#341 do not add securityPrincipal for existing accounts

LDAPAccountManager · Jun 21, 2024 · 55f4e7b · 55f4e7b
1 parent 369ebab
commit 55f4e7b
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/lam/HISTORY b/lam/HISTORY
@@ -12,6 +12,7 @@ June 2024 8.8
  - Fixed bugs:
   -> Custom Fields: LDAP search select list - wrong value for empty option (334)
   -> Windows user: "Password does not expire" option sent even when not modified (340)
+  -> Windows user: Do not add securityPrincipal object class for existing accounts (341)
 
 
 16.03.2024 8.7

diff --git a/lam/lib/modules/windowsUser.inc b/lam/lib/modules/windowsUser.inc
@@ -1280,6 +1280,13 @@ class windowsUser extends baseModule implements passwordService, AccountStatusPr
 	 * <br>"info" are values with informational value (e.g. to be used later by pre/postModify actions)
 	 */
 	public function save_attributes() {
+		// do not add securityPrincipal on existing accounts if it was not set before
+		if (!$this->getAccountContainer()->isNewAccount
+			&& in_array_ignore_case('user', $this->orig['objectClass'])
+			&& !in_array('securityPrincipal', $this->orig['objectClass'])
+			&& in_array('securityPrincipal', $this->attributes['objectClass'])) {
+			$this->attributes['objectClass'] = array_delete(['securityPrincipal'], $this->attributes['objectClass']);
+		}
 		$return = parent::save_attributes();
 		// add information about clear text password and password status change
 		$return[$this->getAccountContainer()->dn_orig]['info']['userPasswordClearText'][0] = $this->clearTextPassword;