From 7ec7c49c34c8277a5d1c473da819a0c7642bada0 Mon Sep 17 00:00:00 2001
From: Admin MPCZ
Date: Fri, 17 Apr 2026 12:26:12 +0000
Subject: [PATCH] import_ldap_group_users : fallback UPN/sam@sanef.com si mail absent, inclut comptes admin sans mail
---
 tools/import_ldap_group_users.py | 35 ++++++++++++++++++++++++--------
 1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/tools/import_ldap_group_users.py b/tools/import_ldap_group_users.py
index 41d11df..cbed095 100644
--- a/tools/import_ldap_group_users.py
+++ b/tools/import_ldap_group_users.py
@@ -53,26 +53,43 @@ def fetch_group_members(cfg, group_dn):
 conn = Connection(server, user=cfg["bind_dn"], password=cfg["bind_pwd"], auto_bind=True)
- # Filter LDAP : user actif, membre direct du groupe
+ # Filter LDAP : membre direct du groupe (inclut comptes admin, meme sans mail)
 search_filter = (
 f"(&(objectClass=user)(objectCategory=person)"
- f"(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
 f"(memberOf={group_dn}))"
 )
 conn.search(cfg["base_dn"], search_filter, search_scope=SUBTREE,
 attributes=["sAMAccountName", "displayName", "mail",
- "distinguishedName", "userAccountControl"])
+ "userPrincipalName", "distinguishedName",
+ "userAccountControl"])
 members = []
 for entry in conn.entries:
- email = str(entry.mail) if entry.mail else None
- if not email:
+ sam = str(entry.sAMAccountName) if entry.sAMAccountName else None
+ if not sam:
+ print(f" [SKIP] Entry sans sAMAccountName : {entry.entry_dn}")
 continue
+
+ # Priorite email : mail > userPrincipalName > fallback sam@sanef.com
+ email = None
+ if entry.mail and str(entry.mail).strip():
+ email = str(entry.mail).strip().lower()
+ elif entry.userPrincipalName and str(entry.userPrincipalName).strip():
+ email = str(entry.userPrincipalName).strip().lower()
+ else:
+ email = f"{sam.lower()}@sanef.com"
+ print(f" [INFO] {sam} sans mail AD, fallback : {email}")
+
+ # Verifier si compte desactive (pour info seulement)
+ uac = entry.userAccountControl.value if entry.userAccountControl else 0
+ if isinstance(uac, int) and uac & 0x2:
+ print(f" [WARN] {sam} compte AD DESACTIVE (UAC={uac}) — importe quand meme")
+
+ members.append({
- "username": str(entry.sAMAccountName).lower(),
- "display_name": str(entry.displayName) if entry.displayName else str(entry.sAMAccountName),
- "email": email.lower(),
- "dn": str(entry.distinguishedName),
+ "username": sam.lower(),
+ "display_name": str(entry.displayName) if entry.displayName else sam,
+ "email": email,
+ "dn": str(entry.entry_dn),
 })
 conn.unbind()
 return members
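Review bot: Removing the `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` clause lets AD-disabled accounts reach `members.append`, and the only trace of that is the `[WARN]` print, so whatever consumes the returned list cannot distinguish a disabled account from an active one and may create or re-enable a user that AD has deliberately locked out. Carry the state in the record rather than only printing it, e.g. `"disabled": bool(isinstance(uac, int) and uac & 0x2),` beside `"dn"`, so the import step can skip or deactivate those entries. The fallback `f"{sam.lower()}@sanef.com"` and the UPN are not guaranteed to be deliverable mailboxes, so a companion field such as `"email_source": "mail"` / `"upn"` / `"fallback"` would let the caller avoid sending to, or matching identities on, a constructed address. While the filter is being rebuilt, `group_dn` is still interpolated raw into `(memberOf={group_dn})`; if it can come from user-supplied input, pass it through `ldap3.utils.conv.escape_filter_chars` first. The `def fetch_group_members` line itself precedes the hunk.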