tests: Add test for nocoverage userAccountControl case in ldap auth.

This logic has been #nocoverage since its implementation, but since this
is an authentication codepath, it seems important for it to have a test.

zerver/tests/test_auth_backends.py

@@ -6424,6 +6424,26 @@ class TestLDAP(ZulipLDAPTestCase):
             )
             self.assertIs(user_profile, None)
 
+    @override_settings(AUTHENTICATION_BACKENDS=("zproject.backends.ZulipLDAPAuthBackend",))
+    def test_login_failure_user_account_control(self) -> None:
+        self.change_ldap_user_attr("hamlet", "userAccountControl", "2")
+
+        with self.settings(
+            LDAP_APPEND_DOMAIN="zulip.com",
+            AUTH_LDAP_USER_ATTR_MAP={"userAccountControl": "userAccountControl"},
+        ), self.assertLogs("django_auth_ldap", "DEBUG") as debug_log:
+            user_profile = self.backend.authenticate(
+                request=mock.MagicMock(),
+                username=self.example_email("hamlet"),
+                password=self.ldap_password("hamlet"),
+                realm=get_realm("zulip"),
+            )
+            self.assertIs(user_profile, None)
+            self.assertIn(
+                "DEBUG:django_auth_ldap:Authentication failed for hamlet: User has been deactivated",
+                debug_log.output,
+            )
+
     @override_settings(AUTHENTICATION_BACKENDS=("zproject.backends.ZulipLDAPAuthBackend",))
     @override_settings(
         AUTH_LDAP_USER_ATTR_MAP={

zproject/backends.py

@@ -1058,7 +1058,7 @@ class ZulipLDAPAuthBackend(ZulipLDAPAuthBackendBase):
         if self.is_account_realm_access_forbidden(ldap_user, self._realm):
             raise ZulipLDAPError("User not allowed to access realm")
 
-        if ldap_should_sync_active_status():  # nocoverage
+        if ldap_should_sync_active_status():
             ldap_disabled = self.is_user_disabled_in_ldap(ldap_user)
             if ldap_disabled:
                 # Treat disabled users as deactivated in Zulip.