

LDAP auth: remove config option 'ldap_load_groups'
The same effect can be achieved using the option 'ldap_groups_attribute' alone,
if its default becomes unset instead of 'memberOf'.

Benefit: one config option less to deal with.
marschap committed Jan 3, 2025
1 parent cb6a30d commit 61145fd
Showing 4 changed files with 19 additions and 27 deletions.
18 changes: 9 additions & 9 deletions DOCUMENTATION.md
Expand Up @@ -932,20 +932,20 @@ The LDAP attribute whose value shall be used as the user name after successful a

Default: not set, i.e. the login name given is used directly.

##### ldap_load_groups
#### ldap_groups_attribute

The LDAP attribute to read the group memberships from in the authenticated user's LDAP entry.

Load the ldap groups of the authenticated user. These groups can be used later on to define rights. This also gives you access to the group calendars, if they exist.
If set, load the LDAP group memberships from the attribute given
These memberships can be used later on to define rights.
This also gives you access to the group calendars, if they exist.
* The group calendar will be placed under collection_root_folder/GROUPS
* The name of the calendar directory is the base64 encoded group name.
* The group calendar folders will not be created automaticaly. This must be created manually. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calendar folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication

Default: False

#### ldap_groups_attribute
* The group calendar folders will not be created automatically. This must be done manually. [Here](https://github.com/Kozea/Radicale/wiki/LDAP-authentication) you can find a script to create group calendar folders https://github.com/Kozea/Radicale/wiki/LDAP-authentication

The LDAP attribute to read the group memberships from in the user's LDAP entry if `ldap_load_groups` is True.
Use 'memberOf' if you want to load groups on Active Directory and alikes, 'groupMembership' on Novell eDirectory, ...

Default: `memberOf`
Default: unset

##### ldap_use_ssl

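--- a/config
+++ b/config
@@ -86,10 +86,7 @@
 # Path of the file containing password of the reader DN
 #ldap_secret_file = /run/secrets/ldap_password
 
-# If the ldap groups of the user need to be loaded
-#ldap_load_groups = True
-
-# the attribute to read the group memberships from in the user's LDAP entry if ldap_load_groups is True.
+# the attribute to read the group memberships from in the user's LDAP entry (default: not set)
 #ldap_groups_attribute = memberOf
 
 # The filter to find the DN of the user. This filter must contain a python-style placeholder for the login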
17 changes: 8 additions & 9 deletions radicale/auth/ldap.py
Expand Up @@ -25,7 +25,6 @@
ldap_filter The search filter to find the user to authenticate by the username
ldap_user_attribute The attribute to be used as username after authentication
ldap_groups_attribute The attribute containing group memberships in the LDAP user entry
ldap_load_groups If the groups of the authenticated users need to be loaded
Following parameters controls SSL connections:
ldap_use_ssl If the connection
ldap_ssl_verify_mode The certificate verification mode. NONE, OPTIONAL, default is REQUIRED
Expand All @@ -46,8 +45,7 @@ class Auth(auth.BaseAuth):
_ldap_filter: str
_ldap_attributes: list[str] = []
_ldap_user_attr: str
_ldap_load_groups: bool
_ldap_groups_attr: str = "memberOf"
_ldap_groups_attr: str
_ldap_module_version: int = 3
_ldap_use_ssl: bool = False
_ldap_ssl_verify_mode: int = ssl.CERT_REQUIRED
Expand All @@ -68,7 +66,6 @@ def __init__(self, configuration: config.Configuration) -> None:
self._ldap_uri = configuration.get("auth", "ldap_uri")
self._ldap_base = configuration.get("auth", "ldap_base")
self._ldap_reader_dn = configuration.get("auth", "ldap_reader_dn")
self._ldap_load_groups = configuration.get("auth", "ldap_load_groups")
self._ldap_secret = configuration.get("auth", "ldap_secret")
self._ldap_filter = configuration.get("auth", "ldap_filter")
self._ldap_user_attr = configuration.get("auth", "ldap_user_attribute")
Expand All @@ -89,13 +86,15 @@ def __init__(self, configuration: config.Configuration) -> None:
logger.info("auth.ldap_uri : %r" % self._ldap_uri)
logger.info("auth.ldap_base : %r" % self._ldap_base)
logger.info("auth.ldap_reader_dn : %r" % self._ldap_reader_dn)
logger.info("auth.ldap_load_groups : %s" % self._ldap_load_groups)
logger.info("auth.ldap_filter : %r" % self._ldap_filter)
if self._ldap_user_attr:
logger.info("auth.ldap_user_attribute : %r" % self._ldap_user_attr)
else:
logger.info("auth.ldap_user_attribute : (not provided)")
logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr)
if self._ldap_groups_attr:
logger.info("auth.ldap_groups_attribute: %r" % self._ldap_groups_attr)
else:
logger.info("auth.ldap_groups_attribute: (not provided)")
if ldap_secret_file_path:
logger.info("auth.ldap_secret_file_path: %r" % ldap_secret_file_path)
if self._ldap_secret:
Expand All @@ -115,7 +114,7 @@ def __init__(self, configuration: config.Configuration) -> None:
else:
logger.info("auth.ldap_ssl_ca_file : (not provided)")
"""Extend attributes to to be returned in the user query"""
if self._ldap_load_groups:
if self._ldap_groups_attr:
self._ldap_attributes.append(self._ldap_groups_attr)
if self._ldap_user_attr:
self._ldap_attributes.append(self._ldap_user_attr)
Expand Down Expand Up @@ -157,7 +156,7 @@ def _login2(self, login: str, password: str) -> str:
conn.set_option(self.ldap.OPT_REFERRALS, 0)
conn.simple_bind_s(user_dn, password)
tmp: list[str] = []
if self._ldap_load_groups:
if self._ldap_groups_attr:
tmp = []
for g in user_entry[1][self._ldap_groups_attr]:
"""Get group g's RDN's attribute value"""
Expand Down Expand Up @@ -227,7 +226,7 @@ def _login3(self, login: str, password: str) -> str:
logger.debug(f"_login3 user '{login}' cannot be found")
return ""
tmp: list[str] = []
if self._ldap_load_groups:
if self._ldap_groups_attr:
tmp = []
for g in user_entry['attributes'][self._ldap_groups_attr]:
"""Get group g's RDN's attribute value"""
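Review bot: The loops at `for g in user_entry[1][self._ldap_groups_attr]:` (`_login2`) and `for g in user_entry['attributes'][self._ldap_groups_attr]:` (`_login3`) index the attribute unconditionally as soon as `ldap_groups_attribute` is set, so a user whose entry carries no such attribute — with python-ldap, an AD user in no groups has no `memberOf` key in the entry dict — raises `KeyError` during login instead of authenticating with an empty group list. Suggest `for g in user_entry[1].get(self._ldap_groups_attr, []):` and `for g in user_entry['attributes'].get(self._ldap_groups_attr, []):`; whether ldap3 already fills a requested-but-absent attribute with an empty list I cannot confirm from here, so treat the `_login3` change as defensive. Both `_login2` and `_login3` start and end outside the hunks shown, as does `__init__`.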
6 changes: 1 addition & 5 deletions radicale/config.py
Expand Up @@ -247,12 +247,8 @@ def json_str(value: Any) -> dict:
"value": "",
"help": "the attribute to be used as username after authentication",
"type": str}),
("ldap_load_groups", {
"value": "False",
"help": "load the ldap groups of the authenticated user",
"type": bool}),
("ldap_groups_attribute", {
"value": "memberOf",
"value": "",
"help": "attribute to read the group memberships from",
"type": str}),
("ldap_use_ssl", {
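Review bot: Dropping the `ldap_load_groups` entry while changing the `ldap_groups_attribute` default from `"memberOf"` to `""` silently alters existing deployments: a config that set `ldap_load_groups = True` and relied on the old `memberOf` default will, after upgrade, load no groups at all, so any rights rule or group calendar keyed on LDAP groups stops matching without any error being raised. If the config loader rejects unknown options (that code is not visible here), such configs instead fail at startup, which is at least visible. Consider keeping a deprecated `ldap_load_groups` entry in this schema for one release and having `Auth.__init__` log a warning when it is set while `ldap_groups_attribute` is empty; at minimum extend the help text to `"help": "attribute to read the group memberships from (unset: groups are not loaded)"`.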
