import_ldap_group_users : fallback UPN/sam@sanef.com si mail absent, inclut comptes admin sans mail

2026-04-17 12:26:12 +00:00 · 2026-04-17 12:26:12 +00:00 · 7ec7c49c34
commit 7ec7c49c34
parent 2a4c785535
1 changed files with 26 additions and 9 deletions
--- a/tools/import_ldap_group_users.py
+++ b/tools/import_ldap_group_users.py
@ -53,26 +53,43 @@ def fetch_group_members(cfg, group_dn):
    conn = Connection(server, user=cfg["bind_dn"], password=cfg["bind_pwd"],
                      auto_bind=True)

-    # Filter LDAP : user actif, membre direct du groupe
+    # Filter LDAP : membre direct du groupe (inclut comptes admin, meme sans mail)
    search_filter = (
        f"(&(objectClass=user)(objectCategory=person)"
-        f"(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
        f"(memberOf={group_dn}))"
    )
    conn.search(cfg["base_dn"], search_filter, search_scope=SUBTREE,
                attributes=["sAMAccountName", "displayName", "mail",
-                            "distinguishedName", "userAccountControl"])
+                            "userPrincipalName", "distinguishedName",
+                            "userAccountControl"])

    members = []
    for entry in conn.entries:
-        email = str(entry.mail) if entry.mail else None
-        if not email:
+        sam = str(entry.sAMAccountName) if entry.sAMAccountName else None
+        if not sam:
+            print(f"  [SKIP] Entry sans sAMAccountName : {entry.entry_dn}")
            continue
+
+        # Priorite email : mail > userPrincipalName > fallback sam@sanef.com
+        email = None
+        if entry.mail and str(entry.mail).strip():
+            email = str(entry.mail).strip().lower()
+        elif entry.userPrincipalName and str(entry.userPrincipalName).strip():
+            email = str(entry.userPrincipalName).strip().lower()
+        else:
+            email = f"{sam.lower()}@sanef.com"
+            print(f"  [INFO] {sam} sans mail AD, fallback : {email}")
+
+        # Verifier si compte desactive (pour info seulement)
+        uac = entry.userAccountControl.value if entry.userAccountControl else 0
+        if isinstance(uac, int) and uac & 0x2:
+            print(f"  [WARN] {sam} compte AD DESACTIVE (UAC={uac}) — importe quand meme")
+
        members.append({
-            "username": str(entry.sAMAccountName).lower(),
-            "display_name": str(entry.displayName) if entry.displayName else str(entry.sAMAccountName),
-            "email": email.lower(),
-            "dn": str(entry.distinguishedName),
+            "username":     sam.lower(),
+            "display_name": str(entry.displayName) if entry.displayName else sam,
+            "email":        email,
+            "dn":           str(entry.entry_dn),
        })
    conn.unbind()
    return members