Open OCram85 opened 2 weeks ago
Based on your comment on the other issue, when syncing against active directory, authentik uses the userAccountControl field to check if a user should be disabled (with the accountdisable flag), is this a different kind of account disable flag?

I tried to resolve the mentioned issues (locked user) with this workaround.

The described use cases are the same but Active Directory uses different LDAP property names like lockedOut and lockoutTime to indicate a user is locked after failed auth attempts.

Do you mean the userAccountControl -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties ?

Then I think there is an issue because the UF_LOCKOUT ( 16 ) flag doesn't work as intended:

Describe the bug

I tried to disable users which are marked as lockedOut in the LDAP source. Therefore I use the lockoutTime property to try to set the is_active user field with a property mapping:

Name: disable user when LDAP lockedOut

Object field: is_active

Expression:

But all users are still marked as active.

To Reproduce

Steps to reproduce the behavior:

Expected behavior

lockoutTime is set.

Version and Deployment (please complete the following information):
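
An added example, not part of the issue and not authentik's own code: one way to derive an is_active value from the two Active Directory attributes discussed above, treating lockoutTime as a Windows FILETIME that stays non-zero after the lockout window has passed. The function names, the dict-of-attributes input and the 30-minute `lockout_duration` default are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002  # userAccountControl: account disabled
UF_LOCKOUT = 0x0010         # the "16" flag from the post; not consulted here
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def first_int(attrs, name, default=0):
    """LDAP libraries often return each attribute as a list of strings."""
    value = attrs.get(name, default)
    if isinstance(value, (list, tuple)):
        value = value[0] if value else default
    if isinstance(value, bytes):
        value = value.decode()
    return int(value)


def filetime_to_datetime(filetime):
    """Convert 100 ns ticks since 1601-01-01 UTC to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def is_locked_out(attrs, now, lockout_duration):
    """True when lockoutTime is set and the lockout window has not expired.

    lockout_duration stands in for the domain policy value (assumed input);
    None means "locked until an administrator unlocks the account".
    """
    lockout_time = first_int(attrs, "lockoutTime")
    if lockout_time == 0:  # "0" or absent: the account is not locked
        return False
    if lockout_duration is None:
        return True
    return now < filetime_to_datetime(lockout_time) + lockout_duration


def is_active(attrs, now, lockout_duration=timedelta(minutes=30)):
    """Value for a user's is_active field derived from AD attributes."""
    uac = first_int(attrs, "userAccountControl")
    if uac & UF_ACCOUNTDISABLE:
        return False
    return not is_locked_out(attrs, now, lockout_duration)
```

A mapping that only tests whether lockoutTime is non-zero would keep users disabled after the lockout has expired, because the attribute is cleared only on the next successful logon or an administrator unlock.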