[NEW] Setting to determine if the LDAP user active state should be synced (#17645)

ee/app/ldap-enterprise/server/hooks/beforeSearchAll.js

-import { callbacks } from '../../../../../app/callbacks';
-
-callbacks.add('ldap.beforeSearchAll', (searchParams) => {
+export const beforeSearchAll = (searchParams) => {
 	const { options } = searchParams;
 
 	if (!Array.isArray(options.attributes)) {
@@ -10,4 +8,4 @@ callbacks.add('ldap.beforeSearchAll', (searchParams) => {
 	options.attributes.push('pwdAccountLockedTime');
 
 	return searchParams;
-}, callbacks.priority.MEDIUM, 'ldap-return-attribute-AccountLockedTime');
+};

ee/app/ldap-enterprise/server/hooks/syncExistentUser.js

-import { callbacks } from '../../../../../app/callbacks';
 import { logger } from '../../../../../app/ldap/server/sync';
 import { setUserActiveStatus } from '../../../../../app/lib/server/functions/setUserActiveStatus';
+import { settings } from '../../../../../app/settings';
 
-callbacks.add('ldap.afterSyncExistentUser', ({ ldapUser, user }) => {
+export const syncExistentUser = ({ ldapUser, user }) => {
 	const activate = !!ldapUser && !ldapUser.pwdAccountLockedTime;
 
-	if (activate !== user.active) {
-		setUserActiveStatus(user._id, activate);
-		logger.info(`${ activate ? 'Activating' : 'Deactivating' } user ${ user.name } (${ user._id })`);
+	if (activate === user.active) {
+		return;
 	}
-}, callbacks.priority.MEDIUM, 'ldap-disable-enable-users');
+
+	const syncUserState = settings.get('LDAP_Sync_User_Active_State');
+	if (syncUserState === 'none' || (syncUserState === 'disable' && activate)) {
+		return;
+	}
+
+	setUserActiveStatus(user._id, activate);
+	logger.info(`${ activate ? 'Activating' : 'Deactivating' } user ${ user.name } (${ user._id })`);
+};

ee/app/ldap-enterprise/server/index.js

 import { Meteor } from 'meteor/meteor';
 
-import './hooks/syncExistentUser';
-import './hooks/beforeSearchAll';
 
+import { syncExistentUser } from './hooks/syncExistentUser';
+import { beforeSearchAll } from './hooks/beforeSearchAll';
 import { callbacks } from '../../../../app/callbacks/server';
 import { settings } from '../../../../app/settings';
 import { onLicense } from '../../license/server';
@@ -17,6 +17,8 @@ onLicense('ldap-enterprise', () => {
 		validateLDAPRolesMappingChanges();
 
 		let LDAP_Enable_LDAP_Roles_To_RC_Roles;
+		let LDAP_Sync_User_Active_State;
+
 		settings.get('LDAP_Enable_LDAP_Roles_To_RC_Roles', (key, value) => {
 			if (LDAP_Enable_LDAP_Roles_To_RC_Roles === value) {
 				return;
@@ -29,5 +31,23 @@ onLicense('ldap-enterprise', () => {
 
 			callbacks.add('afterLDAPLogin', onLdapLogin, callbacks.priority.MEDIUM, 'checkRoleMapping');
 		});
+
+		settings.get('LDAP_Sync_User_Active_State', (key, value) => {
+			if (LDAP_Sync_User_Active_State === value) {
+				return;
+			}
+
+			if (value === 'none') {
+				// If it changed to 'none', disable
+				callbacks.remove('ldap.afterSyncExistentUser', 'ldap-sync-user-active-state');
+			} else if (LDAP_Sync_User_Active_State === 'none' || !LDAP_Sync_User_Active_State) {
+				// If it changed from 'none' to something else, enable
+				callbacks.add('ldap.afterSyncExistentUser', syncExistentUser, callbacks.priority.MEDIUM, 'ldap-sync-user-active-state');
+			}
+
+			LDAP_Sync_User_Active_State = value;
+		});
+
+		callbacks.add('ldap.beforeSearchAll', beforeSearchAll, callbacks.priority.MEDIUM, 'ldap-return-attribute-AccountLockedTime');
 	});
 });

ee/app/ldap-enterprise/server/settings.js

@@ -26,5 +26,18 @@ export const createSettings = () => {
 				enableQuery: { _id: 'LDAP_Enable_LDAP_Roles_To_RC_Roles', value: true },
 			});
 		});
+
+		this.section('LDAP_Advanced_Sync', function() {
+			this.add('LDAP_Sync_User_Active_State', 'disable', {
+				type: 'select',
+				values: [
+					{ key: 'none', i18nLabel: 'LDAP_Sync_User_Active_State_Nothing' },
+					{ key: 'disable', i18nLabel: 'LDAP_Sync_User_Active_State_Disable' },
+					{ key: 'both', i18nLabel: 'LDAP_Sync_User_Active_State_Both' },
+				],
+				i18nDescription: 'LDAP_Sync_User_Active_State_Description',
+				enableQuery: { _id: 'LDAP_Enable', value: true },
+			});
+		});
 	});
 };

ee/i18n/en.i18n.json

@@ -23,6 +23,7 @@
   "Failed_to_add_monitor": "Failed to add monitor",
   "Invalid Canned Response": "Invalid Canned Response",
   "Invalid_Department": "Invalid Department",
+  "LDAP_Advanced_Sync": "Advanced Sync",
   "LDAP_Default_Role_To_User": "Default role to user",
   "LDAP_Default_Role_To_User_Description": "The default RC role to be applied to user if the user has some LDAP role that is not mapped.",
   "LDAP_Enable_LDAP_Roles_To_RC_Roles": "Enable role mapping from LDAP to Rocket.Chat",
@@ -30,6 +31,11 @@
   "LDAP_Query_To_Get_User_Groups_Description": "LDAP query to get the LDAP groups that the user is part of.",
   "LDAP_Roles_To_Rocket_Chat_Roles": "Role mapping from LDAP to Rocket.Chat.",
   "LDAP_Roles_To_Rocket_Chat_Roles_Description": "Role mapping in object format where the object key must be the LDAP role and the object value must be an array of RC roles. Example: { 'ldapRole': ['rcRole', 'anotherRCRole'] }",
+  "LDAP_Sync_User_Active_State": "Sync User Active State",
+  "LDAP_Sync_User_Active_State_Description": "Determine if users should be enabled or disabled on Rocket.Chat based on the LDAP status. The 'pwdAccountLockedTime' attribute will be used to determine if the user is disabled.",
+  "LDAP_Sync_User_Active_State_Nothing": "Do Nothing",
+  "LDAP_Sync_User_Active_State_Disable": "Disable Users",
+  "LDAP_Sync_User_Active_State_Both": "Enable and Disable Users",
   "LDAP_Validate_Roles_For_Each_Login": "Validate mapping for each login",
   "LDAP_Validate_Roles_For_Each_Login_Description": "If the validation should occurs for each login (Be careful with this setting because it will overwrite the user roles in each login, otherwise this will be validated only at the moment of user creation).",
   "List_of_departments_for_forward": "List of departments allowed for forwarding (Optional)",