sources/ldap: check pwdLastSet when syncing Users

This commit is contained in:
Jens Langhammer 2021-03-02 21:05:00 +01:00
parent 74d240dfd4
commit e8c9b70ae8

View file

@ -1,7 +1,10 @@
"""Sync LDAP Users into authentik"""
from datetime import datetime
import ldap3
import ldap3.core.exceptions
from django.db.utils import IntegrityError
from pytz import UTC
from authentik.core.models import User
from authentik.sources.ldap.sync.base import LDAP_UNIQUENESS, BaseLDAPSynchronizer
@ -53,11 +56,21 @@ class UserLDAPSynchronizer(BaseLDAPSynchronizer):
)
)
else:
if created:
ak_user.set_unusable_password()
ak_user.save()
self._logger.debug(
"Synced User", user=ak_user.username, created=created
)
user_count += 1
# pylint: disable=no-value-for-parameter
pwd_last_set = UTC.localize(
attributes.get("pwdLastSet", datetime.now())
)
if created or pwd_last_set >= ak_user.password_change_date:
self._logger.debug(
"Reset user's password",
user=ak_user.username,
created=created,
pwd_last_set=pwd_last_set,
)
ak_user.set_unusable_password()
ak_user.save()
return user_count