providers/ldap: set password_change_date in check_pwd_last_set to avoid loop ending user sessions #11913

Status: Open. Wants to merge 6 commits into base: main. Showing changes from 2 commits.
3 changes: 2 additions & 1 deletion authentik/sources/ldap/sync/vendor/freeipa.py
Expand Up @@ -29,7 +29,7 @@
return
pwd_last_set: datetime = attributes.get("krbLastPwdChange", datetime.now())
pwd_last_set = pwd_last_set.replace(tzinfo=UTC)
if created or pwd_last_set >= user.password_change_date:
if created or pwd_last_set > user.password_change_date:

Codecov / codecov/patch warning on authentik/sources/ldap/sync/vendor/freeipa.py#L32: added line #L32 was not covered by tests.
self.message(f"'{user.username}': Reset user's password")
self._logger.debug(
"Reset user's password",
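Review bot: the strict `>` on the changed line only stops the reset loop if `user.password_change_date` is also brought up to `pwd_last_set` in the reset branch; on its own, a stored date that is older than the directory value still matches on every sync. Two further things on this hunk: the fallback `attributes.get("krbLastPwdChange", datetime.now())` is a naive local-time value that `.replace(tzinfo=UTC)` relabels as UTC, so whenever it is reached it compares greater than any stored date and resets the password (ending the user's sessions) on every sync; `datetime.now(tz=UTC)`, or returning early when the attribute is absent, avoids that. Codecov also flags line 32 as uncovered; a sync test with a fixed `krbLastPwdChange` equal to, older than, and newer than `password_change_date` would pin down the new boundary behaviour.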
Expand All @@ -38,6 +38,7 @@
pwd_last_set=pwd_last_set,
)
user.set_unusable_password()
user.password_change_date = pwd_last_set

Check warning on line 41 in authentik/sources/ldap/sync/vendor/freeipa.py

View check run for this annotation

Codecov / codecov/patch

authentik/sources/ldap/sync/vendor/freeipa.py#L41

Added line #L41 was not covered by tests
tograss marked this conversation as resolved.
Show resolved Hide resolved
user.save()

def check_nsaccountlock(self, attributes: dict[str, Any], user: User):
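Review bot: the assignment `user.password_change_date = pwd_last_set` is what actually breaks the loop, so it deserves a short comment saying so: after this `save()`, the next sync evaluates `pwd_last_set > user.password_change_date` as false until the directory reports a newer change. Make sure nothing between this line and `user.save()` (a `save()` override or a pre-save signal that stamps `password_change_date` with the current time) overwrites the value, since that would silently reintroduce the loop; Codecov reports line 41 as uncovered, so a test asserting `password_change_date == krbLastPwdChange` after the sync, and that a second sync with the same value does not reset the password again, would catch such a regression.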
3 changes: 2 additions & 1 deletion authentik/sources/ldap/sync/vendor/ms_ad.py
Expand Up @@ -59,7 +59,7 @@ def ms_check_pwd_last_set(self, attributes: dict[str, Any], user: User, created:
return
pwd_last_set: datetime = attributes.get("pwdLastSet", datetime.now())
pwd_last_set = pwd_last_set.replace(tzinfo=UTC)
if created or pwd_last_set >= user.password_change_date:
if created or pwd_last_set > user.password_change_date:
self.message(f"'{user.username}': Reset user's password")
self._logger.debug(
"Reset user's password",
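Review bot: same boundary change as in freeipa.py, with the same caveat: `>` alone does not stop the loop unless `password_change_date` is stored from `pwdLastSet` in the reset branch. The `datetime.now()` fallback is naive local time relabelled as UTC by `.replace(tzinfo=UTC)` and will always exceed the stored date, so use `datetime.now(tz=UTC)` or return early when `pwdLastSet` is absent. Since this block is now identical to the FreeIPA version apart from the attribute name, consider moving the compare-and-reset into a shared helper on the base sync class, parameterised by the attribute name, so the two vendors cannot drift apart again.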
Expand All @@ -68,6 +68,7 @@ def ms_check_pwd_last_set(self, attributes: dict[str, Any], user: User, created:
pwd_last_set=pwd_last_set,
)
user.set_unusable_password()
user.password_change_date = pwd_last_set
user.save()

def ms_check_uac(self, attributes: dict[str, Any], user: User):
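Review bot: as in freeipa.py, `user.password_change_date = pwd_last_set` must survive `user.save()`; if a `save()` override or a pre-save signal stamps `password_change_date` with the current time, the stored value is again older than `pwdLastSet` on the next sync and the session-ending reset loop returns. Add a test that syncs the same `pwdLastSet` twice and asserts that the password is reset exactly once and that `password_change_date` equals the directory value afterwards.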