sources/ldap: don't remove users from group which were not synced from AD

2021-02-05 15:17:20 +01:00 · 2021-02-05 15:17:20 +01:00 · 2717742bd2
parent ef70e93bbd
commit 2717742bd2
1 changed files with 9 additions and 4 deletions
--- a/authentik/sources/ldap/sync/membership.py
+++ b/authentik/sources/ldap/sync/membership.py
@ -4,6 +4,7 @@ from typing import Any, Optional
 import ldap3
 import ldap3.core.exceptions

+from django.db.models import Q
 from authentik.core.models import Group, User
 from authentik.sources.ldap.auth import LDAP_DISTINGUISHED_NAME
 from authentik.sources.ldap.models import LDAPSource
@ -36,13 +37,17 @@ class MembershipLDAPSynchronizer(BaseLDAPSynchronizer):
            members = group.get("attributes", {}).get(
                self._source.group_membership_field, []
            )
-            users = User.objects.filter(
-                **{f"attributes__{LDAP_DISTINGUISHED_NAME}__in": members}
-            )
-
            ak_group = self.get_group(group)
            if not ak_group:
                continue
+
+            users = User.objects.filter(
+                Q(**{f"attributes__{LDAP_DISTINGUISHED_NAME}__in": members}) |
+                Q(**{
+                    f"attributes__{LDAP_DISTINGUISHED_NAME}__isnull": True,
+                    "ak_groups__in": [ak_group]
+                })
+            )
            membership_count += 1
            membership_count += users.count()
            ak_group.users.set(users)