From 55f4e7b1af9fa9f65917cd2257176232810091eb Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Fri, 21 Jun 2024 20:10:59 +0200
Subject: [PATCH] #341 do not add securityPrincipal for existing accounts
---
 lam/HISTORY | 1 +
 lam/lib/modules/windowsUser.inc | 7 +++++++
 2 files changed, 8 insertions(+)
diff --git a/lam/HISTORY b/lam/HISTORY
index cf170e760..b7bbf5cd1 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -12,6 +12,7 @@ June 2024 8.8
 - Fixed bugs:
 -> Custom Fields: LDAP search select list - wrong value for empty option (334)
 -> Windows user: "Password does not expire" option sent even when not modified (340)
+ -> Windows user: Do not add securityPrincipal object class for existing accounts (341)
 16.03.2024 8.7
diff --git a/lam/lib/modules/windowsUser.inc b/lam/lib/modules/windowsUser.inc
index f87e93ade..c5012d3c7 100644
--- a/lam/lib/modules/windowsUser.inc
+++ b/lam/lib/modules/windowsUser.inc
@@ -1280,6 +1280,13 @@ class windowsUser extends baseModule implements passwordService, AccountStatusPr
 * "info" are values with informational value (e.g. to be used later by pre/postModify actions)
 */
 public function save_attributes() {
+ // do not add securityPrincipal on existing accounts if it was not set before
+ if (!$this->getAccountContainer()->isNewAccount
+ && in_array_ignore_case('user', $this->orig['objectClass'])
+ && !in_array('securityPrincipal', $this->orig['objectClass'])
+ && in_array('securityPrincipal', $this->attributes['objectClass'])) {
+ $this->attributes['objectClass'] = array_delete(['securityPrincipal'], $this->attributes['objectClass']);
+ }
 $return = parent::save_attributes();
 // add information about clear text password and password status change
 $return[$this->getAccountContainer()->dn_orig]['info']['userPasswordClearText'][0] = $this->clearTextPassword;
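Review bot: The two `securityPrincipal` checks in the new guard use case-sensitive `in_array()`, while the `user` check on the same `objectClass` array uses `in_array_ignore_case()`. LDAP object class names are case-insensitive, so a server that returns a different casing would make the guard misjudge whether the class was already present on the account. Using the same helper for the original-value check keeps the condition consistent: `&& !in_array_ignore_case('securityPrincipal', $this->orig['objectClass'])`. Whether `array_delete()` matches case-insensitively is not visible in this hunk, so the check on `$this->attributes['objectClass']` and the removal should be confirmed to agree with each other. The body of `save_attributes()` continues past the end of the hunk.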