From e8c9b70ae8f26624923caec4dc080d06e538b1f9 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 2 Mar 2021 21:05:00 +0100
Subject: [PATCH] sources/ldap: check pwdLastSet when syncing Users

---
 authentik/sources/ldap/sync/users.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/authentik/sources/ldap/sync/users.py b/authentik/sources/ldap/sync/users.py
index 37031b037..703da2f31 100644
--- a/authentik/sources/ldap/sync/users.py
+++ b/authentik/sources/ldap/sync/users.py
@@ -1,7 +1,10 @@
 """Sync LDAP Users into authentik"""
+from datetime import datetime
+
 import ldap3
 import ldap3.core.exceptions
 from django.db.utils import IntegrityError
+from pytz import UTC
 
 from authentik.core.models import User
 from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
@@ -53,11 +56,21 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
                 )
             )
         else:
-            if created:
-                ak_user.set_unusable_password()
-                ak_user.save()
             self._logger.debug(
                 "Synced User", user=ak_user.username, created=created
             )
             user_count += 1
+            # pylint: disable=no-value-for-parameter
+            pwd_last_set = UTC.localize(
+                attributes.get("pwdLastSet", datetime.now())
+            )
+            if created or pwd_last_set >= ak_user.password_change_date:
+                self._logger.debug(
+                    "Reset user's password",
+                    user=ak_user.username,
+                    created=created,
+                    pwd_last_set=pwd_last_set,
+                )
+                ak_user.set_unusable_password()
+                ak_user.save()
         return user_count
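Review bot: The fallback in `attributes.get("pwdLastSet", datetime.now())` makes a missing attribute look like a password change that happened just now, so for an entry without pwdLastSet the `>=` comparison in the second hunk is true on every sync run and `set_unusable_password()` plus `save()` are re-applied each time, not only when the directory password actually changed. The fallback is also a naive local-time value that `UTC.localize` then labels as UTC, which is off by the host offset on any non-UTC host. If ldap3 already hands back pwdLastSet as a timezone-aware datetime, `UTC.localize` would raise ValueError instead of converting, so this is worth confirming against a real entry; `password_change_date` being None would likewise need a guard if the model allows it. I would treat an absent attribute as "no information" (reset only on `created`) and localize only naive values, as below; the enclosing sync method starts before this hunk.
```python
            user_count += 1
            pwd_last_set = attributes.get("pwdLastSet")
            # Localize only naive values; an already-aware value is kept as-is.
            if pwd_last_set is not None and pwd_last_set.tzinfo is None:
                pwd_last_set = UTC.localize(pwd_last_set)
            # Absent pwdLastSet means "unknown", not "changed now": reset only on create.
            if created or (
                pwd_last_set is not None
                and pwd_last_set >= ak_user.password_change_date
            ):
                # … unchanged: debug log, set_unusable_password(), save() …
```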