auto create account, sync ldap disabled flag

2025-09-13 14:31:15 +00:00 · 2020-11-16 22:39:41 +01:00
parent 1dee239f4f
commit 7b651da1d7
8 changed files with 106 additions and 20 deletions
--- a/internal/ldap/authentication.go
+++ b/internal/ldap/authentication.go
@@ -63,7 +63,7 @@ func (a Authentication) CheckCustomLogin(userIdentifier, username, password stri
 		a.Cfg.BaseDN,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
 		fmt.Sprintf("(&(objectClass=organizationalPerson)(%s=%s))", userIdentifier, username),
-		[]string{"dn"},
+		[]string{"dn", "userAccountControl"},
 		nil,
 	)

@@ -78,6 +78,12 @@ func (a Authentication) CheckCustomLogin(userIdentifier, username, password stri

 	userDN := sr.Entries[0].DN

+	// Check if user is disabled, if so deny login
+	uac := sr.Entries[0].GetAttributeValue("userAccountControl")
+	if uac != "" && IsLdapUserDisabled(uac) {
+		return false
+	}
+
 	// Bind as the user to verify their password
 	err = client.Bind(userDN, password)
 	if err != nil {
--- a/internal/ldap/usercache.go
+++ b/internal/ldap/usercache.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"fmt"
 	"sort"
+	"strconv"
 	"strings"
 	"sync"
 	"time"
@@ -214,7 +215,7 @@ func NewUserCache(config Config, store UserCacheHolder) *UserCache {
 	}

 	log.Infof("Filling user cache...")
-	err := uc.Update(true)
+	err := uc.Update(true, true)
 	log.Infof("User cache filled!")
 	uc.LastError = err

@@ -250,7 +251,7 @@ func (u UserCache) close(conn *ldap.Conn) {
 }

 // Update updates the user cache in background, minimal locking will happen
-func (u *UserCache) Update(filter bool) error {
+func (u *UserCache) Update(filter, withDisabledUsers bool) error {
 	log.Debugf("Updating ldap cache...")
 	client, err := u.open()
 	if err != nil {
@@ -290,8 +291,8 @@ func (u *UserCache) Update(filter bool) error {
 				continue // prefilter...
 			}

-			if userAccountControl == "" || userAccountControl == "514" {
-				continue // 514 means account is disabled
+			if !withDisabledUsers && userAccountControl != "" && IsLdapUserDisabled(userAccountControl) {
+				continue
 			}

 			if entry.DN != dn {
@@ -323,3 +324,15 @@ func (u *UserCache) Update(filter bool) error {

 	return nil
 }
+
+func IsLdapUserDisabled(userAccountControl string) bool {
+	uacInt, err := strconv.Atoi(userAccountControl)
+	if err != nil {
+		return true
+	}
+	if int32(uacInt)&0x2 != 0 {
+		return true // bit 2 set means account is disabled
+	}
+
+	return false
+}