From 832126c6fe59236c3803ddb78b247e6c9acbf6f4 Mon Sep 17 00:00:00 2001
From: "gcp-cherry-pick-bot[bot]" <98988430+gcp-cherry-pick-bot[bot]@users.noreply.github.com>
Date: Fri, 27 Sep 2024 13:58:06 +0200
Subject: [PATCH] sources/ldap: fix ms_ad userAccountControl not checking for lockout (cherry-pick #11532) (#11534) sources/ldap: fix ms_ad userAccountControl not checking for lockout (#11532)
Signed-off-by: Jens Langhammer
Co-authored-by: Jens L.
---
 authentik/sources/ldap/sync/vendor/ms_ad.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/authentik/sources/ldap/sync/vendor/ms_ad.py b/authentik/sources/ldap/sync/vendor/ms_ad.py
index e8fdf831c8..fd02308973 100644
--- a/authentik/sources/ldap/sync/vendor/ms_ad.py
+++ b/authentik/sources/ldap/sync/vendor/ms_ad.py
@@ -78,7 +78,9 @@ class MicrosoftActiveDirectory(BaseLDAPSynchronizer):
 # /useraccountcontrol-manipulate-account-properties
 uac_bit = attributes.get("userAccountControl", 512)
 uac = UserAccountControl(uac_bit)
- is_active = UserAccountControl.ACCOUNTDISABLE not in uac
+ is_active = (
+ UserAccountControl.ACCOUNTDISABLE not in uac and UserAccountControl.LOCKOUT not in uac
+ )
 if is_active != user.is_active:
 user.is_active = is_active
 user.save()
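Review bot: The added `UserAccountControl.LOCKOUT not in uac` test reads the lockout bit from the stored `userAccountControl` attribute, which Active Directory domain controllers generally do not keep up to date. Lockout state is normally exposed through `lockoutTime` and the computed `msDS-User-Account-Control-Computed` attribute, so this check may never fire against a real domain and a locked-out account would stay active here. It is worth confirming against a live directory which attribute the sync actually receives, and recording that above the assignment, for example `# NOTE: AD may only report lockout via msDS-User-Account-Control-Computed / lockoutTime; verify userAccountControl carries LOCKOUT`. The patch also adds no test, so a case that syncs a user with the lockout bit set and asserts `user.is_active` is False would pin the intended behaviour. The enclosing method starts and ends outside the hunk, so how `attributes` is requested cannot be checked from here.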