From 03369e2338e548f9d7f5857413be384ef7daf3be Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Tue, 19 Oct 2021 15:40:30 +0200
Subject: [PATCH] sources/ldap: check for existence of vendor fields before
 falling back

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

#1521
---
 authentik/sources/ldap/sync/vendor/freeipa.py |  2 ++
 authentik/sources/ldap/sync/vendor/ms_ad.py   | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/authentik/sources/ldap/sync/vendor/freeipa.py b/authentik/sources/ldap/sync/vendor/freeipa.py
index 525efc0a5..2eca55686 100644
--- a/authentik/sources/ldap/sync/vendor/freeipa.py
+++ b/authentik/sources/ldap/sync/vendor/freeipa.py
@@ -16,6 +16,8 @@ class FreeIPA(BaseLDAPSynchronizer):
 
     def check_pwd_last_set(self, attributes: dict[str, Any], user: User, created: bool):
         """Check krbLastPwdChange"""
+        if "krbLastPwdChange" not in attributes:
+            return
         pwd_last_set: datetime = attributes.get("krbLastPwdChange", datetime.now())
         pwd_last_set = pwd_last_set.replace(tzinfo=UTC)
         if created or pwd_last_set >= user.password_change_date:
diff --git a/authentik/sources/ldap/sync/vendor/ms_ad.py b/authentik/sources/ldap/sync/vendor/ms_ad.py
index a10fbf6e0..4effdc743 100644
--- a/authentik/sources/ldap/sync/vendor/ms_ad.py
+++ b/authentik/sources/ldap/sync/vendor/ms_ad.py
@@ -48,6 +48,8 @@ class MicrosoftActiveDirectory(BaseLDAPSynchronizer):
 
     def ms_check_pwd_last_set(self, attributes: dict[str, Any], user: User, created: bool):
         """Check pwdLastSet"""
+        if "pwdLastSet" not in attributes:
+            return
         pwd_last_set: datetime = attributes.get("pwdLastSet", datetime.now())
         pwd_last_set = pwd_last_set.replace(tzinfo=UTC)
         if created or pwd_last_set >= user.password_change_date:
@@ -63,8 +65,11 @@ class MicrosoftActiveDirectory(BaseLDAPSynchronizer):
 
     def ms_check_uac(self, attributes: dict[str, Any], user: User):
         """Check userAccountControl"""
-        if uac_bit := attributes.get("userAccountControl", None):
-            # uac_bit: int = attributes.get("userAccountControl")
-            uac = UserAccountControl(uac_bit)
-            user.is_active = UserAccountControl.ACCOUNTDISABLE not in uac
-            user.save()
+        if "userAccountControl" not in attributes:
+            return
+        # Default from https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity
+        #   /useraccountcontrol-manipulate-account-properties
+        uac_bit = attributes.get("userAccountControl", 512)
+        uac = UserAccountControl(uac_bit)
+        user.is_active = UserAccountControl.ACCOUNTDISABLE not in uac
+        user.save()