From 58aa7ec62390b13469e43098078343fed2fa1b62 Mon Sep 17 00:00:00 2001 From: Jens L Date: Wed, 13 Sep 2023 15:43:59 +0200 Subject: [PATCH] sources/ldap: fix inverted interpretation of FreeIPA nsaccountlock (#6877) sources/ldap: fix inverted interpretation of nsaccountlock Signed-off-by: Jens Langhammer --- authentik/sources/ldap/sync/vendor/freeipa.py | 6 ++++-- authentik/sources/ldap/tests/test_sync.py | 1 + 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/authentik/sources/ldap/sync/vendor/freeipa.py b/authentik/sources/ldap/sync/vendor/freeipa.py index 8ac6361a1..fd42c001c 100644 --- a/authentik/sources/ldap/sync/vendor/freeipa.py +++ b/authentik/sources/ldap/sync/vendor/freeipa.py @@ -47,9 +47,11 @@ class FreeIPA(BaseLDAPSynchronizer): return # For some reason, nsaccountlock is not defined properly in the schema as bool # hence we get it as a list of strings - _is_active = str(self._flatten(attributes.get("nsaccountlock", ["FALSE"]))) + _is_locked = str(self._flatten(attributes.get("nsaccountlock", ["FALSE"]))) # So we have to attempt to convert it to a bool - is_active = _is_active.lower() == "true" + is_locked = _is_locked.lower() == "true" + # And then invert it since freeipa saves locked and we save active + is_active = not is_locked if is_active != user.is_active: user.is_active = is_active user.save() diff --git a/authentik/sources/ldap/tests/test_sync.py b/authentik/sources/ldap/tests/test_sync.py index 5fbfd553d..9e88735cf 100644 --- a/authentik/sources/ldap/tests/test_sync.py +++ b/authentik/sources/ldap/tests/test_sync.py @@ -137,6 +137,7 @@ class LDAPSyncTests(TestCase): user_sync.sync_full() self.assertTrue(User.objects.filter(username="user0_sn").exists()) self.assertFalse(User.objects.filter(username="user1_sn").exists()) + self.assertFalse(User.objects.get(username="user-nsaccountlock").is_active) def test_sync_groups_ad(self): """Test group sync"""