Always expand groups from LDAP

[anonymous]

I tested 2.1.0-SNAPSHOT of DirectoryAuthPlugin. Plugin always expand groups from LDAP even if in trac.ini

[account-manager]
group_expand = 0

[bebbo]

In 16081:

refs #12994

• group_expand is now applied if group users are looked up. group_expand == 1: follow resolve also group members, group_expand == 0: only list direct group users.

[mazzibig@…]

Replying to bebbo:

In 16081:

refs #12994

• group_expand is now applied if group users are looked up. group_expand == 1: follow resolve also group members, group_expand == 0: only list direct group users.

I test this changes, but get_permission_groups calls self._expand_user_groups and do LDAP group search if group_expand = 0

[bebbo]

So your expectation if 'group_expand == 1' is, that no ldap groups are returned at all.

[anonymous]

Replying to bebbo:

So your expectation if 'group_expand == 1' is, that no ldap groups are returned at all.

if 'group_expand == 0'

Something like this in def _expand_user_groups(self, user, use_cache=1)

            if not self.group_expand:
              self.log.debug('group_expand set %s. Do not extend LDAP groups' % self.group_expand)
              return []

[bebbo]

In 16082:

refs #12994

• if group_expand == 0: no LDAP groups are returned.

[mazzibig@…]

Tested. All fine.

[bebbo]

In 16083:

refs #12994

• if group_expand == 0: if group_validusers is configured, login will still work, but that group is not shown under Admin permissions. To disable: do not configure group_validusers.

[mazzibig@…]

WISH

if group_expand = 0 and group_validusers is not configured all users from dir_basedn shown in AdminPanel Users.

May be only Trac users with LDAP data (mail, displayname) must be showing?

[bebbo]

There is distinct code from the primary author of this plugin, which explicitly defines the behaviour to return all LDAP users.

You may consider creating a new ticket for an additional option to support a different behaviour.