@guerricv guerricv commented Dec 22, 2025

Summary

This pull request enhances the Users > LDAP Synchronization view by adding a clear visual indicator when an LDAP/Active Directory account is disabled and/or expired. The goal is to improve administrator visibility during onboarding and synchronization without changing existing behavior.

Motivation

  • Admins currently cannot quickly tell whether an LDAP/AD account is usable at a glance.
  • In AD, users can appear in LDAP results even if their account is disabled or expired.
  • Providing an indicator helps prevent confusion and reduces support requests during configuration/synchronization.

What’s included

Backend (LDAP query / response)

  • The LDAP query now requests additional AD attributes (when available):
    • userAccountControl (to detect disabled accounts)
    • accountExpires / accountexpires (to detect expired accounts)
    • Fallback support for shadowExpire (non-AD directories that expose expiration via shadow attributes)
  • Each returned LDAP entry includes three new fields:
    • ldapAccountDisabled (0/1/null)
    • ldapAccountExpired (0/1/null)
    • ldapAccountExpiresAt (Unix timestamp or null, used for UI tooltip)
  • Logic details:
    • Disabled is computed from userAccountControl using bit 0x2 (UF_ACCOUNTDISABLE).
    • Expired is computed from accountExpires (Windows FILETIME), with proper handling of “never expires” values (e.g. 0, max-int).
    • If the directory does not expose these attributes, values remain null (no indicator shown).

Frontend (Users > LDAP Synchronization)

  • The “info” column now displays up to three icons on a single line:
    • Existing info icon
    • New icon for AD account disabled
    • New icon for AD account expired (with optional date tooltip when ldapAccountExpiresAt is available)
  • UI alignment fix: the “info” column uses nowrap and a minimal width so icons do not wrap to the next line.

Internationalization

Two new language keys are added:

  • ldap_account_disabled = “AD account disabled”
  • ldap_account_expired = “AD account expired”

How to test

  1. Go to Users > LDAP Synchronization.
  2. Click Refresh to reload the LDAP list.
  3. Verify that:
    • A disabled AD account shows the “disabled” icon.
    • An expired AD account shows the “expired” icon (tooltip may include the expiration date).
    • Icons remain on one line and are properly aligned in the info column.

Backward compatibility / Risk

  • No change to synchronization workflow or permissions.
  • If AD attributes are unavailable (permissions, non-AD LDAP, etc.), indicators remain hidden (null values).
  • Only additional LDAP attributes are requested; existing filters and results remain unchanged.

Screenshots

(Three screenshots of the Users > LDAP Synchronization view; images not included in this extract.)
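The disabled/expired derivation described under "Logic details", as an added Python example (not the PR's or the project's own code). The helper names, the plain-dict entry shape, and the shadowExpire semantics (days since the Unix epoch, negative meaning no expiry) are assumptions; the three output field names are the ones the PR defines.

```python
from datetime import datetime, timezone

# Windows FILETIME: 100-ns ticks since 1601-01-01. AD encodes "never expires"
# as 0 or as the maximum signed 64-bit value, exactly the cases the PR guards.
FILETIME_TICKS_PER_SEC = 10_000_000
FILETIME_EPOCH_DIFF = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01
FILETIME_NEVER = {0, 0x7FFF_FFFF_FFFF_FFFF}
UF_ACCOUNTDISABLE = 0x2  # bit 0x2 of userAccountControl


def filetime_to_unix(filetime):
    """Convert a FILETIME tick count to a Unix timestamp (seconds)."""
    return filetime // FILETIME_TICKS_PER_SEC - FILETIME_EPOCH_DIFF


def account_disabled(entry):
    """ldapAccountDisabled: 1/0 from userAccountControl, None if absent."""
    raw = entry.get("userAccountControl")
    if raw is None:
        return None
    return 1 if int(raw) & UF_ACCOUNTDISABLE else 0


def account_expiry(entry, now=None):
    """Return (ldapAccountExpired, ldapAccountExpiresAt) as (0/1/None, ts/None)."""
    if now is None:
        now = int(datetime.now(timezone.utc).timestamp())
    raw = entry.get("accountExpires", entry.get("accountexpires"))  # AD, either case
    if raw is not None:
        ticks = int(raw)
        if ticks in FILETIME_NEVER:          # "never expires": not expired, no date
            return 0, None
        expires_at = filetime_to_unix(ticks)
        return (1 if expires_at <= now else 0), expires_at
    shadow = entry.get("shadowExpire")       # fallback for non-AD directories
    if shadow is not None:
        days = int(shadow)
        if days < 0:                         # assumption: -1 means no expiry
            return 0, None
        expires_at = days * 86400
        return (1 if expires_at <= now else 0), expires_at
    return None, None                        # attributes not exposed: no indicator


def annotate(entry, now=None):
    """Add the three PR fields to a returned LDAP entry (hypothetical helper)."""
    expired, expires_at = account_expiry(entry, now)
    return {**entry, "ldapAccountDisabled": account_disabled(entry),
            "ldapAccountExpired": expired, "ldapAccountExpiresAt": expires_at}
```

Constructed sample: `userAccountControl` 514 (NORMAL_ACCOUNT | ACCOUNTDISABLE) yields a disabled account, and an `accountExpires` of 132223104000000000 (2020-01-01T00:00:00Z) evaluated against a later `now` yields an expired one with a tooltip timestamp.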
