Improve LDAP lookup of user groups

web/__init__.py

@@ -16,6 +16,7 @@ def create_app(test_config=None):
         'ldap_user': '',
         'ldap_pass': '',
         'ldap_base_dn': '',
+        'user_group': '',
         'oidc_tenant': '',
         'oidc_client_id': '',
         'oidc_client_secret': '',

web/system.py

@@ -58,12 +58,15 @@ def save_config():
         user_networks = collections.defaultdict(set)
         ldap = ldap3.Connection(ldap3.Server(settings.get('ldap_host'), use_ssl=True),
                 settings.get('ldap_user'), settings.get('ldap_pass'), auto_bind=True)
-        for group, network in groups.items():
+        ldap.search(settings.get('ldap_base_dn', ''),
-            ldap.search(settings.get('ldap_base_dn', ''),
+                    '(&(objectClass=user)(objectCategory=person)' + # only people
-                        f'(distinguishedName={group})', attributes='member')
+                    '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' + # with enabled accounts
-            if ldap.entries:
+                    f'(memberOf:1.2.840.113556.1.4.1941:={settings.get("user_group", "")}))', # in given group, recursively
-                for user in ldap.entries[0]['member']:
+                    attributes=['userPrincipalName', 'memberOf'])
-                    user_networks[user].add(network)
+        for entry in ldap.entries:
+            for group in entry.memberOf:
+                if group in groups:
+                    user_networks[entry.userPrincipalName.value].add(groups[group])
 
         # Now read the settings again and lock the database while generating
         # config files, then increment version before unlocking.