unable to set user field is_active to false with property mappings

[OCram85]

Describe the bug I tried to disable users which are marked as lockedOut in the LDAP source. Therefore I use the lockoutTime property try to set the is_active user field with a property mapping:

Name: disable user when LDAP lockedOut Object field: is_active Expression:

# Debug object field: attributes.lockedOut to verify logic
# 
lockoutTime = ldap.get('lockoutTime')

if lockoutTime.timestamp() > 1:
  return True
else:
  return False

But all users are still marked as active.

To Reproduce Steps to reproduce the behavior:

• add the Property Mapping like described above
• use the mapping in the federation config / ldap source
• manually run ldap sync

Expected behavior

• Users should be disabled when ldap field lockoutTime is set.

Version and Deployment (please complete the following information):

• authentik version: 2024.6.0
• Deployment: docker-compose

[BeryJu]

Based on your comment on the other issue, when syncing against active directory, authentik uses the userAccountControl field to check if a user should be disabled (with the accountdisable flag), is this a different kind of account disable flag?

[OCram85]

I tried to resolve the mentioned issues (locked user) with this workaround. The described use cases are the same but Active Directory uses different ldap property names like lockedOut and lockoutTime to indicate a user is locked after failed auth attempts.

[OCram85]

Do you mean the userAccountControl -> https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties ?

Then I think there is an issue because the UF_LOCKOUT ( 16 ) flag doesn't work as intended:

• ref: http://www.selfadsi.de/ads-attributes/user-userAccountControl.htm