From 2717742bd2a66a2757c5e7c2208fd221f9d2c49e Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Fri, 5 Feb 2021 15:17:20 +0100
Subject: [PATCH] sources/ldap: don't remove users from group which were not synced from AD

---
 authentik/sources/ldap/sync/membership.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/authentik/sources/ldap/sync/membership.py b/authentik/sources/ldap/sync/membership.py
index 6fe6af870..0fedf793f 100644
--- a/authentik/sources/ldap/sync/membership.py
+++ b/authentik/sources/ldap/sync/membership.py
@@ -4,6 +4,7 @@ from typing import Any, Optional
 import ldap3
 import ldap3.core.exceptions
+from django.db.models import Q
 from authentik.core.models import Group, User
 from authentik.sources.ldap.auth import LDAP_DISTINGUISHED_NAME
 from authentik.sources.ldap.models import LDAPSource
@@ -36,13 +37,17 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
             members = group.get("attributes", {}).get(
                 self._source.group_membership_field, []
             )
-            users = User.objects.filter(
-                **{f"attributes__{LDAP_DISTINGUISHED_NAME}__in": members}
-            )
-
             ak_group = self.get_group(group)
             if not ak_group:
                 continue
+
+            users = User.objects.filter(
+                Q(**{f"attributes__{LDAP_DISTINGUISHED_NAME}__in": members}) |
+                Q(**{
+                    f"attributes__{LDAP_DISTINGUISHED_NAME}__isnull": True,
+                    "ak_groups__in": [ak_group]
+                })
+            )
             membership_count += 1
             membership_count += users.count()
             ak_group.users.set(users)
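Review bot: The new `User.objects.filter(...)` in the second hunk ORs a plain attribute condition with a condition on the `ak_groups` many-to-many relation, and a Django query that spans a multi-valued relation this way may return one row per membership row rather than one per user, so the `users.count()` on the following line can over-report `membership_count` (`ak_group.users.set(users)` is unaffected, since `set()` deduplicates by primary key). Closing the filter with `).distinct()` instead of `)` removes the duplicates; `"ak_groups": ak_group` would also be simpler than `"ak_groups__in": [ak_group]`. Note that users who carry the DN attribute but are absent from `members` are still dropped from the group, which presumably also covers accounts synced from a second LDAP source if that attribute key is shared between sources; if that is the intended deprovisioning rule, a comment above the filter such as `# keep members without a DN attribute (not synced from LDAP); everyone else follows the directory` would make it explicit. The loop and the method enclosing these lines begin and end outside the hunk.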