sources/ldap: check nsaccountlock for FreeIPA/389-ds (#6270)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
db4f61549d
commit
cf799fca03
@ -20,6 +20,7 @@ class FreeIPA(BaseLDAPSynchronizer):
|
||||||
|
|
||||||
def sync(self, attributes: dict[str, Any], user: User, created: bool):
|
def sync(self, attributes: dict[str, Any], user: User, created: bool):
|
||||||
self.check_pwd_last_set(attributes, user, created)
|
self.check_pwd_last_set(attributes, user, created)
|
||||||
|
self.check_nsaccountlock(attributes, user)
|
||||||
|
|
||||||
def check_pwd_last_set(self, attributes: dict[str, Any], user: User, created: bool):
|
def check_pwd_last_set(self, attributes: dict[str, Any], user: User, created: bool):
|
||||||
"""Check krbLastPwdChange"""
|
"""Check krbLastPwdChange"""
|
||||||
|
@ -37,3 +38,14 @@ class FreeIPA(BaseLDAPSynchronizer):
|
||||||
)
|
)
|
||||||
user.set_unusable_password()
|
user.set_unusable_password()
|
||||||
user.save()
|
user.save()
|
||||||
|
|
||||||
|
def check_nsaccountlock(self, attributes: dict[str, Any], user: User):
|
||||||
|
"""https://www.port389.org/docs/389ds/howto/howto-account-inactivation.html"""
|
||||||
|
# This is more of a 389-ds quirk rather than FreeIPA, but FreeIPA uses
|
||||||
|
# 389-ds and this will trigger regardless
|
||||||
|
if "nsaccountlock" not in attributes:
|
||||||
|
return
|
||||||
|
is_active = attributes.get("nsaccountlock", False)
|
||||||
|
if is_active != user.is_active:
|
||||||
|
user.is_active = is_active
|
||||||
|
user.save()
|
||||||
|
|
|
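Review bot: The lock flag is applied with the wrong sign in `check_nsaccountlock`: `nsaccountlock` is 389-ds's "account is locked" attribute (per the linked howto), yet `is_active = attributes.get("nsaccountlock", False)` is written straight into `user.is_active`, so a locked directory account is marked active in authentik and an unlocked one is deactivated — the locked user keeps authenticating, which defeats the inactivation this commit is meant to honour. A second problem stacks on top: 389-ds exposes the attribute as the string `"TRUE"`/`"FALSE"` (possibly wrapped in a single-element list, depending on how `attributes` is assembled by the caller — not visible here, worth confirming), and a non-empty `"FALSE"` is truthy in Python, so even the sign fix alone would still lock everyone who has the attribute set. Parse the value explicitly and invert it before comparing with `user.is_active`; the hunk 1 call site in `sync` needs no change. Suggested body for the part after the early return:
```python
        # 389-ds exposes nsaccountlock as the string "TRUE"/"FALSE" (sometimes as a
        # one-element list); a bare truthiness test would treat "FALSE" as locked.
        raw = attributes["nsaccountlock"]
        if isinstance(raw, (list, tuple)):
            raw = raw[0] if raw else "FALSE"
        is_locked = str(raw).strip().lower() == "true"
        # Locked in the directory means *inactive* here, hence the inversion.
        should_be_active = not is_locked
        if user.is_active != should_be_active:
            user.is_active = should_be_active
            user.save()
```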
@ -78,5 +78,7 @@ class MicrosoftActiveDirectory(BaseLDAPSynchronizer):
|
||||||
# /useraccountcontrol-manipulate-account-properties
|
# /useraccountcontrol-manipulate-account-properties
|
||||||
uac_bit = attributes.get("userAccountControl", 512)
|
uac_bit = attributes.get("userAccountControl", 512)
|
||||||
uac = UserAccountControl(uac_bit)
|
uac = UserAccountControl(uac_bit)
|
||||||
user.is_active = UserAccountControl.ACCOUNTDISABLE not in uac
|
is_active = UserAccountControl.ACCOUNTDISABLE not in uac
|
||||||
|
if is_active != user.is_active:
|
||||||
|
user.is_active = is_active
|
||||||
user.save()
|
user.save()
|
||||||
|
|
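Review bot: The new `if is_active != user.is_active:` guard is only as trustworthy as the value it compares, and with the pre-existing default of 512 in `attributes.get("userAccountControl", 512)` a sync result that carries no `userAccountControl` at all (for instance when the bind account cannot read that attribute — an inference, the attribute-fetching code is not in this hunk) is interpreted as NORMAL_ACCOUNT, so a user who is disabled in authentik is silently re-enabled on the next sync. The FreeIPA hunk in this same commit fails closed by returning early when its attribute is absent; mirroring that here with `if "userAccountControl" not in attributes: return` placed before the `uac_bit` line would keep an unreadable attribute from flipping `is_active` in either direction. It would also help to note above the guard why the save is now conditional, e.g. `# only touch the row when the flag actually changed, so unchanged users do not get a save()/signal on every sync`, if that is the intent. The enclosing sync method begins outside this hunk.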