
unable to set user field is_active to false with property mappings

Open OCram85 opened this issue 1 year ago • 7 comments

Describe the bug

I tried to disable users which are marked as lockedOut in the LDAP source. Therefore I use the lockoutTime property and try to set the is_active user field with a property mapping:

  • Name: disable user when LDAP lockedOut
  • Object field: is_active
  • Expression:

# Debug object field: attributes.lockedOut to verify logic
#
lockoutTime = ldap.get('lockoutTime')

# a set lockoutTime means the account is locked, so is_active has to be False;
# the attribute may be missing entirely, so guard against None before calling timestamp()
if lockoutTime is not None and lockoutTime.timestamp() > 1:
  return False
else:
  return True

But all users are still marked as active.

To Reproduce

Steps to reproduce the behavior:

  • add the Property Mapping as described above
  • use the mapping in the federation config / LDAP source
  • manually run the LDAP sync

Expected behavior

  • Users should be disabled when the LDAP field lockoutTime is set.

Version and Deployment (please complete the following information):

  • authentik version: 2024.6.0
  • Deployment: docker-compose

OCram85 avatar Jul 10 '24 13:07 OCram85

Based on your comment on the other issue, when syncing against Active Directory, authentik uses the userAccountControl field to check if a user should be disabled (with the accountdisable flag), is this a different kind of account disable flag?

BeryJu avatar Jul 10 '24 13:07 BeryJu

I tried to resolve the mentioned issues (locked user) with this workaround. The described use cases are the same, but Active Directory uses different LDAP property names like lockedOut and lockoutTime to indicate a user is locked after failed auth attempts.

OCram85 avatar Jul 10 '24 14:07 OCram85

Do you mean the userAccountControl -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties ?

Then I think there is an issue because the UF_LOCKOUT (16) flag doesn't work as intended:

  • ref: http://www.selfadsi.de/ads-attributes/user-userAccountControl.htm


OCram85 avatar Jul 11 '24 04:07 OCram85

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Still unsure if it's possible to set the is_active user property field with a custom property mapping like this:

  • LDAP Property Name: disable user if lockedOut is set
  • Object field: is_active
  • Expression:

lockoutTime = ldap.get('lockoutTime')

# a set lockoutTime means the account is locked, so is_active has to be False;
# guard against the attribute being absent
if lockoutTime is not None and lockoutTime.timestamp() > 1:
  return False
else:
  return True

OCram85 avatar Sep 10 '24 07:09 OCram85

I'm on version 2024.8.2 and the following is working for me:

is_active = False
# list_flatten unwraps the single-element list LDAP returns for the attribute
suspended = list_flatten(ldap.get("suspended"))
# during a sync the value arrives as the string "false" / "true" ...
if isinstance(suspended, str):
  if suspended == "false":
    is_active = True
# ... while the property mapping test UI hands in a real boolean
elif isinstance(suspended, bool):
  is_active = not suspended
return {
  "is_active": is_active
}

I've had a hard time getting it working, as the test interface was showing the correct result, but during a sync it was wrong. That's why I've added the test for a String or Boolean in there.

This will result in boolean data during testing the property mapping:

ldap:
  suspended: false

and this will be a string (as it's returned by LDAP):

ldap:
  suspended: "false"

As I don't want to be confused, I've added both ways. :)

Maybe this will help someone. It's possible to set is_active. At least in the newest release.

saz avatar Sep 19 '24 13:09 saz

When syncing from Active Directory, is_active is always set from userAccountControl, with a higher priority than property mappings. As mentioned above, this check currently does not check for UF_LOCKOUT: https://github.com/goauthentik/authentik/blob/main/authentik/sources/ldap/sync/vendor/ms_ad.py#L81

BeryJu avatar Sep 26 '24 16:09 BeryJu
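An added example, not authentik's code and not from any participant in this thread, of how a mapping could derive is_active from the attributes discussed above: it decodes the userAccountControl bits for disable and lockout and tolerates the string / bool / list value shapes saz describes. The `ldap` dict and the helper names are assumptions for the example.

```python
# Added example (not authentik's code): compute the is_active value a property
# mapping could assign, decoding the userAccountControl bit flags Active
# Directory uses and normalizing the value shapes an LDAP entry can carry.

# Flag values from Microsoft's userAccountControl documentation.
UF_ACCOUNTDISABLE = 0x0002
UF_LOCKOUT = 0x0010


def first_value(value):
    """Unwrap single-element lists, since LDAP attributes usually arrive as lists."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value


def to_bool(value):
    """Normalize "false"/"true" strings, bools and ints to a bool.

    The mapping test UI showed a bool while a sync delivered a string,
    so both shapes are accepted; unrecognised strings count as False.
    """
    value = first_value(value)
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        return value.strip().lower() in ("true", "1", "yes")
    return False


def to_int(value):
    """Parse an integer attribute; missing or malformed values become 0."""
    value = first_value(value)
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def is_active(ldap, treat_lockout_as_inactive=True):
    """Return the value a mapping would assign to is_active for this entry."""
    uac = to_int(ldap.get("userAccountControl"))
    if uac & UF_ACCOUNTDISABLE:
        return False
    if treat_lockout_as_inactive and uac & UF_LOCKOUT:
        return False
    # Non-AD directories: honour a generic "suspended" attribute if present.
    if to_bool(ldap.get("suspended")):
        return False
    return True
```

For an Active Directory source this only matters where the sync does not already overwrite is_active from userAccountControl, as BeryJu notes above; in AD the lockout bit is surfaced in the computed attribute msDS-User-Account-Control-Computed rather than in userAccountControl itself, so the lockout branch needs that attribute as its input.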