From 03369e2338e548f9d7f5857413be384ef7daf3be Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Tue, 19 Oct 2021 15:40:30 +0200
Subject: [PATCH] sources/ldap: check for existence of vendor fields before falling back
Signed-off-by: Jens Langhammer #1521
---
 authentik/sources/ldap/sync/vendor/freeipa.py | 2 ++
 authentik/sources/ldap/sync/vendor/ms_ad.py | 15 ++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/authentik/sources/ldap/sync/vendor/freeipa.py b/authentik/sources/ldap/sync/vendor/freeipa.py
index 525efc0a5..2eca55686 100644
--- a/authentik/sources/ldap/sync/vendor/freeipa.py
+++ b/authentik/sources/ldap/sync/vendor/freeipa.py
@@ -16,6 +16,8 @@ class FreeIPA(BaseLDAPSynchronizer):
     def check_pwd_last_set(self, attributes: dict[str, Any], user: User, created: bool):
         """Check krbLastPwdChange"""
+        if "krbLastPwdChange" not in attributes:
+            return
         pwd_last_set: datetime = attributes.get("krbLastPwdChange", datetime.now())
         pwd_last_set = pwd_last_set.replace(tzinfo=UTC)
         if created or pwd_last_set >= user.password_change_date:
diff --git a/authentik/sources/ldap/sync/vendor/ms_ad.py b/authentik/sources/ldap/sync/vendor/ms_ad.py
index a10fbf6e0..4effdc743 100644
--- a/authentik/sources/ldap/sync/vendor/ms_ad.py
+++ b/authentik/sources/ldap/sync/vendor/ms_ad.py
@@ -48,6 +48,8 @@ class MicrosoftActiveDirectory(BaseLDAPSynchronizer):
     def ms_check_pwd_last_set(self, attributes: dict[str, Any], user: User, created: bool):
         """Check pwdLastSet"""
+        if "pwdLastSet" not in attributes:
+            return
         pwd_last_set: datetime = attributes.get("pwdLastSet", datetime.now())
         pwd_last_set = pwd_last_set.replace(tzinfo=UTC)
         if created or pwd_last_set >= user.password_change_date:
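Review bot: With the new presence guard in check_pwd_last_set, the `datetime.now()` default on the following `attributes.get("krbLastPwdChange", datetime.now())` line is unreachable, yet a naive `datetime.now()` is still evaluated on every call; the same dead default remains for `pwdLastSet` in the ms_check_pwd_last_set hunk and for the `512` fallback in the ms_check_uac hunk. Either index directly, `pwd_last_set: datetime = attributes["krbLastPwdChange"]`, or keep `.get()` without a default, so that a missing key can never again be silently treated as "password changed just now" if the guard is later loosened. A one-line comment above each guard would make the intent explicit, e.g. `# attribute absent from the LDAP entry: leave the local password state untouched instead of defaulting to now`. Both check_pwd_last_set and ms_check_pwd_last_set continue past the end of their hunks.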
@@ -63,8 +65,11 @@ class MicrosoftActiveDirectory(BaseLDAPSynchronizer):
     def ms_check_uac(self, attributes: dict[str, Any], user: User):
         """Check userAccountControl"""
-        if uac_bit := attributes.get("userAccountControl", None):
-            # uac_bit: int = attributes.get("userAccountControl")
-            uac = UserAccountControl(uac_bit)
-            user.is_active = UserAccountControl.ACCOUNTDISABLE not in uac
-            user.save()
+        if "userAccountControl" not in attributes:
+            return
+        # Default from https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity
+        # /useraccountcontrol-manipulate-account-properties
+        uac_bit = attributes.get("userAccountControl", 512)
+        uac = UserAccountControl(uac_bit)
+        user.is_active = UserAccountControl.ACCOUNTDISABLE not in uac
+        user.save()