[v10.0.x] LDAP: Fix user disabling #74107
Merged
Backport f900098 from #74016
Backport 9e52414 from #73834
What is this feature?
In v9.x releases, LDAP users used to be disabled on login if they had been removed from the LDAP directory tree.
But we had a bug: we'd also disable non-LDAP users.
In v10.x releases, with the move to the AuthBroker, we changed the approach and even if it's still impossible to log in with a removed LDAP user, we do not disable the user anymore.

This PR intends to restore the previous behavior in the AuthBroker but also fix the disabling to only target users that logged in via LDAP.

Additionally, for large amounts of LDAP users (>500 users), active sync was only retrieving a single iteration of users (max 500 users) and therefore was disabling every user that wasn't returned, considering them as deleted from the LDAP directory tree.
Why do we need this feature?
[Add a description of the problem the feature is trying to solve.]
Who is this feature for?
[Add information on what kind of user the feature is for.]
Which issue(s) does this PR fix?:
Fixes #
Special notes for your reviewer:
Please check that:
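An added illustration of the two failure modes the description names, not code from this PR or from Grafana: the `User` model, the two-entry page size and the directory contents are constructed stand-ins. The sync follows every page before deciding who is missing, and only LDAP-authenticated accounts are ever disabled.

```go
package main

// User is a simplified account record (constructed for this example, not Grafana's model).
type User struct {
	Login      string
	AuthModule string // "ldap" for LDAP-authenticated users; other values for built-in or OAuth accounts
	Disabled   bool
}

// directoryPages is a constructed directory that answers in pages of two entries,
// standing in for a server-side page size of 500.
var directoryPages = [][]string{{"alice", "bob"}, {"carol", "dave"}, {"erin"}}

// fetchPage returns page n and whether another page follows (a stand-in for LDAP paging cookies).
func fetchPage(n int) (logins []string, more bool, err error) {
	return directoryPages[n], n+1 < len(directoryPages), nil
}

// fetchAll keeps following pages until the last one. Stopping after the first page
// (the bug described above) makes every user beyond the page size look deleted.
func fetchAll(fetch func(int) ([]string, bool, error)) (map[string]bool, error) {
	present := map[string]bool{}
	for n := 0; ; n++ {
		logins, more, err := fetch(n)
		if err != nil {
			return nil, err // a failed page aborts the run; never disable anyone on a partial set
		}
		for _, l := range logins {
			present[l] = true
		}
		if !more {
			return present, nil
		}
	}
}

// syncDisable disables only LDAP users that are absent from the directory and returns
// their logins; accounts authenticated by other modules are never touched.
func syncDisable(users []*User, present map[string]bool) []string {
	var out []string
	for _, u := range users {
		if u.AuthModule == "ldap" && !present[u.Login] {
			u.Disabled = true
			out = append(out, u.Login)
		}
	}
	return out
}
```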