diff --git a/crates/defguard_core/src/enterprise/ldap/client.rs b/crates/defguard_core/src/enterprise/ldap/client.rs
index 0181799d5f..5e57cdf625 100644
--- a/crates/defguard_core/src/enterprise/ldap/client.rs
+++ b/crates/defguard_core/src/enterprise/ldap/client.rs
@@ -210,7 +210,7 @@ impl super::LDAPConnection {
 // dn: user map
 let dn_map = all_ldap_users
 .iter()
- .map(|u| (self.config.user_dn_from_user(u), u))
+ .map(|u| (self.config.user_dn_from_user(u).to_lowercase(), u))
 .collect::>();
 for entry in membership_entries.iter_mut() {
@@ -224,7 +224,7 @@ impl super::LDAPConnection {
 let members = members
 .iter()
 .filter_map(|v| {
- if let Some(user) = dn_map.get(v.as_str()) {
+ if let Some(user) = dn_map.get(v.to_lowercase().as_str()) {
 Some(*user)
 } else {
 debug!(
diff --git a/crates/defguard_core/src/enterprise/ldap/mod.rs b/crates/defguard_core/src/enterprise/ldap/mod.rs
index c92ff9ce9d..54c33b977f 100644
--- a/crates/defguard_core/src/enterprise/ldap/mod.rs
+++ b/crates/defguard_core/src/enterprise/ldap/mod.rs
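Review bot: Lowercasing the DN on both sides of the lookup (the `dn_map` key here and `dn_map.get(v.to_lowercase().as_str())` in the -224 hunk) normalizes only case, while LDAP DN matching also treats whitespace around the `,` and `=` separators as insignificant, so a member value written with spaces will still miss the map. The normalization is now duplicated at two sites; a single helper such as `fn normalize_dn(dn: &str) -> String { dn.to_lowercase() }` used by both keeps them from drifting when separator trimming is added. Note also that `collect` into the map silently keeps the last user when two DNs fold to the same lowercase key, which for a membership map would attribute group membership to the wrong account; a `debug!` on the collision would make that visible. Both the `dn_map` construction and the `filter_map` closure continue outside their hunks.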
@@ -344,24 +344,31 @@ impl LDAPConnection {
 pool: &PgPool,
 ) -> Result<(), LdapError> {
 debug!("Updating users state in LDAP");
- let transaction = pool.begin().await?;
 for user in users {
+ let user_sync_allowed = user.ldap_sync_allowed(pool).await?;
 let user_exists_in_ldap = self.user_exists(user).await?;
 let user_groups = user.member_of_names(pool).await?;
- let user_sync_allowed = user.ldap_sync_allowed(pool).await?;
+ let user_in_sync_groups = self.user_in_ldap_sync_groups(user).await?;
 // User is disabled in Defguard
 // If they exist in LDAP, remove them
- if !user.is_active && user_exists_in_ldap {
+ // Don't use "user_sync_allowed" here as it will never execute if the user is disabled
+ // We are interested in the user changing the state from active to disabled
+ if user_in_sync_groups && user.is_enrolled() && !user.is_active && user_exists_in_ldap {
 debug!("User {user} is disabled in Defguard, removing from LDAP");
 self.delete_user(user).await?;
 continue;
 }
+ if !user_sync_allowed { debug!("User {user} is not allowed to be synced, skipping"); continue; }
+
 // No sync groups defined or user already belongs to them,
 // Add the user if they don't exist in LDAP already but are active in Defguard
- if user_sync_allowed && !user_exists_in_ldap {
+ if !user_exists_in_ldap {
 debug!("User {user} is not in LDAP, adding to LDAP");
 self.add_user(user, None, pool).await?;
 for group in user_groups {
@@ -372,17 +379,16 @@ impl LDAPConnection {
 // We may bring user into the synchronization scope, sync his data (email, groups, etc.) based on
 // the authority
- if user_sync_allowed && user_exists_in_ldap {
+ if user_exists_in_ldap {
 debug!(
 "User {user} is in LDAP and is allowed to be synced, synchronizing his data"
 );
 self.sync_user_data(user, pool).await?;
 debug!("User {user} data synchronized");
+ continue;
 }
 }
- transaction.commit().await?;
-
 Ok(())
 }
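Review bot: A disabled user that exists in LDAP but fails the new `user_in_sync_groups && user.is_enrolled()` gate now falls through to the later branches, and unless `ldap_sync_allowed` itself rejects inactive users (not visible here) the later `if user_exists_in_ldap` branch would push a disabled account's data back into LDAP. An explicit guard right after the deletion block, `if !user.is_active { debug!("User {user} is disabled in Defguard, skipping"); continue; }`, makes that invariant independent of what `ldap_sync_allowed` happens to check. The two-line comment above the condition should also state that disabled users who are not enrolled or not in the sync groups are deliberately left in LDAP, since that is the non-obvious consequence of the added gate. The enclosing function's signature starts above this hunk.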
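Review bot: The `continue;` added after `debug!("User {user} data synchronized");` is the last statement of the `for user in users` body, so it changes nothing and Clippy's `needless_continue` will flag it; drop the line, or if it is meant to protect against code being appended below the `if` later, say so in a one-line comment. The `self.sync_user_data(user, pool).await?` call is still gated only by `user_exists_in_ldap` once the `user_sync_allowed` check moved to the earlier skip, which is fine as long as that skip stays before this branch — a short comment here such as `// user_sync_allowed was already checked above` would prevent the two from being reordered independently.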
diff --git a/crates/defguard_core/src/updates.rs b/crates/defguard_core/src/updates.rs
index c0703a1d3d..c930c47b0e 100644
--- a/crates/defguard_core/src/updates.rs
+++ b/crates/defguard_core/src/updates.rs
@@ -31,6 +31,7 @@ async fn fetch_update() -> Result {
 let response = reqwest::Client::new()
 .post(UPDATES_URL)
 .json(&body)
+ .timeout(std::time::Duration::from_secs(10))
 .send()
 .await?;
 Ok(response.json::().await?)
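Review bot: The 10-second timeout is a bare magic number next to the named `UPDATES_URL`; hoist it to `const UPDATES_TIMEOUT: Duration = Duration::from_secs(10);` (with `use std::time::Duration;`) beside `UPDATES_URL` so the update check's time budget is discoverable and tunable in one place. reqwest documents the per-request `timeout` as running from connect until the response body has finished, so the `response.json()` read on the next line should be covered, but that is worth confirming for the reqwest version in use since a slow update server would otherwise still stall the task there. `fetch_update`'s signature starts above this hunk.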