ahaenggli/AzureAD-LDAP-wrapper

User not deleted in LDAP

northboys opened this issue · 6 comments

Describe the bug
I tried to delete a user in Azure AD, but the user wasn't deleted in LDAP.

Container configuration

    environment:
      NODE_ENV: "production"
      LDAP_DOMAIN: "example.com"
      LDAP_BASEDN: "dc=example,dc=com"
      LDAP_BINDUSER: "test|test123"
      LDAP_PORT: "13389"
      LDAP_DEBUG: "true"
      LDAP_ALLOWCACHEDLOGINONFAILURE: "true"
      LDAP_SAMBANTPWD_MAXCACHETIME: "-1"
      AZURE_APP_ID: "xxxxxxxxxx"
      AZURE_TENANTID: "xxxxxxxxxx"
      AZURE_APP_SECRET: "xxxxxxxxxx"
      LDAP_SYNC_TIME: "15"
      DSM7: "false"
      GRAPH_FILTER_USERS: "userType eq 'Member'"
      GRAPH_FILTER_GROUPS: ""

You are right, the deleted users are currently not deleted in the wrapper. Deleting them in the wrapper could cause some problems:

  • Files and folders lose the deleted user as owner/creator.
  • If the user home directory was created by the NAS, it will not be deleted as well.
  • Permissions on the NAS are still attached to a UserId that is no longer anywhere.
  • probably a few more little things

But I think the same problems should occur with a NAS connected to any other LDAP server.
So, I'll add the deletion of deleted users in one of the next versions :)

If someone really wants to keep a user for history reasons, he can just deactivate it in AzureAD and remove all licences - that way a login won't work anymore... I should also document this somewhere.

Very interesting, can't wait for the next version 😁

  • Files and folders lose the deleted user as owner/creator.

I think it also happens if the userPrincipalName is changed, because the homeDirectory will be changed by the program, right?

It depends. The permissions on Linux-based systems depend on the uidNumber anyway. The uidNumber is not changed by the renaming, so the files/folders keep their owner/creator. Some servers are also able to move/rename the home directories in this way. Mostly, however, the system administrator has to rename the home dirs manually.

@northboys a first attempt is available in the docker dev tag. There is a delay in the deletion, so you may need to set LDAP_DAYSTOKEEPDELETEDUSERS if you would like to test it without delay :)
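An added sketch of the two behaviours discussed above, written for this thread and not taken from the wrapper's code: LDAP entries are keyed on the immutable Azure object id, so a userPrincipalName rename rewrites homeDirectory but keeps uidNumber (and therefore file ownership), and a user missing from the Graph result is only purged after a grace period, mirroring what LDAP_DAYSTOKEEPDELETEDUSERS controls. Function and field names are assumptions.

```javascript
// Added example, not project code. Reconciles the user list returned by the
// Graph API with the cached LDAP entries.
const DAY_MS = 24 * 60 * 60 * 1000;

function reconcileUsers(graphUsers, ldapUsers, now, daysToKeepDeleted) {
  // Copy entries so the caller's array is not mutated; key on azureId.
  const byId = new Map(ldapUsers.map(u => [u.azureId, { ...u }]));
  const seen = new Set();
  // Never reuse a uidNumber: new users get one above the highest known value.
  let nextUid = Math.max(1000, ...ldapUsers.map(u => u.uidNumber + 1));

  for (const g of graphUsers) {
    seen.add(g.id);
    const login = g.userPrincipalName.split('@')[0];
    const existing = byId.get(g.id);
    if (existing) {
      // Rename case: name-derived attributes change, uidNumber stays, so
      // files owned by this uid keep their owner on a POSIX file system.
      existing.userPrincipalName = g.userPrincipalName;
      existing.homeDirectory = `/home/${login}`;
      delete existing.deletedAt; // user came back before the purge deadline
    } else {
      byId.set(g.id, {
        azureId: g.id,
        userPrincipalName: g.userPrincipalName,
        uidNumber: nextUid++,
        homeDirectory: `/home/${login}`,
      });
    }
  }

  // Users no longer returned by Graph: start the grace period on the first
  // sync they are missing, purge once it has elapsed (0 days = immediately).
  for (const [id, u] of byId) {
    if (seen.has(id)) continue;
    if (u.deletedAt === undefined) u.deletedAt = now;
    if (now - u.deletedAt >= daysToKeepDeleted * DAY_MS) byId.delete(id);
  }
  return [...byId.values()];
}
```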

The changes are now also available in the latest version.