Module: check_mk
Branch: master
Commit: a7f24c230f67220e9ba7c3eb01f85e750d142027
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=a7f24c230f6722…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Oct 17 16:17:24 2018 +0200
5957 FIX LDAP: Locking of users using "Authentication Expiration" plugin was not
unlocking users
The LDAP sync can lock users in Check_MK based on their locking property in the Active
Directory.
When a user was locked in AD and Check_MK performed the next sync, the user login was
disabled.
The inverse operation was not working.
Unlocking previously locked users has now been implemented correctly. Another change is that
the locking property in Check_MK is now read-only for LDAP users.
Change-Id: I124a45ffde266358b80b55e1414ee0b8c84813f9
---
.werks/5957 | 16 ++++++++++++++++
cmk/gui/plugins/userdb/ldap_connector.py | 10 +++++++++-
2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/.werks/5957 b/.werks/5957
new file mode 100644
index 0000000..15a69cb
--- /dev/null
+++ b/.werks/5957
@@ -0,0 +1,16 @@
+Title: LDAP: Locking of users using "Authentication Expiration" plugin was not
unlocking users
+Level: 1
+Component: multisite
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.6.0i1
+Date: 1523264693
+
+The LDAP sync can lock users in Check_MK based on their locking property in the Active
Directory.
+When a user was locked in AD and Check_MK performed the next sync, the user login was
disabled.
+The inverse operation was not working.
+
+Unlocking previously locked users has now been implemented correctly. Another change is,
that
+the locking property in Check_MK is now read-only for LDAP users.
diff --git a/cmk/gui/plugins/userdb/ldap_connector.py
b/cmk/gui/plugins/userdb/ldap_connector.py
index 44fe9e8..0b8e3cd 100644
--- a/cmk/gui/plugins/userdb/ldap_connector.py
+++ b/cmk/gui/plugins/userdb/ldap_connector.py
@@ -1925,11 +1925,18 @@ def ldap_sync_auth_expire(connection, plugin, params, user_id,
ldap_user, user):
# Special handling for active directory: Is the user enabled / disabled?
if connection.is_active_directory() and ldap_user.get('useraccountcontrol'):
# see
http://www.selfadsi.de/ads-attributes/user-userAccountControl.htm for
details
- if int(ldap_user['useraccountcontrol'][0]) & 2 and not
user.get("locked", False):
+ locked_in_ad = saveint(ldap_user['useraccountcontrol'][0]) & 2
+ locked_in_cmk = user.get("locked", False)
+
+ if locked_in_ad and not locked_in_cmk:
return {
'locked': True,
'serial': user.get('serial', 0) + 1,
}
+ elif not locked_in_ad and locked_in_cmk:
+ return {
+ 'locked': False,
+ }
changed_attr = params.get('attr',
connection.ldap_attr('pw_changed')).lower()
if not changed_attr in ldap_user:
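Review bot: Replacing `int()` with `saveint()` on the `useraccountcontrol` line makes an unparsable or empty flag value look like an enabled account: if `saveint` falls back to 0 as its name suggests, the new `elif not locked_in_ad and locked_in_cmk` branch would unlock a user in Check_MK on the strength of bad data, whereas the old `int()` call aborted the sync instead. Keep the conversion explicit and make no lock decision at all when the value cannot be parsed, as sketched below. Note also that the unlock branch clears `locked` regardless of why it was set; if Check_MK's own logon-failure lockout is expressed through the same `locked` flag, a sync against an enabled AD account would silently undo it, which is worth confirming before merging. Both `return`s also skip the password-change check that follows (`changed_attr = ...`) on the sync in which the state flips, as was already the case for locking. The body of `ldap_sync_auth_expire` continues past the end of the hunk.
```python
            # see http://www.selfadsi.de/ads-attributes/user-userAccountControl.htm for details
            try:
                locked_in_ad = bool(int(ldap_user['useraccountcontrol'][0]) & 2)
            except ValueError:
                # Unparsable flag value: make no lock decision rather than
                # treating the account as enabled and unlocking it.
                locked_in_ad = None
            locked_in_cmk = user.get("locked", False)

            if locked_in_ad is True and not locked_in_cmk:
                return {
                    'locked': True,
                    'serial': user.get('serial', 0) + 1,
                }
            elif locked_in_ad is False and locked_in_cmk:
                return {
                    'locked': False,
                }
            # … unchanged: password-change check …
```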
@@ -1969,6 +1976,7 @@ ldap_attribute_plugins['auth_expire'] = {
'the password has changed in LDAP or the account has
been locked.'),
'needed_attributes' : ldap_needed_attributes_auth_expire,
'sync_func' : ldap_sync_auth_expire,
+ 'lock_attributes' : ['locked'],
# When a plugin introduces new user attributes, it should declare the output target
for
# this attribute. It can either be written to the multisites users.mk or the
check_mk
# contacts.mk to be forwarded to nagios. Undeclared attributes are stored in the
check_mk