sources/ldap: check nsaccountlock for FreeIPA/389-ds (#6270)
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
parent
db4f61549d
commit
cf799fca03
|
@ -20,6 +20,7 @@ class FreeIPA(BaseLDAPSynchronizer):
|
|||
|
||||
def sync(self, attributes: dict[str, Any], user: User, created: bool):
|
||||
self.check_pwd_last_set(attributes, user, created)
|
||||
self.check_nsaccountlock(attributes, user)
|
||||
|
||||
def check_pwd_last_set(self, attributes: dict[str, Any], user: User, created: bool):
|
||||
"""Check krbLastPwdChange"""
|
||||
|
@ -37,3 +38,14 @@ class FreeIPA(BaseLDAPSynchronizer):
|
|||
)
|
||||
user.set_unusable_password()
|
||||
user.save()
|
||||
|
||||
def check_nsaccountlock(self, attributes: dict[str, Any], user: User):
|
||||
"""https://www.port389.org/docs/389ds/howto/howto-account-inactivation.html"""
|
||||
# This is more of a 389-ds quirk rather than FreeIPA, but FreeIPA uses
|
||||
# 389-ds and this will trigger regardless
|
||||
if "nsaccountlock" not in attributes:
|
||||
return
|
||||
is_active = attributes.get("nsaccountlock", False)
|
||||
if is_active != user.is_active:
|
||||
user.is_active = is_active
|
||||
user.save()
|
||||
|
|
|
@ -78,5 +78,7 @@ class MicrosoftActiveDirectory(BaseLDAPSynchronizer):
|
|||
# /useraccountcontrol-manipulate-account-properties
|
||||
uac_bit = attributes.get("userAccountControl", 512)
|
||||
uac = UserAccountControl(uac_bit)
|
||||
user.is_active = UserAccountControl.ACCOUNTDISABLE not in uac
|
||||
is_active = UserAccountControl.ACCOUNTDISABLE not in uac
|
||||
if is_active != user.is_active:
|
||||
user.is_active = is_active
|
||||
user.save()
|
||||
|
|
Reference in New Issue