Add DELETE method to ensure POST request rollback #3

@operatr

Description

If setUnicodePwd or enableAccount fails after the user has already been added to LDAP (line 27), the function returns an error but leaves the partially created user in LDAP without proper cleanup. This could result in disabled/unusable user accounts accumulating in Active Directory.

Consider implementing a rollback mechanism to delete the user entry if password setting or account enabling fails, or at minimum document this behavior and its implications.

			// (excerpt: the enclosing create-user function and the start of the setUnicodePwd failure branch are above this point)
			}
			// Attempt to delete the user to rollback
			delReq := ldap.NewDelRequest(dn, nil)
			if delErr := conn.Del(delReq); delErr != nil {
				if c.logger != nil {
					c.logger.Error("rollback: failed to delete user after setUnicodePwd failure", zap.Error(delErr), zap.String("dn", dn), zap.String("username", u.Username))
				}
			}
			// rollback is best-effort: a failed delete is only logged and the original error is still returned
			return err
		}
		if err := c.enableAccount(conn, dn); err != nil {
			if c.logger != nil {
				c.logger.Warn("enable account failed", zap.Error(err), zap.String("dn", dn), zap.String("username", u.Username))
			}
			// Attempt to delete the user to rollback
			delReq := ldap.NewDelRequest(dn, nil)
			if delErr := conn.Del(delReq); delErr != nil {
				if c.logger != nil {
					c.logger.Error("rollback: failed to delete user after enableAccount failure", zap.Error(delErr), zap.String("dn", dn), zap.String("username", u.Username))
				}
			}
			return err
		}

Originally posted by @Copilot in #1 (comment)
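The rollback the issue asks for, written out as an added example (not the repository's code): the create path runs against an assumed minimal Directory interface standing in for go-ldap's *ldap.Conn, and a RollbackError type lets the caller tell a clean failure apart from a half-created account that the compensating delete could not remove. FakeDir, the operation names and the DNs are constructed for the example.

```go
package main
import "fmt"

// Directory is an assumed minimal interface for this example, not go-ldap's *ldap.Conn API.
type Directory interface {
	Add(dn string) error
	SetUnicodePwd(dn, password string) error
	EnableAccount(dn string) error
	Del(dn string) error
}
// RollbackError: a step failed AND the compensating delete failed, so a half-created account remains.
type RollbackError struct{ Cause, DelErr error }
func (e *RollbackError) Error() string { return fmt.Sprintf("%v; rollback delete failed: %v", e.Cause, e.DelErr) }
func (e *RollbackError) Unwrap() error { return e.Cause }

// CreateUser adds, sets the password and enables; a failure after Add deletes the entry, keeping the original error.
func CreateUser(d Directory, dn, password string) error {
	if err := d.Add(dn); err != nil {
		return fmt.Errorf("add %s: %w", dn, err) // nothing to roll back yet
	}
	if err := d.SetUnicodePwd(dn, password); err != nil {
		return rollback(d, dn, fmt.Errorf("setUnicodePwd %s: %w", dn, err))
	}
	if err := d.EnableAccount(dn); err != nil {
		return rollback(d, dn, fmt.Errorf("enableAccount %s: %w", dn, err))
	}
	return nil
}
func rollback(d Directory, dn string, cause error) error {
	if delErr := d.Del(dn); delErr != nil {
		return &RollbackError{Cause: cause, DelErr: delErr}
	}
	return cause
}

// FakeDir is a constructed in-memory directory; Fail maps an op name ("setUnicodePwd", "enableAccount", "del") to its error.
type FakeDir struct {
	Fail    map[string]error
	Entries map[string]bool
}
func (f *FakeDir) Add(dn string) error              { f.Entries[dn] = true; return nil }
func (f *FakeDir) SetUnicodePwd(dn, _ string) error { return f.Fail["setUnicodePwd"] }
func (f *FakeDir) EnableAccount(dn string) error    { return f.Fail["enableAccount"] }
func (f *FakeDir) Del(dn string) error {
	if err := f.Fail["del"]; err != nil {
		return err
	}
	delete(f.Entries, dn)
	return nil
}
```

Unlike the snippet quoted above, a failed delete is surfaced to the caller rather than only logged, because a leftover disabled account is exactly the condition the issue warns about.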
