) {
+                $_SERVER['REMOTE_USER'] = $this->cleanUser($_SERVER['REMOTE_USER']);
+
+                // we need to simulate a login
+                if(empty($_COOKIE[DOKU_COOKIE])) {
+                    $INPUT->set('u', $_SERVER['REMOTE_USER']);
+                    $INPUT->set('p', 'sso_only');
+                }
             }
         }
 
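Review bot: The `iconv()` result in the new `sso_charset` branch is written straight back to `$_SERVER['REMOTE_USER']`, but `iconv()` returns `false` when the configured charset name is unknown or the input contains a byte sequence that is illegal in that charset. `sso_charset` is a free-form `string` setting in metadata.php, so a typo there is enough to trigger this. With `sso` enabled, the `false` value then flows into `cleanUser()` and the simulated login via `$INPUT->set('u', ...)`. What those do with it is not visible in this hunk, so the conversion should fail closed instead of relying on them. I would convert into a temporary, clear the user name on failure, and skip the "trust the incoming user" block when it is empty, as sketched below; the enclosing method starts and ends outside the hunk.

```php
            // make sure the right encoding is used
            if($this->getConf('sso_charset')) {
                $converted = iconv($this->getConf('sso_charset'), 'UTF-8', $_SERVER['REMOTE_USER']);
                // fail closed: an unknown charset or an illegal byte sequence yields false
                $_SERVER['REMOTE_USER'] = ($converted === false) ? '' : $converted;
            } elseif(!utf8_check($_SERVER['REMOTE_USER'])) {
                // … unchanged: utf8_encode() fallback …
            }

            // trust the incoming user
            if($this->conf['sso'] && $_SERVER['REMOTE_USER'] !== '') {
                // … unchanged: cleanUser() and simulated login …
            }
```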
diff --git a/lib/plugins/authad/conf/default.php b/lib/plugins/authad/conf/default.php
index f71202cfc..6fb4c9145 100644
--- a/lib/plugins/authad/conf/default.php
+++ b/lib/plugins/authad/conf/default.php
@@ -4,6 +4,7 @@ $conf['account_suffix']     = '';
 $conf['base_dn']            = '';
 $conf['domain_controllers'] = '';
 $conf['sso']                = 0;
+$conf['sso_charset']        = '';
 $conf['admin_username']     = '';
 $conf['admin_password']     = '';
 $conf['real_primarygroup']  = 0;
diff --git a/lib/plugins/authad/conf/metadata.php b/lib/plugins/authad/conf/metadata.php
index 7b4f895d0..560d25315 100644
--- a/lib/plugins/authad/conf/metadata.php
+++ b/lib/plugins/authad/conf/metadata.php
@@ -4,6 +4,7 @@ $meta['account_suffix']     = array('string','_caution' => 'danger');
 $meta['base_dn']            = array('string','_caution' => 'danger');
 $meta['domain_controllers'] = array('string','_caution' => 'danger');
 $meta['sso']                = array('onoff','_caution' => 'danger');
+$meta['sso_charset']        = array('string','_caution' => 'danger');
 $meta['admin_username']     = array('string','_caution' => 'danger');
 $meta['admin_password']     = array('password','_caution' => 'danger');
 $meta['real_primarygroup']  = array('onoff','_caution' => 'danger');
diff --git a/lib/plugins/authad/lang/en/settings.php b/lib/plugins/authad/lang/en/settings.php
index aff49550b..92e9ac4e8 100644
--- a/lib/plugins/authad/lang/en/settings.php
+++ b/lib/plugins/authad/lang/en/settings.php
@@ -6,7 +6,8 @@ $lang['domain_controllers'] = 'A comma separated list of Domain controllers. Eg.
 $lang['admin_username']     = 'A privileged Active Directory user with access to all other user\'s data. Optional, but needed for certain actions like sending subscription mails.';
 $lang['admin_password']     = 'The password of the above user.';
 $lang['sso']                = 'Should Single-Sign-On via Kerberos or NTLM be used?';
-$lang['real_primarygroup']  = 'Should the real primary group be resolved instead of assuming "Domain Users" (slower)';
+$lang['sso_charset']        = 'The charset your webserver will pass the Kerberos or NTLM username in. Empty for UTF-8 or latin-1. Requires the iconv extension.';
+$lang['real_primarygroup']  = 'Should the real primary group be resolved instead of assuming "Domain Users" (slower).';
 $lang['use_ssl']            = 'Use SSL connection? If used, do not enable TLS below.';
 $lang['use_tls']            = 'Use TLS connection? If used, do not enable SSL above.';
 $lang['debug']              = 'Display additional debugging output on errors?';
-- 
GitLab