Added documentation and code to test if a account (User or Machine) has

been disabled in the AD

Author: fdurand

docs/installation/additional_integration.asciidoc

@@ -199,6 +199,44 @@ Validate with Ok and provide the account that will run this task (usually _DOMAI
 
 ==== Disabled Account
 
+===== Preventing Authentication of Disabled Accounts via LDAP Filter
+
+You can prevent disabled Active Directory accounts from authenticating through PacketFence by adding an LDAP filter that excludes accounts with the `ACCOUNTDISABLE` flag set.
+
+In Active Directory, the `userAccountControl` attribute contains bitwise flags that indicate account properties. Bit 2 (`0x2`) corresponds to `ACCOUNTDISABLE`. The following LDAP filter uses the bitwise AND matching rule (`1.2.840.113556.1.4.803`) to check whether this bit is set, and excludes those accounts from search results:
+
+----
+(!(userAccountControl:1.2.840.113556.1.4.803:=2))
+----
+
+To configure this in PacketFence:
+
+. Go to _Configuration -> Policies and Access Control -> Authentication Sources_.
+. Edit your Active Directory authentication source.
+. In the _Append search attributes LDAP filter_ field, paste the filter above.
+. Save the configuration.
+
+With this filter in place, any LDAP search performed during authentication will automatically exclude disabled accounts, preventing them from authenticating.
+
+NOTE: This is a *preventive* approach that blocks authentication at LDAP search time. It applies globally to all searches performed by this authentication source. To apply the check at the level of individual authentication rules instead, see the next section.
+
+===== Filtering Disabled Accounts in Authentication Rules
+
+You can also check the `userAccountControl` attribute directly in authentication rule conditions using the *has bit* and *not has bit* operators. These operators perform a bitwise AND check against the attribute value, which is the correct way to test individual flags in a bitmask attribute like `userAccountControl`.
+
+To create a rule that rejects disabled accounts:
+
+. Go to _Configuration -> Policies and Access Control -> Authentication Sources_.
+. Edit your Active Directory authentication source and open an authentication rule.
+. Add a condition: `userAccountControl` -> *not has bit* -> `2`.
+. Save the rule.
+
+This condition excludes accounts that have the `ACCOUNTDISABLE` bit set (bit 2), regardless of what other flags are present in `userAccountControl`.
+
+NOTE: Standard operators like _equals_ or _not equals_ perform a simple string comparison on the full `userAccountControl` value and are not suitable for bitmask attributes. Always use _has bit_ or _not has bit_ when checking individual flags.
+
+===== Unregistering Nodes When an Account is Disabled (Event-Based)
+
 Create the script `unreg_node_disabled_account.ps1` on the Windows Server with the following content:
 
 ----

html/pfappserver/root/src/globals/pfField.js

@@ -117,6 +117,8 @@ export const operatorMap = {
   ends: 'ends',
   matches_regexp: 'matches regexp',
   is_member_of: 'is member of',
+  has_bit: 'has bit',
+  not_has_bit: 'not has bit',
 }
 
 export const pfFieldTypeOperators = {
@@ -132,7 +134,9 @@ export const pfFieldTypeOperators = {
     { text: 'contains', value: operatorMap.contains },
     { text: 'ends', value: operatorMap.ends },
     { text: 'matches regexp', value: operatorMap.matches_regexp },
-    { text: 'is member of', value: operatorMap.is_member_of }
+    { text: 'is member of', value: operatorMap.is_member_of },
+    { text: 'has bit', value: operatorMap.has_bit },
+    { text: 'not has bit', value: operatorMap.not_has_bit }
   ],
   [pfFieldType.LDAPFILTER]: [
     { text: 'match filter', value: 'match filter' }

lib/pf/Authentication/Source/LDAPSource.pm

@@ -697,6 +697,10 @@ sub ldap_filter_for_conditions {
               $str = "${attribute}=${value}*";
           } elsif ($operator eq $Conditions::ENDS) {
               $str = "${attribute}=*${value}";
+          } elsif ($operator eq $Conditions::HAS_BIT) {
+              $str = "${attribute}:1.2.840.113556.1.4.803:=${value}";
+          } elsif ($operator eq $Conditions::NOT_HAS_BIT) {
+              $str = "!(${attribute}:1.2.840.113556.1.4.803:=${value})";
           }
 
           if ($str) {
@@ -801,7 +805,7 @@ sub _makefilter {
         return '(' . "$self->{'usernameattribute'}=$username" . ')';
     }
 
-    return $append_search;
+    return "(&($self->{'usernameattribute'}=$username)" . $append_search . ")";
 }
 
 sub lookupRole {

lib/pf/Authentication/constants.pm

@@ -97,6 +97,8 @@ Readonly::Scalar our $IS_NOT => 'is not';
 Readonly::Scalar our $IS_AFTER => 'is after';
 Readonly::Scalar our $IS_MEMBER => 'is member of';
 Readonly::Scalar our $MATCH_FILTER => 'match filter';
+Readonly::Scalar our $HAS_BIT => 'has bit';
+Readonly::Scalar our $NOT_HAS_BIT => 'not has bit';
 
 =item SUBSTRING, NUMBER, DATE, TIME
 
@@ -138,7 +140,7 @@ Readonly::Hash our %OPERATORS =>
    $TIME => [$IS_BEFORE, $IS_AFTER],
    $TIME_PERIOD => [$IN_TIME_PERIOD],
    $CONNECTION => [$IS, $IS_NOT],
-   $LDAP_ATTRIBUTE => [$IS, $STARTS, $EQUALS, $NOT_EQUALS, $CONTAINS, $NOT_CONTAINS, $ENDS, $MATCHES, $IS_MEMBER],
+   $LDAP_ATTRIBUTE => [$IS, $STARTS, $EQUALS, $NOT_EQUALS, $CONTAINS, $NOT_CONTAINS, $ENDS, $MATCHES, $IS_MEMBER, $HAS_BIT, $NOT_HAS_BIT],
    $LDAP_FILTER => [$MATCH_FILTER],
   );