From 88bc5e310740b659e75889b02bbfd2eaf2ebf5d1 Mon Sep 17 00:00:00 2001
From: Addison Beck
Date: Fri, 9 Aug 2024 13:34:46 -0400
Subject: [PATCH] Filter out deleted AD users unless otherwise instructed

---
 src/services/ldap-directory.service.ts | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/services/ldap-directory.service.ts b/src/services/ldap-directory.service.ts
index baf6c20e5..1e6f31f73 100644
--- a/src/services/ldap-directory.service.ts
+++ b/src/services/ldap-directory.service.ts
@@ -49,7 +49,7 @@ export class LdapDirectoryService implements IDirectoryService {
 let users: UserEntry[];
 if (this.syncConfig.users) {
- users = await this.getUsers(force);
+ users = await this.getUsers(force, test);
 }
 let groups: GroupEntry[];
@@ -66,7 +66,7 @@ export class LdapDirectoryService implements IDirectoryService {
 return [groups, users];
 }
- private async getUsers(force: boolean): Promise {
+ private async getUsers(force: boolean, test: boolean): Promise {
 const lastSync = await this.stateService.getLastUserSync();
 let filter = this.buildBaseFilter(this.syncConfig.userObjectClass, this.syncConfig.userFilter);
 filter = this.buildRevisionFilter(filter, force, lastSync);
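Review bot: The new `test` parameter on `private async getUsers(force: boolean, test: boolean)` is undocumented, and its only visible effect is its part in the `(!force && !test)` guard added in the hunk at line 77, which a reader of the signature alone will miss. A TSDoc block above the method would carry that contract, e.g. `/** @param force - bypass the last-sync revision filter (see buildRevisionFilter) */` and `/** @param test - dry-run sync; for AD this also looks up recycled users so pending deletions are visible */`; the `force` half is inferred from `this.buildRevisionFilter(filter, force, lastSync)` and should be confirmed against that helper. Two adjacent positional booleans also make a swapped call such as `getUsers(test, force)` type-check silently; an options object `{ force, test }` is the usual remedy, though that is a wider change than this commit. The body of getUsers continues past the end of the hunk.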
@@ -77,7 +77,20 @@ export class LdapDirectoryService implements IDirectoryService {
 const regularUsers = await this.search(path, filter, (se: any) =>
 this.buildUser(se, false),
 );
- if (!this.dirConfig.ad) {
+
+ // Active Directory has a special way of managing deleted users that
+ // standard LDAP does not. Users can be "tombstoned", where they cease to
+ // exist, or they can be "recycled" where they exist in a quarantined
+ // state for a period of time before being tombstoned.
+ //
+ // Essentially, recycled users are soft deleted but tombstoned users are
+ // hard deleted. In standard LDAP deleted users are only ever hard
+ // deleted.
+ //
+ // We check for recycled Active Directory users below, but only if the
+ // sync is a test sync or the "Overwrite existing users" flag is checked.
+ const ignoreDeletedUsers = !this.dirConfig.ad || (!force && !test);
+ if (ignoreDeletedUsers) {
 return regularUsers;
 }
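Review bot: With the new guard `if (ignoreDeletedUsers)` a regular sync against AD (neither `force` nor `test` set) returns `regularUsers` before the recycled-user lookup the comment refers to, so a user who is soft-deleted in AD is, as far as these lines show, no longer reported as removed until a test or forced sync runs; that de-provisioning delay is the operational consequence of the change and deserves one explicit sentence in the comment block, e.g. `// Consequently a regular sync does not report recycled AD users as deletions; their removal is picked up only by a test or forced sync.` The name `ignoreDeletedUsers` also reads as if deleted users are being dropped from the result, whereas the flag skips the lookup entirely; `skipDeletedUserLookup` would name what it gates. The rest of getUsers, including the deleted-user search itself, lies outside the hunk.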