Summary
Since upgrading to 5.1.0, a specific user is incorrectly deactivated on every LDAP sync.
Steps to reproduce
Server 5.1.0, E10. Configure AD sync (with the suggested filter to exclude disabled accounts). Sync with AD. Other required conditions unknown
Expected behavior
If the user is not disabled in AD, they should not be deactivated in mattermost
Observed behavior
User is deactivated on every AD sync. Logs show:
2018-08-07T17:29:23.027+1000 info ldap/ldap_sync_job.go:225 Mattermost user was deactivated by LDAP server {"workername": "EnterpriseLdapSync", "user_id": "9xuurhe6xb839fyr4ibemhojqo",
They are then re-activated at later random times not aligned with AD sync (perhaps when they attempt to log in?):
2018-08-07T20:31:14.984+1000 info ldap/ldap.go:234 Mattermost user was updated by AD/LDAP server. {"user_id": "9xuurhe6xb839fyr4ibemhojqo",
This cycle keeps repeating.
An observation I suspect is relevant: with debug logs enabled, I saw (anonymised(:
2018-08-07T21:54:14.272+1000 debug ldap/ldap_sync_job.go:125 Ldap sync foreign user {"workername": "EnterpriseLdapSync", "ldap_user": {"id":"","delete_at":0,"username":"auser","auth_data":"Auser","auth_service":"ldap","email":"a.user@some.where","email_verified":true,"nickname":"","first_name":"A","last_name":"User","position":"","roles":"","locale":"","timezone":null}}
I note that the auth_data value has a capital initial letter. This is not true for any other user. The AuthData column in the mattermost DB has no initial capital, so they may not match up. Mattermost is configured to use sAMAccountName for the username, login name, and id fields.