Fix minor LDAP bugs

crates/defguard_core/src/enterprise/ldap/client.rs

@@ -210,7 +210,7 @@ impl super::LDAPConnection {
         // dn: user map
         let dn_map = all_ldap_users
             .iter()
-            .map(|u| (self.config.user_dn_from_user(u), u))
+            .map(|u| (self.config.user_dn_from_user(u).to_lowercase(), u))
             .collect::<HashMap<_, _>>();
 
         for entry in membership_entries.iter_mut() {
@@ -224,7 +224,7 @@ impl super::LDAPConnection {
                     let members = members
                         .iter()
                         .filter_map(|v| {
-                            if let Some(user) = dn_map.get(v.as_str()) {
+                            if let Some(user) = dn_map.get(v.to_lowercase().as_str()) {
                                 Some(*user)
                             } else {
                                 debug!(

crates/defguard_core/src/enterprise/ldap/mod.rs

@@ -344,24 +344,31 @@ impl LDAPConnection {
         pool: &PgPool,
     ) -> Result<(), LdapError> {
         debug!("Updating users state in LDAP");
-        let transaction = pool.begin().await?;
 
         for user in users {
+            let user_sync_allowed = user.ldap_sync_allowed(pool).await?;
             let user_exists_in_ldap = self.user_exists(user).await?;
             let user_groups = user.member_of_names(pool).await?;
-            let user_sync_allowed = user.ldap_sync_allowed(pool).await?;
+            let user_in_sync_groups = self.user_in_ldap_sync_groups(user).await?;
 
             // User is disabled in Defguard
             // If they exist in LDAP, remove them
-            if !user.is_active && user_exists_in_ldap {
+            // Don't use "user_sync_allowed" here as it will never execute if the user is disabled
+            // We are interested in the user changing the state from active to disabled
+            if user_in_sync_groups && user.is_enrolled() && !user.is_active && user_exists_in_ldap {
                 debug!("User {user} is disabled in Defguard, removing from LDAP");
                 self.delete_user(user).await?;
                 continue;
             }
 
+            if !user_sync_allowed {
+                debug!("User {user} is not allowed to be synced, skipping");
+                continue;
+            }
+
             // No sync groups defined or user already belongs to them,
             // Add the user if they don't exist in LDAP already but are active in Defguard
-            if user_sync_allowed && !user_exists_in_ldap {
+            if !user_exists_in_ldap {
                 debug!("User {user} is not in LDAP, adding to LDAP");
                 self.add_user(user, None, pool).await?;
                 for group in user_groups {
@@ -372,17 +379,16 @@ impl LDAPConnection {
 
             // We may bring user into the synchronization scope, sync his data (email, groups, etc.) based on
             // the authority
-            if user_sync_allowed && user_exists_in_ldap {
+            if user_exists_in_ldap {
                 debug!(
                     "User {user} is in LDAP and is allowed to be synced, synchronizing his data"
                 );
                 self.sync_user_data(user, pool).await?;
                 debug!("User {user} data synchronized");
+                continue;
             }
         }
 
-        transaction.commit().await?;
-
         Ok(())
     }
 

crates/defguard_core/src/updates.rs

@@ -31,6 +31,7 @@ async fn fetch_update() -> Result<Update, anyhow::Error> {
     let response = reqwest::Client::new()
         .post(UPDATES_URL)
         .json(&body)
+        .timeout(std::time::Duration::from_secs(10))
         .send()
         .await?;
     Ok(response.json::<Update>().await?)