Skip to content

fix: gracefully handle missing ldap.group_search to prevent HTTP 500#12364

Open
andrianbalanesq wants to merge 1 commit into
inventree:masterfrom
andrianbalanesq:fix/ldap-group-search-missing-12225
Open

fix: gracefully handle missing ldap.group_search to prevent HTTP 500#12364
andrianbalanesq wants to merge 1 commit into
inventree:masterfrom
andrianbalanesq:fix/ldap-group-search-missing-12225

Conversation

@andrianbalanesq

Copy link
Copy Markdown

Summary

Fixes #12225

When LDAP authentication is enabled (ldap.enabled: true) with group permission lookup active, but ldap.group_search is not configured, the server starts normally but later crashes with TypeError: search_ext() argument 1 must be str, not None during normal API requests that require permission evaluation.

This happens because AUTH_LDAP_FIND_GROUP_PERMS was hardcoded to True, and AUTH_LDAP_GROUP_SEARCH was created as LDAPSearch(None, ...) when the setting was missing.

Changes

  • Made AUTH_LDAP_FIND_GROUP_PERMS configurable via the new ldap.find_group_perms setting (defaults to True for backward compatibility)
  • When ldap.group_search is not set (None), all group-based features are disabled gracefully with a warning message instead of crashing:
    • AUTH_LDAP_FIND_GROUP_PERMS set to False
    • AUTH_LDAP_GROUP_SEARCH set to None (instead of LDAPSearch(None, ...))
    • AUTH_LDAP_MIRROR_GROUPS set to False
    • AUTH_LDAP_REQUIRE_GROUP set to None
    • AUTH_LDAP_DENY_GROUP set to None
    • AUTH_LDAP_USER_FLAGS_BY_GROUP set to None
  • Added unit tests covering three scenarios:
    1. Missing group_search with find_group_perms=True (should disable gracefully)
    2. Configured group_search with find_group_perms=True (should stay enabled)
    3. Configured group_search with find_group_perms=False (should respect explicit disable)
  • Documented the new ldap.find_group_perms setting in the LDAP configuration docs

Checklist

  • Code follows the project style guidelines (PEP 8, double quotes)
  • Self-review completed
  • Comments added for complex logic
  • Unit tests added
  • Documentation updated

…nventree#12225)

When LDAP is enabled but ldap.group_search is not configured,
django-auth-ldap crashes at runtime with TypeError when performing
group permission lookups. This results in HTTP 500 errors during
normal API requests.

Changes:
- Make AUTH_LDAP_FIND_GROUP_PERMS configurable via ldap.find_group_perms
  setting (defaults to True for backward compatibility)
- When group_search DN is None, disable all group-based features
  (find_group_perms, mirror_groups, require_group, deny_group,
  user_flags_by_group) gracefully with a warning instead of crashing
- Set AUTH_LDAP_GROUP_SEARCH to None instead of LDAPSearch(None, ...)
- Add tests for all three scenarios: missing group_search, configured
  group_search, explicit find_group_perms=False
- Document new ldap.find_group_perms setting
@netlify

netlify Bot commented Jul 13, 2026

Copy link
Copy Markdown

Deploy Preview for inventree-web-pui-preview canceled.

Name Link
🔨 Latest commit 4354c1b
🔍 Latest deploy log https://app.netlify.com/projects/inventree-web-pui-preview/deploys/6a5435f96cb4280008fd3a4a

# If group search DN is not configured, group-based features cannot
# work. Disable them gracefully with a warning instead of letting
# django-auth-ldap crash at runtime with a TypeError (see #12225).
if group_search_dn is None:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should you also check for empty string here? e.g.

if not group_search_dn:
    ...

'AUTH_LDAP_MIRROR_GROUPS': get_boolean_setting(
'INVENTREE_LDAP_MIRROR_GROUPS', 'ldap.mirror_groups', False
),
) if group_search_dn is not None else False,

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could simplify to:

) if group_search_dn else False

@SchrodingersGat SchrodingersGat added setup Relates to the InvenTree setup / installation process documentation labels Jul 13, 2026
@SchrodingersGat

Copy link
Copy Markdown
Member

Someone with LDAP experience will need to review this

@AndrianBalanescu

Copy link
Copy Markdown

Thanks for the review! Both suggestions make sense:

  1. Empty string check — good catch. None and "" should both trigger the fallback. I'll change it to if not group_search_dn: which covers both cases cleanly.
  2. Simplifying to ) if group_search_dn else False — agreed, that's more Pythonic. Will apply in the next push.

Happy to wait for someone with LDAP experience to review the broader approach.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation setup Relates to the InvenTree setup / installation process

Projects

None yet

Development

Successfully merging this pull request may close these issues.

LDAP group search misconfiguration results in HTTP 500 during requests

4 participants