Module: check_mk
Branch: master
Commit: e9da7004446736f7dfa6142c6533f3f6ffc5d7b7
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=e9da7004446736…
Author: Götz Golla <gg(a)mathias-kettner.de>
Date: Tue Jan 21 12:26:25 2014 +0100
FIX recurring updates of serial numbers of disabled ldap users fixed
If a user is disabled in LDAP, it gets locked in multisite and its serial number
is increased, so that the user gets kicked out. Before this change the serial
number was increased in every following sync. Now the serial number is only
increased the first time a disabled user is synced.
---
.werks/569 | 12 ++++++++++++
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 2 +-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/.werks/569 b/.werks/569
new file mode 100644
index 0000000..b8cddda
--- /dev/null
+++ b/.werks/569
@@ -0,0 +1,12 @@
+Title: recurring updates of serial numbers of disabled ldap users fixed
+Level: 2
+Component: multisite
+Class: fix
+State: unknown
+Version: 1.2.5i1
+Date: 1390303011
+
+If a user is disabled in LDAP, it gets locked in multisite and its serial number
+is increased, so that the user gets kicked out. Before this change the serial
+number was increased in every following sync. Now the serial number is only
+increased the first time a disabled user is synced.
diff --git a/ChangeLog b/ChangeLog
index 2a51fe1..8b7d41c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -138,6 +138,7 @@
* 0425 FIX: Fix login loop bug in distributed environments with different auth
secrets
* 0117 FIX: Availability button is now visible for users without the right to edit
views
* 0431 FIX: LDAP: Fixed group syncrhonisation when nested group sync is enabled
+ * 0569 FIX: recurring updates of serial numbers of disabled ldap users fixed...
WATO:
* 0308 Multisite can now set rotation view permissions for NagVis...
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 3ba05d5..416902e 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -738,7 +738,7 @@ def ldap_convert_auth_expire(plugin, params, user_id, ldap_user,
user):
# Special handling for active directory: Is the user enabled / disabled?
if config.ldap_connection['type'] == 'ad' and
ldap_user.get('useraccountcontrol'):
# see
http://www.selfadsi.de/ads-attributes/user-userAccountControl.htm for
details
- if saveint(ldap_user['useraccountcontrol'][0]) & 2:
+ if saveint(ldap_user['useraccountcontrol'][0]) & 2 and not
user.get("locked", False):
return {
'locked': True,
'serial': user.get('serial', 0) + 1,
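Review bot: The added `and not user.get("locked", False)` test on the `useraccountcontrol` condition treats any existing local lock as proof that the AD-disabled case was already handled, but nothing in the hunk shows that `locked` is only ever set by this branch. If an account can also be locked through another path (not visible here), a later disable in AD no longer bumps `serial` from this function, so it is worth confirming that every other locking path invalidates existing sessions itself. A disabled and already locked user now also falls through to the rest of `ldap_convert_auth_expire`, which continues outside the hunk, instead of returning at this point. A comment above the condition would record the intent, e.g. `# bump serial only on the first sync after the AD account is disabled; 'locked' may also be set elsewhere`.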