From c8149d50f964fd6a5b35ae89ca8bcaf657e39a9d Mon Sep 17 00:00:00 2001
From: Gabriel MABILLE
Date: Wed, 20 Sep 2023 17:26:50 +0200
Subject: [PATCH] LDAP: FIX Enable users on successfull login (#75073)
* LDAP: Enable users on successfull login
* Force enable ldap users on successful login
* Fix tests
* Fix tests
---
 pkg/services/authn/clients/ldap.go | 10 +++++++++-
 pkg/services/authn/clients/ldap_test.go | 2 ++
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/pkg/services/authn/clients/ldap.go b/pkg/services/authn/clients/ldap.go
index 192fba3758e..2745ab64fd1 100644
--- a/pkg/services/authn/clients/ldap.go
+++ b/pkg/services/authn/clients/ldap.go
@@ -107,7 +107,7 @@ func (c *LDAP) disableUser(ctx context.Context, username string) (*authn.Identit
 }
 
 func (c *LDAP) identityFromLDAPInfo(orgID int64, info *login.ExternalUserInfo) *authn.Identity {
- return &authn.Identity{
+ id := &authn.Identity{
 OrgID: orgID,
 OrgRoles: info.OrgRoles,
 Login: info.Login,
@@ -131,4 +131,12 @@ func (c *LDAP) identityFromLDAPInfo(orgID int64, info *login.ExternalUserInfo) *
 },
 },
 }
+
+ // The ldap service is not aware of the internal state of the user. Fetching the user
+ // from the store to know if that user is disabled or not, is almost as costly as
+ // running an update systematically. We are setting IsDisabled to true so that the
+ // EnableDisabledUserHook force-enable that user.
+ id.IsDisabled = true
+
+ return id
 }
diff --git a/pkg/services/authn/clients/ldap_test.go b/pkg/services/authn/clients/ldap_test.go
index 2477656accc..cd45ad8987e 100644
--- a/pkg/services/authn/clients/ldap_test.go
+++ b/pkg/services/authn/clients/ldap_test.go
@@ -60,6 +60,7 @@ func TestLDAP_AuthenticateProxy(t *testing.T) {
 AuthenticatedBy: login.LDAPAuthModule,
 AuthID: "123",
 Groups: []string{"1", "2"},
+ IsDisabled: true, // Users are marked as disabled to force enablement on successful login
 ClientParams: authn.ClientParams{
 SyncUser: true,
 SyncTeams: true,
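Review bot: `id.IsDisabled = true` at the end of identityFromLDAPInfo makes a security-relevant field state something untrue for every successful LDAP login, and from this hunk it looks as if an account that an administrator disabled locally would be re-enabled the next time its LDAP credentials are accepted. If that is the intended policy, the comment should say so outright, for example `// NOTE: IsDisabled is a sentinel here, not the stored state; a locally disabled LDAP user is re-enabled on successful login.` Anything that reads Identity.IsDisabled between this client and EnableDisabledUserHook (authorization checks, audit logging) would see the sentinel, so it is worth confirming that nothing does. Carrying the request in a dedicated ClientParams field would avoid overloading the flag. The function starts in the previous hunk and most of its struct literal is not visible here.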
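Review bot: The expected identity in TestLDAP_AuthenticateProxy, and the one in TestLDAP_AuthenticatePassword in the next hunk, only pins the sentinel value `IsDisabled: true`. Nothing visible checks the outcome the commit is after, namely that a previously disabled user is enabled again after a successful LDAP login. Nothing visible checks either that an identity produced by disableUser is still treated as disabled, so a test covering both directions would keep the client and the hook from drifting apart. The inline comment reads like a statement of fact about the user and could instead say `// sentinel: asks EnableDisabledUserHook to enable the user; not the stored state`. Both test functions start and end outside their hunks.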
@@ -129,6 +130,7 @@ func TestLDAP_AuthenticatePassword(t *testing.T) {
 AuthenticatedBy: login.LDAPAuthModule,
 AuthID: "123",
 Groups: []string{"1", "2"},
+ IsDisabled: true, // Users are marked as disabled to force enablement on successful login
 ClientParams: authn.ClientParams{
 SyncUser: true,
 SyncTeams: true,