diff --git a/zproject/backends.py b/zproject/backends.py index ec410d41b7..57e200cd21 100644 --- a/zproject/backends.py +++ b/zproject/backends.py @@ -824,7 +824,11 @@ def sync_user_from_ldap(user_profile: UserProfile, logger: logging.Logger) -> bo try: ldap_username = backend.django_to_ldap_username(user_profile.delivery_email) except ZulipLDAPExceptionNoMatchingLDAPUser: - if settings.LDAP_DEACTIVATE_NON_MATCHING_USERS: + if ( + settings.ONLY_LDAP + if settings.LDAP_DEACTIVATE_NON_MATCHING_USERS is None + else settings.LDAP_DEACTIVATE_NON_MATCHING_USERS + ): do_deactivate_user(user_profile) logger.info("Deactivated non-matching user: %s", user_profile.delivery_email) return True diff --git a/zproject/default_settings.py b/zproject/default_settings.py index 5fffcf28cb..84285801a9 100644 --- a/zproject/default_settings.py +++ b/zproject/default_settings.py @@ -411,3 +411,6 @@ IS_DEV_DROPLET = False # Used by puppet/zulip_ops/files/cron.d/check_send_receive_time. NAGIOS_BOT_HOST = EXTERNAL_HOST + +# Automatically deactivate users not found by the AUTH_LDAP_USER_SEARCH query. +LDAP_DEACTIVATE_NON_MATCHING_USERS: Optional[bool] = None diff --git a/zproject/settings.py b/zproject/settings.py index b6ffb3b223..80dd9776cf 100644 --- a/zproject/settings.py +++ b/zproject/settings.py @@ -935,10 +935,10 @@ POLL_TIMEOUT = 90 * 1000 USING_APACHE_SSO = ('zproject.backends.ZulipRemoteUserBackend' in AUTHENTICATION_BACKENDS) -if 'LDAP_DEACTIVATE_NON_MATCHING_USERS' not in vars(): - LDAP_DEACTIVATE_NON_MATCHING_USERS = ( - len(AUTHENTICATION_BACKENDS) == 1 and (AUTHENTICATION_BACKENDS[0] == - "zproject.backends.ZulipLDAPAuthBackend")) +ONLY_LDAP = False +if len(AUTHENTICATION_BACKENDS) == 1 and (AUTHENTICATION_BACKENDS[0] == + "zproject.backends.ZulipLDAPAuthBackend"): + ONLY_LDAP = True if len(AUTHENTICATION_BACKENDS) == 1 and (AUTHENTICATION_BACKENDS[0] == "zproject.backends.ZulipRemoteUserBackend"):