Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Filter out deleted AD users unless otherwise instructed #548

Merged
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
19 changes: 16 additions & 3 deletions src/services/ldap-directory.service.ts
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ export class LdapDirectoryService implements IDirectoryService {

let users: UserEntry[];
if (this.syncConfig.users) {
users = await this.getUsers(force);
users = await this.getUsers(force, test);
}

let groups: GroupEntry[];
Expand All @@ -66,7 +66,7 @@ export class LdapDirectoryService implements IDirectoryService {
return [groups, users];
}

private async getUsers(force: boolean): Promise<UserEntry[]> {
private async getUsers(force: boolean, test: boolean): Promise<UserEntry[]> {
const lastSync = await this.stateService.getLastUserSync();
let filter = this.buildBaseFilter(this.syncConfig.userObjectClass, this.syncConfig.userFilter);
filter = this.buildRevisionFilter(filter, force, lastSync);
Expand All @@ -77,7 +77,20 @@ export class LdapDirectoryService implements IDirectoryService {
const regularUsers = await this.search<UserEntry>(path, filter, (se: any) =>
this.buildUser(se, false),
);
if (!this.dirConfig.ad) {

// Active Directory has a special way of managing deleted users that
// standard LDAP does not. Users can be "tombstoned", where they cease to
// exist, or they can be "recycled" where they exist in a quarantined
// state for a period of time before being tombstoned.
//
// Essentially, recycled users are soft deleted but tombstoned users are
// hard deleted. In standard LDAP deleted users are only ever hard
// deleted.
//
// We check for recycled Active Directory users below, but only if the
// sync is a test sync or the "Overwrite existing users" flag is checked.
const ignoreDeletedUsers = !this.dirConfig.ad || (!force && !test);
if (ignoreDeletedUsers) {
return regularUsers;
}

Expand Down
Loading