sources/ldap: fix inverted interpretation of FreeIPA nsaccountlock (cherry-pick #6877) (#6879)

sources/ldap: fix inverted interpretation of FreeIPA nsaccountlock (#6877) sources/ldap: fix inverted interpretation of nsaccountlock Signed-off-by: Jens Langhammer <jens@goauthentik.io> Co-authored-by: Jens L <jens@goauthentik.io>
2023-09-13 19:50:48 +02:00 · 2023-09-13 19:50:48 +02:00 · aaa9b398f4
parent d54d01b118
commit aaa9b398f4
2 changed files with 5 additions and 2 deletions
--- a/authentik/sources/ldap/sync/vendor/freeipa.py
+++ b/authentik/sources/ldap/sync/vendor/freeipa.py
@ -47,9 +47,11 @@ class FreeIPA(BaseLDAPSynchronizer):
            return
        # For some reason, nsaccountlock is not defined properly in the schema as bool
        # hence we get it as a list of strings
-        _is_active = str(self._flatten(attributes.get("nsaccountlock", ["FALSE"])))
+        _is_locked = str(self._flatten(attributes.get("nsaccountlock", ["FALSE"])))
        # So we have to attempt to convert it to a bool
-        is_active = _is_active.lower() == "true"
+        is_locked = _is_locked.lower() == "true"
+        # And then invert it since freeipa saves locked and we save active
+        is_active = not is_locked
        if is_active != user.is_active:
            user.is_active = is_active
            user.save()
--- a/authentik/sources/ldap/tests/test_sync.py
+++ b/authentik/sources/ldap/tests/test_sync.py
@ -137,6 +137,7 @@ class LDAPSyncTests(TestCase):
            user_sync.sync_full()
            self.assertTrue(User.objects.filter(username="user0_sn").exists())
            self.assertFalse(User.objects.filter(username="user1_sn").exists())
+            self.assertFalse(User.objects.get(username="user-nsaccountlock").is_active)

    def test_sync_groups_ad(self):
        """Test group sync"""