v1.1.0 - Fix DN comparison: look up assigned user DN in AD, compare DN-to-DN

2026-04-27 10:41:25 +10:00
parent fedba71fb0
commit 9ae1ffdc5b
1 changed files with 65 additions and 28 deletions
@@ -69,35 +69,59 @@ namespace Disco.Plugins.ADCompare.Features
                result.FoundInAD = true;
                result.ADAccountDisabled = adAccount.IsDisabled;

+                // Get the managedBy DN from the computer object
                var managedByDN = adAccount.GetPropertyValue<string>("managedBy");
                result.ADManagedByDN = managedByDN;
                result.HasManagedBy = !string.IsNullOrEmpty(managedByDN);

+                // Extract display name from the CN portion of the DN for display
                if (result.HasManagedBy)
+                {
+                    result.ADManagedByDisplayName = ExtractCNFromDN(managedByDN);
+                }
+
+                // To compare correctly, look up the Disco assigned user in AD
+                // and compare their DN against the managedBy DN
+                string assignedUserDN = null;
+                if (result.HasAssignment)
                {
                    try
                    {
-                        var managedByUser = ActiveDirectory.RetrieveADUserAccount(managedByDN);
-                        if (managedByUser != null)
+                        var assignedUserAD = ActiveDirectory.RetrieveADUserAccount(device.AssignedUserId);
+                        if (assignedUserAD != null)
                        {
-                            result.ADManagedByUserId = managedByUser.Id;
-                            result.ADManagedByDisplayName = managedByUser.DisplayName;
-                        }
-                        else
-                        {
-                            result.ADManagedByUserId = managedByDN;
+                            assignedUserDN = assignedUserAD.DistinguishedName;
+                            result.ADManagedByUserId = device.AssignedUserId; // For display
                        }
                    }
                    catch
                    {
-                        result.ADManagedByUserId = managedByDN;
+                        // Can't look up assigned user in AD
                    }
                }

-                result.IsMatch = DetermineMatch(result);
+                // Now compare: both have values -> compare DNs
+                if (!result.HasAssignment && !result.HasManagedBy)
+                {
+                    result.IsMatch = true;
+                }
+                else if (result.HasAssignment && result.HasManagedBy && assignedUserDN != null)
+                {
+                    // Compare DN-to-DN (case insensitive)
+                    result.IsMatch = string.Equals(assignedUserDN, managedByDN, StringComparison.OrdinalIgnoreCase);
+                    if (result.IsMatch)
+                    {
+                        result.ADManagedByUserId = device.AssignedUserId;
+                    }
+                }
+                else
+                {
+                    result.IsMatch = false;
+                }
+
                if (!result.IsMatch)
                {
-                    result.MismatchReason = DetermineMismatchReason(result);
+                    result.MismatchReason = DetermineMismatchReason(result, assignedUserDN);
                }
            }
            catch (Exception ex)
@@ -109,21 +133,7 @@ namespace Disco.Plugins.ADCompare.Features
            return result;
        }

-        private bool DetermineMatch(DeviceComparisonResult result)
-        {
-            if (!result.HasAssignment && !result.HasManagedBy)
-                return true;
-
-            if (result.HasAssignment != result.HasManagedBy)
-                return false;
-
-            return string.Equals(
-                result.DiscoAssignedUserId,
-                result.ADManagedByUserId,
-                StringComparison.OrdinalIgnoreCase);
-        }
-
-        private string DetermineMismatchReason(DeviceComparisonResult result)
+        private string DetermineMismatchReason(DeviceComparisonResult result, string assignedUserDN)
        {
            if (!result.FoundInAD)
                return "Computer not found in AD";
@@ -132,12 +142,39 @@ namespace Disco.Plugins.ADCompare.Features
                return "Assigned in Disco but AD managedBy is empty";

            if (!result.HasAssignment && result.HasManagedBy)
-                return "Not assigned in Disco but AD managedBy is set";
+                return string.Format("Not assigned in Disco but AD managedBy is set to {0}", 
+                    ExtractCNFromDN(result.ADManagedByDN));

            if (result.HasAssignment && result.HasManagedBy)
-                return string.Format("Different users: Disco={0}, AD managedBy={1}", result.DiscoAssignedUserId, result.ADManagedByUserId);
+            {
+                var managedByName = ExtractCNFromDN(result.ADManagedByDN);
+                return string.Format("Different users: Disco={0} ({1}), AD managedBy={2}", 
+                    result.DiscoAssignedUserId, 
+                    result.DiscoAssignedUserDisplayName ?? "?",
+                    managedByName);
+            }

            return "Unknown mismatch";
        }
+
+        /// <summary>
+        /// Extract the CN value from a Distinguished Name.
+        /// e.g. "CN=Sue Lesnjak,OU=Teachers,..." -> "Sue Lesnjak"
+        /// </summary>
+        private string ExtractCNFromDN(string dn)
+        {
+            if (string.IsNullOrEmpty(dn))
+                return null;
+
+            if (dn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
+            {
+                var commaIndex = dn.IndexOf(',');
+                if (commaIndex > 3)
+                    return dn.Substring(3, commaIndex - 3);
+                return dn.Substring(3);
+            }
+
+            return dn;
+        }
    }
 }