From 717e520556304aee7a36d928c8c85d6d41e8585e Mon Sep 17 00:00:00 2001
From: kuaifan
Date: Fri, 17 Apr 2026 02:05:14 +0000
Subject: [PATCH] =?UTF-8?q?fix(ldap):=20=E4=BF=AE=E5=A4=8D=20AD=20?= =?UTF-8?q?=E7=8E=AF=E5=A2=83=E4=B8=8B=E7=94=A8=E6=88=B7=E6=90=9C=E7=B4=A2?= =?UTF-8?q?=E5=A4=B1=E8=B4=A5=E5=92=8C=E5=AF=86=E7=A0=81=E7=AD=96=E7=95=A5?= =?UTF-8?q?=E5=86=B2=E7=AA=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- objectClasses 移除 inetOrgPerson 和 organizationalPerson,仅保留 person + top AD 用户的 objectClass 是 user 而非 inetOrgPerson,导致 LdapRecord 搜索过滤不到用户
- LDAP 用户首次创建本地账号时使用随机密码,避免 LDAP 密码不满足本地密码策略
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 app/Ldap/LdapUser.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/Ldap/LdapUser.php b/app/Ldap/LdapUser.php
index 95afeae5c..4114192a8 100644
--- a/app/Ldap/LdapUser.php
+++ b/app/Ldap/LdapUser.php
@@ -19,8 +19,6 @@ class LdapUser extends Model
 * @var array
 */
 public static $objectClasses = [
- 'inetOrgPerson',
- 'organizationalPerson',
 'person',
 'top',
 ];
@@ -208,7 +206,9 @@ class LdapUser extends Model
 }
 $user = User::whereEmail($email)->first();
 if (empty($user)) {
- $user = User::reg($email, $password);
+ // LDAP 用户通过 LDAP 认证,本地密码用随机值以满足密码策略
+ $localPassword = Base::generatePassword(16) . 'Aa1!';
+ $user = User::reg($email, $localPassword);
 } elseif (!$user->isLdap()) {
 info("[LDAP] merged with existing local account: userid={$user->userid}, email={$email}");
 }
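Review bot: With `$objectClasses` reduced to `person` and `top` in the first hunk, the model's search scope now matches every entry that carries `person`, which in Active Directory typically includes computer and contact objects as well as users. If LdapRecord also stamps this list on entries the model creates, new entries would be written as bare `person` objects, which may reject attributes such as mail; that is worth confirming against the write paths outside this hunk. Consider recording the trade-off in the docblock, e.g. `Kept to person/top so AD (objectClass=user) and OpenLDAP (inetOrgPerson) entries both match; lookups must still filter on a user-only attribute.`, or making the list configurable per directory type. The docblock and the class body both start outside the hunk.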
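Review bot: The strength of the new local password in the second hunk rests entirely on `Base::generatePassword(16)`, whose implementation is not visible here; the fixed `'Aa1!'` suffix only satisfies the policy's character classes and adds no entropy. If that helper is not backed by a CSPRNG, the local account ends up with a guessable credential alongside the LDAP login, so I would derive the value from `random_bytes`, e.g. `$localPassword = bin2hex(random_bytes(16)) . 'Aa1!';`. The inline comment could also state that the value is never shown to the user and that local-password login is expected to stay unused for LDAP accounts, if that is the intent. The enclosing method starts and ends outside the hunk.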