settings: Move LDAP_DEACTIVATE_NON_MATCHING_USERS default to default_settings.

Tweaked by tabbott to fix an incorrect translation to ONLY_SSO.

Signed-off-by: Anders Kaseorg <anders@zulip.com>

zproject/backends.py

@@ -824,7 +824,11 @@ def sync_user_from_ldap(user_profile: UserProfile, logger: logging.Logger) -> bo
     try:
         ldap_username = backend.django_to_ldap_username(user_profile.delivery_email)
     except ZulipLDAPExceptionNoMatchingLDAPUser:
-        if settings.LDAP_DEACTIVATE_NON_MATCHING_USERS:
+        if (
+            settings.ONLY_LDAP
+            if settings.LDAP_DEACTIVATE_NON_MATCHING_USERS is None
+            else settings.LDAP_DEACTIVATE_NON_MATCHING_USERS
+        ):
             do_deactivate_user(user_profile)
             logger.info("Deactivated non-matching user: %s", user_profile.delivery_email)
             return True

zproject/default_settings.py

@@ -411,3 +411,6 @@ IS_DEV_DROPLET = False
 
 # Used by puppet/zulip_ops/files/cron.d/check_send_receive_time.
 NAGIOS_BOT_HOST = EXTERNAL_HOST
+
+# Automatically deactivate users not found by the AUTH_LDAP_USER_SEARCH query.
+LDAP_DEACTIVATE_NON_MATCHING_USERS: Optional[bool] = None

zproject/settings.py

@@ -935,10 +935,10 @@ POLL_TIMEOUT = 90 * 1000
 
 USING_APACHE_SSO = ('zproject.backends.ZulipRemoteUserBackend' in AUTHENTICATION_BACKENDS)
 
-if 'LDAP_DEACTIVATE_NON_MATCHING_USERS' not in vars():
+ONLY_LDAP = False
-    LDAP_DEACTIVATE_NON_MATCHING_USERS = (
+if len(AUTHENTICATION_BACKENDS) == 1 and (AUTHENTICATION_BACKENDS[0] ==
-        len(AUTHENTICATION_BACKENDS) == 1 and (AUTHENTICATION_BACKENDS[0] ==
+                                          "zproject.backends.ZulipLDAPAuthBackend"):
-                                               "zproject.backends.ZulipLDAPAuthBackend"))
+    ONLY_LDAP = True
 
 if len(AUTHENTICATION_BACKENDS) == 1 and (AUTHENTICATION_BACKENDS[0] ==
                                           "zproject.backends.ZulipRemoteUserBackend"):