Description
NetBox version
V3.0.9
Feature type
Change to existing functionality
Proposed functionality
Currently, when using the LDAP backend for authentication, the AD is queried on every API request, regardless of other settings and regardless of whether the user is local or has been created by the LDAP backend. Additionally, the LDAP cache built into django-auth-ldap does not function when using populate_user.
As the user is not actually authenticated against the AD when using the API (the token is used), I propose that the local user and its group assignments are used when FIND_GROUP_PERMISSIONS is disabled.
I have a change ready for pull request if the issue is accepted.
For more info, please see the discussion I created: #7708
This issue would also partly fix #6926 - it will not fix the caching, but the user who reported the issue is not using FIND_GROUP_PERMISSIONS.
Use case
The end goal is vastly improved API performance when using the LDAP backend in most cases.
The above changes will result in the following changes for users:
Not using the LDAP backend:
No changes
FIND_GROUP_PERMS = True:
No changes
MIRROR_GROUPS = True and FIND_GROUP_PERMS = True:
No changes
MIRROR_GROUPS = True and FIND_GROUP_PERMS = False:
Local user and group assignments will be used when calling the API, and the user and groups are never reloaded from the LDAP server during API calls. This means that LDAP users utilizing the API will have to log in to the web UI to update group memberships. The change also allows one to use locally created users to call the API with querying the LDAP server.
MIRROR_GROUPS = False and FIND_GROUP_PERMS = False:
The user performing the API request has to be locally assigned groups or have local user object permissions.
Database changes
No database changes
External dependencies
No response
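
The trade-off in the MIRROR_GROUPS = True and FIND_GROUP_PERMS = False case, as an added example that is not part of the original issue and is not NetBox or django-auth-ldap code: a simplified model showing that token-authenticated API requests stop querying the directory, and that a group change in the directory reaches the API only after the next web login. `Directory`, `LocalUser`, `web_login`, `api_request_groups` and the sample user are hypothetical names and constructed data.

```python
from dataclasses import dataclass, field

@dataclass
class Directory:
    """Constructed stand-in for the LDAP/AD server; counts every group lookup."""
    groups: dict                      # username -> set of group names
    queries: int = 0

    def lookup(self, username):
        self.queries += 1
        return set(self.groups.get(username, ()))

@dataclass
class LocalUser:
    username: str
    groups: set = field(default_factory=set)   # locally stored group assignments

def web_login(user, directory, mirror_groups):
    """Interactive login authenticates against the directory; mirroring copies groups."""
    remote = directory.lookup(user.username)
    if mirror_groups:
        user.groups = remote

def api_request_groups(user, directory, ldap_backend, find_group_perms, mirror_groups):
    """Groups that authorize one token-authenticated API request (proposed behaviour)."""
    if not ldap_backend or not find_group_perms:
        return set(user.groups)       # local assignments only, no directory round trip
    remote = directory.lookup(user.username)   # unchanged path: reload on every request
    if mirror_groups:
        user.groups = remote
    return remote

def demo():
    directory = Directory({"alice": {"netops"}})   # constructed sample data
    alice = LocalUser("alice")
    web_login(alice, directory, mirror_groups=True)
    directory.groups["alice"] = set()              # alice is removed from the group in AD
    for _ in range(100):
        seen = api_request_groups(alice, directory, True, False, True)
    queries_after_api = directory.queries          # only the web login hit the directory
    web_login(alice, directory, mirror_groups=True)
    refreshed = api_request_groups(alice, directory, True, False, True)
    return seen, queries_after_api, refreshed

if __name__ == "__main__":
    print(demo())
```

In this model, the window between a directory change and the next web login is the period during which an API token still carries the old group assignments, so deployments choosing this combination need their own process for removing local group assignments or revoking tokens when directory access is withdrawn.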