# HG changeset patch
# User bsw
# Date 1612901236 -3600
# Node ID 45287f1037fbee8ad425adb3ec47aeef9b7b0be1
# Parent 15bde6a79d41f5862ce8742e619e3fd1c000a949
Support precondtions if LDAP accounts may login

diff -r 15bde6a79d41 -r 45287f1037fb env/ldap/update_all_members.lua
--- a/env/ldap/update_all_members.lua	Tue Feb 09 17:40:50 2021 +0100
+++ b/env/ldap/update_all_members.lua	Tue Feb 09 21:07:16 2021 +0100
@@ -35,6 +35,8 @@
     return
   end
 
+  ldap.update_member_allowed(member, ldap_entry)
+
   local err = member:try_save()
   if err then
     failure("member_try_save", err)
diff -r 15bde6a79d41 -r 45287f1037fb env/ldap/update_member_allowed.lua
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/env/ldap/update_member_allowed.lua	Tue Feb 09 21:07:16 2021 +0100
@@ -0,0 +1,10 @@
+function ldap.update_member_allowed(member, ldap_entry)
+  local allowed = config.ldap.member.allowed_map(ldap_entry)
+  if allowed then
+    member.locked = false
+  else
+    member.locked = true
+    member.active = false
+  end
+end
+
diff -r 15bde6a79d41 -r 45287f1037fb model/member.lua
--- a/model/member.lua	Tue Feb 09 17:40:50 2021 +0100
+++ b/model/member.lua	Tue Feb 09 21:07:16 2021 +0100
@@ -413,7 +413,6 @@
   local function prepare_login_selector()
     local selector = self:new_selector()
     selector:add_field({ "now() > COALESCE(last_delegation_check, activated) + ?::interval", config.check_delegations_interval_hard }, "needs_delegation_check_hard")
-    selector:add_where('NOT "locked"')
     selector:optional_object_mode()
     return selector
   end
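Review bot: The batch path now locks and deactivates a member whenever `allowed_map` returns a falsy value, but nothing in this hunk records that a state change happened, so a misconfigured or temporarily empty `allowed_map` would silently lock every member in a single run. Capture the previous state before the call and report transitions, e.g. `local was_locked = member.locked` before `ldap.update_member_allowed(member, ldap_entry)` and afterwards `if member.locked ~= was_locked then log("member lock changed: " .. tostring(member.id)) end` using whatever logging helper this script has (`failure()` may abort processing of the member, so it may not be the right call). The enclosing function starts outside the hunk; I assume `ldap_entry` is the entry fetched earlier in it.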
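Review bot: `member.locked = false` in the allowed branch clears the lock unconditionally, so a member locked by an administrator for unrelated reasons is unlocked again at the next sync or login as long as LDAP still reports the account as allowed; if the `locked` flag is shared with manual locks, this function should only ever set it, or the LDAP-caused lock needs its own marker. The denied branch also sets `member.active = false` while the allowed branch leaves `active` untouched, which may be intended (reactivation presumably has its own path) but deserves a comment. A header such as `--- Apply the LDAP access precondition to a member: allowed entries are unlocked, all others are locked and deactivated; active is never set back to true here.` followed by `-- @param member the Member record to update (not saved by this function)` and `-- @param ldap_entry the LDAP entry handed to config.ldap.member.allowed_map` would document the contract. Note that a missing `config.ldap.member.allowed_map` fails with "attempt to call a nil value" rather than a readable configuration error.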
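Review bot: Dropping `selector:add_where('NOT "locked"')` moves the lock check from the query into the callers, and within this commit only the LDAP branches re-check `member.locked` (the later hunks, and there only inside `if not err`); any other consumer of `prepare_login_selector` — a password login, or the LDAP path when `update_member_attr` fails — now receives locked members and must refuse them itself, which is not visible here. If the intent is only to let LDAP re-evaluate the lock, keep the query filter for the non-LDAP case, e.g. `if not config.ldap then selector:add_where('NOT "locked"') end`, or add an explicit `if member.locked then return nil, "member_locked" end` directly after the selector lookup in every caller. The enclosing method starts and ends outside the hunk.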
@@ -476,12 +475,16 @@
     end
 
     -- update the member attributes and privileges from LDAP
-    local ldap_conn, ldap_err, err, err2 = ldap.update_member_attr(member, nil, uid)
+    local ldap_conn, ldap_entry, err, err2 = ldap.update_member_attr(member, nil, uid)
     if not err then
+      ldap.update_member_allowed(member, ldap_entry)
       local err = member:try_save()
       if err then
         return nil, "member_save_error", err
       end
+      if member.locked then
+        return nil, "member_locked"
+      end
       local succes, err, err2 = ldap.update_member_privileges(member, ldap_entry)
       if err then
         return nil, "update_member_privileges_error", err, err2
@@ -522,8 +525,12 @@
     if config.ldap.member.cache_passwords then
       member:set_password(password)
     end
-    local ldap_conn, ldap_err, err, err2 = ldap.update_member_attr(member, nil, uid)
+    local ldap_conn, ldap_entry, err, err2 = ldap.update_member_attr(member, nil, uid)
     if not err then
+      ldap.update_member_allowed(member, ldap_entry)
+      if member.locked then
+        return nil, "member_not_allowed"
+      end
       local err = member:try_save()
       if err then
         return nil, "member_save_error", err
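Review bot: The two login paths disagree on the order of the lock check and the save: at @@ -476 the member is saved and then rejected with "member_locked", while at @@ -522 the check precedes `member:try_save()` and rejects with "member_not_allowed", so in the second path the lock and the deactivation never reach the database and a different error code is returned for the same condition. If the second hunk is the first-login path where not creating the record is deliberate, say so in a comment there; otherwise align both on save-then-check and a single error code. In both hunks the check runs only when `err` is nil, and the `err ~= nil` case (LDAP unreachable) continues outside the hunk, so that branch should be confirmed to reject locked members as well now that the selector no longer excludes them. The enclosing function starts and ends outside the hunk.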