LDAP design issues - fix proposals #7708
kkthxbye-code
started this conversation in
Ideas
Replies: 0 comments
This topic is to gather feedback and suggestions as to how to fix the sub-optimal LDAP implementation we currently have in netbox.
API requests always load both the user and their groups from AD on every request
Issues: #6926
The only check before loading the user from LDAP is here:
https://github.com/netbox-community/netbox/blob/develop/netbox/netbox/api/authentication.py#L28-L37
This means that if the LDAP backend is activated the user and its groups are always reloaded from AD, both for "local" and LDAP users and even if AUTH_LDAP_FIND_GROUP_PERMS is disabled.
An easy band-aid fix for cases where AUTH_LDAP_FIND_GROUP_PERMS is disabled in favor of AUTH_LDAP_MIRROR_GROUPS could look like this:
The drawback with this solution is that the user's group memberships are only updated when a login is performed in the web UI.
The second issue is that when the user is requested with populate_user, the cache in django-auth-ldap doesn't seem to function at all, so all requests hit the AD server. I'm not sure how to fix that part.
Another good feature that would help with both issues would be to add a distinction between "local" users and LDAP created users. Currently there is no reliable way I have found to distinguish between the two. If a flag was added, we could skip all LDAP flows for local accounts.
@cimnine @jeremystretch @tobiasge - Do you have any thoughts on this?
As an aside, what is the intended way that AUTH_LDAP_MIRROR_GROUPS and AUTH_LDAP_FIND_GROUP_PERMS should interact? Both can be active at the same time, but should AUTH_LDAP_MIRROR_GROUPS take precedence and local group assignments be ignored, or should they be merged?
The fix in #7676 could be improved if we ignore local group assignments if AUTH_LDAP_FIND_GROUP_PERMS is active.