Check LDAP user status on sign-in with other authentication methods
Summary
If LDAP is used as the authentication method, an ldap_blocked user will be unblocked on sign-in if the user is valid in LDAP. However, when a non-LDAP authentication method is configured alongside LDAP (such as Azure AD) and the user becomes ldap_blocked, we do not recheck the LDAP user status on sign-in.
Scenario
A user becomes ldap_blocked either through LdapSyncWorker (once daily) or through the default 1-hour sync_time. This can happen either due to transient communication issues with LDAP, or because the user actually was disabled/removed from LDAP for a period of time.
When signing in via another method, if the user is ldap_blocked, we should proactively check with LDAP to see whether the user is now active. If so, unblock the user and allow sign-in.
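The re-check described above, as an added illustration (not GitLab's code): a sign-in hook that only touches ldap_blocked users, asks LDAP for the current account status, unblocks on a positive answer, and fails closed when LDAP is unreachable so that a flaky server never unblocks anyone by accident. The `User` struct, the `:active`/`:disabled`/`:missing` statuses and the `ldap_lookup` callable are assumptions of this example.

```ruby
require 'logger'

# Constructed stand-in for an account record; real state handling lives elsewhere.
User = Struct.new(:username, :state)

# Raised by the lookup when LDAP cannot be reached (timeout, connection refused, ...).
class LdapUnavailable < StandardError; end

class LdapRecheckOnSignIn
  # ldap_lookup: callable taking a username and returning :active, :disabled
  # or :missing, or raising LdapUnavailable on transient communication errors.
  def initialize(ldap_lookup, logger: Logger.new(IO::NULL))
    @ldap_lookup = ldap_lookup
    @logger = logger
  end

  # Called when a user signs in through a non-LDAP provider (e.g. Azure AD).
  # Returns :allow or :deny; sets user.state to :active when LDAP confirms the account.
  def call(user, provider:)
    return :allow if user.state == :active
    # Only ldap_blocked is re-examined; admin blocks and other states stay as they are.
    return :deny unless user.state == :ldap_blocked

    status = begin
      @ldap_lookup.call(user.username)
    rescue LdapUnavailable => e
      # Fail closed: an unreachable LDAP server is not evidence that the user is valid.
      @logger.warn("LDAP recheck failed for #{user.username} via #{provider}: #{e.message}")
      return :deny
    end

    if status == :active
      user.state = :active
      @logger.info("unblocked #{user.username}: valid in LDAP, signed in via #{provider}")
      :allow
    else
      @logger.info("#{user.username} is #{status} in LDAP; remains ldap_blocked")
      :deny
    end
  end
end
```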
Problem This Solves
In this issue, if the LDAP server is flaky or cannot be reached, users are immediately blocked, even when another authentication method is configured and the user's status is maintained there.
This was causing users to be unable to log in, and a manual sync initiated by the customer had to take place in order to reset the users back to "active".