diff --git a/playedu-common/src/main/java/xyz/playedu/common/bus/LDAPBus.java b/playedu-common/src/main/java/xyz/playedu/common/bus/LDAPBus.java
index 45fa675..c3acb85 100644
--- a/playedu-common/src/main/java/xyz/playedu/common/bus/LDAPBus.java
+++ b/playedu-common/src/main/java/xyz/playedu/common/bus/LDAPBus.java
@@ -180,6 +180,9 @@ public class LDAPBus {
 String defaultAvatar = appConfigService.defaultAvatar();
 for (LdapTransformUser ldapTransformUser : userList) {
+ if (ldapTransformUser.isBan()) {
+ continue;
+ }
 singleUserSync(ldapTransformUser, defaultAvatar);
 }
 }
diff --git a/playedu-common/src/main/java/xyz/playedu/common/util/ldap/LdapTransformUser.java b/playedu-common/src/main/java/xyz/playedu/common/util/ldap/LdapTransformUser.java
index 8e26dd4..c8d1a0e 100644
--- a/playedu-common/src/main/java/xyz/playedu/common/util/ldap/LdapTransformUser.java
+++ b/playedu-common/src/main/java/xyz/playedu/common/util/ldap/LdapTransformUser.java
@@ -32,4 +32,6 @@ public class LdapTransformUser {
 private String email;
 private String uid;
+
+ private boolean ban;
 }
diff --git a/playedu-common/src/main/java/xyz/playedu/common/util/ldap/LdapUtil.java b/playedu-common/src/main/java/xyz/playedu/common/util/ldap/LdapUtil.java
index 3b602b0..947029f 100644
--- a/playedu-common/src/main/java/xyz/playedu/common/util/ldap/LdapUtil.java
+++ b/playedu-common/src/main/java/xyz/playedu/common/util/ldap/LdapUtil.java
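Review bot: Skipping banned entries with `continue` in the sync loop leaves already-synced users untouched, so an account that was imported while enabled and later disabled in the directory keeps an active local user; nothing in this hunk deactivates existing users, and as far as the commit shows nothing else does either. If singleUserSync only creates or updates records (its body is outside the hunk), consider passing the entry through and applying the ban state to the local record there, or adding a pass that disables local users whose directory entry is now banned, instead of `continue;`. `isBan()` is presumably a Lombok accessor for the `ban` field added in the LdapTransformUser hunk; the enclosing method starts outside the hunk.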
@@ -41,25 +41,34 @@ public class LdapUtil { "(|(objectClass=person)(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=organizationalPerson)(objectClass=user))"; private static final String[] USER_RETURN_ATTRS = - new String[]{ - // OpenLDAP 的属性 - "uid", // 用户的唯一识别符号,全局唯一,可以看做用户表的手机号,此字段可用于配合密码直接登录 - "cn", // CommonName -> 可以认作为人的名字,比如:张三。在LDAP中此字段是可以重复的,但是同一ou下不可重复 - "email", // 邮箱,同上 - "entryUUID", + new String[] { + // OpenLDAP 的属性 + "uid", // 用户的唯一识别符号,全局唯一,可以看做用户表的手机号,此字段可用于配合密码直接登录 + "cn", // CommonName -> 可以认作为人的名字,比如:张三。在LDAP中此字段是可以重复的,但是同一ou下不可重复 + "email", // 邮箱,同上 + "entryUUID", - // Window AD 域的属性 - "name", - "userPrincipalName", - "distinguishedName", - "sAMAccountName", - "displayName", - "uSNCreated", // AD域的唯一属性 + // Window AD 域的属性 + "name", + "userPrincipalName", + "distinguishedName", + "sAMAccountName", + "displayName", + "uSNCreated", // AD域的唯一属性 + "userAccountControl", - // 公用属性 - "mail", + // 公用属性 + "mail", }; - private static final String[] OU_RETURN_ATTRS = new String[]{"ou", "usncreated"}; + private static final String[] OU_RETURN_ATTRS = new String[] {"ou", "usncreated"}; + + // 514 - 禁用账户 + // 546 - 禁用账户 不需密码 + // 66050 - 禁用账户 密码未过期 + // 66080 - 禁用账户 密码未过期且不需密码 + // 66082 - 禁用账户 密码未过期且不需密码 + private static final String[] DISABLE_USER_ACCOUNT_CONTROL = + new String[] {"514", "546", "66050", "66080", "66082"}; public static LdapContext initContext(String url, String adminUser, String adminPass) throws NamingException { @@ -75,7 +84,8 @@ public class LdapUtil { } public static List users( - String url, String adminUser, String adminPass, String baseDN) throws NamingException, IOException { + String url, String adminUser, String adminPass, String baseDN) + throws NamingException, IOException { LdapContext ldapContext = initContext(url, adminUser, adminPass); int pageSize = 1000; 
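Review bot: The DISABLE_USER_ACCOUNT_CONTROL table mislabels 66080: that value is 0x10000 | 0x200 | 0x20 (DONT_EXPIRE_PASSWD, NORMAL_ACCOUNT, PASSWD_NOTREQD) and does not carry the ACCOUNTDISABLE bit 0x2, so an enabled account with that value would be dropped from the sync; the comment `// 66080 - 禁用账户 密码未过期且不需密码` is wrong, and 66082 is the disabled variant. More generally userAccountControl is a bit field, so an exact-string allowlist misses every other combination that includes 0x2 (for example with LOCKOUT or SMARTCARD_REQUIRED also set) and silently treats any value not in the list as enabled. In the `@@ -283` hunk the loop can be replaced by a flag test, `ldapUser.setBan((Integer.parseInt(userAccountControl.trim()) & 0x2) != 0);`, catching and logging NumberFormatException for a malformed value rather than aborting the page of results, which makes the constant table unnecessary.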
@@ -91,21 +101,24 @@ public class LdapUtil { while (true) { try { if (cookie != null) { - ldapContext.setRequestControls(new Control[]{ - new PagedResultsControl(pageSize, cookie, false), - }); + ldapContext.setRequestControls( + new Control[] { + new PagedResultsControl(pageSize, cookie, false), + }); } else { - ldapContext.setRequestControls(new Control[]{ - new PagedResultsControl(pageSize, false) - }); + ldapContext.setRequestControls( + new Control[] {new PagedResultsControl(pageSize, false)}); } - NamingEnumeration result = ldapContext.search(baseDN, USER_OBJECT_CLASS, controls); + NamingEnumeration result = + ldapContext.search(baseDN, USER_OBJECT_CLASS, controls); while (result.hasMoreElements()) { SearchResult item = result.nextElement(); if (item != null) { LdapTransformUser ldapTransformUser = parseTransformUser(item, baseDN); - users.add(ldapTransformUser); + if (ldapTransformUser != null) { + users.add(ldapTransformUser); + } } } @@ -283,6 +296,16 @@ public class LdapUtil { LdapTransformUser ldapUser = new LdapTransformUser(); ldapUser.setDn(item.getName()); + if (attributes.get("userAccountControl") != null) { + String userAccountControl = (String) attributes.get("userAccountControl").get(); + for (String s : DISABLE_USER_ACCOUNT_CONTROL) { + if (s.equals(userAccountControl)) { + ldapUser.setBan(true); + break; + } + } + } + // name解析 String displayName = getAttribute(attributes, "displayName"); if (StringUtil.isEmpty(displayName)) { @@ -311,8 +334,8 @@ public class LdapUtil { String baseDNOuScope = baseDNOuScope(baseDN); String[] rdnList = (baseDNOuScope.isEmpty() - ? ldapUser.getDn().toLowerCase() - : ldapUser.getDn().toLowerCase() + "," + baseDNOuScope) + ? ldapUser.getDn().toLowerCase() + : ldapUser.getDn().toLowerCase() + "," + baseDNOuScope) .split(","); List ou = new ArrayList<>(); for (String s : rdnList) {
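Review bot: The ban flag in the `@@ -283` hunk is derived only from the AD attribute userAccountControl; for OpenLDAP entries, which the attribute list in this file explicitly supports, `attributes.get("userAccountControl")` is null and `ban` stays false, so a locked OpenLDAP account (for example one with the ppolicy overlay's pwdAccountLockedTime set) is still synced as active. The new block and the field should say so, e.g. `// Only Windows AD exposes userAccountControl; OpenLDAP entries are never marked banned here` above the if, and a Javadoc line on `LdapTransformUser.ban` stating it reflects the AD ACCOUNTDISABLE flag only. The cast `(String) attributes.get("userAccountControl").get()` also bypasses the `getAttribute(attributes, ...)` helper used for displayName on the following lines; using the helper would keep attribute access consistent, assuming it returns the first value as a string. parseTransformUser starts and ends outside the hunk.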