Synchronizing and adding LDAP users to groups

We recently upgraded from 1.2 to 2.3.
Everything seems to work fine but the LDAP layer changed a bit and we have some trouble.
The users are authenticated properly from the LDAP database and the search seems to work as expected.

However there’s a few things I do not understand.

Indico seems to interpret the “external” users in the search as any user not present in the postgres database. We didn’t test it yet but my understanding is that the user is added to the database when they log in for the first time.

However, we manage groups as local indico groups and we would like to add a user that did not yet login to one of the indico local groups.

Assume there is a user E that is external and has not logged in yet.
We do not see it in the search button for adding a member to a group.
We can search in the Users menu for external users and we see him greyed out as in the attached picture (the first user in blue is in the database already, the latter in grey is not).
We do not want to create a local user for each ldap user. One cannot select such user to add him to the database, or at least I see no button to do that.

So my question is, is there a way to add such users without asking them to login?
They have a specific objectClass in the LDAP database (see filter in the attached config chunk), so it could be done with some code. But before writing some custom hack I’d like to understand whether this is possible in Indico or we are doing something wrong with the config. I also attach the config text.

We do not allow users to create local accounts.

In the attached config I changed title: ‘User’ because I wanted it to show up as such in the login form instead of “LDAP”. I don’t know if this affects anything. (681 Bytes)

There is no builtin way to add users who haven’t logged in to Indico yet to a local group. Might be easy to change in the code though, since it’s basically just a setting on the form fields in the python code whether to allow creating “pending” users or not:

Try replacing this line:

with this:

members = PrincipalListField(_('Group members'), allow_external_users=True)

Then you should be able to search for external users when adding people to the group. Feel free to send a PR against the 2.3-maintenance branch if that works.

Thanks for the reply, we’ll give it a try!

So regarding the question whether it makes sense to pre-populate the database, you seems to suggest is preferrable not to do. Maybe we try add the feature somewhere if you point me at the relevant code.

Actually what we were hoping for was a scripted way of doing it for a bulk number of users, which may include also removing them from the database eventually. Some kind of sync script we run externally with cron, or is ran as some automated task in some other way… I guess eventually we can look a the code that adds the user when they login.


There is no ldap sync feature since we do not want to spam the database with possibly loads of users that then don’t ever log in.

Have you considered managing groups via LDAP as well? I think this would avoid all these problems…

Well, the point was also to remove such users, not just dump them all there forever…

We cannot use our LDAP for group management as it is not intended to be managed by multiple users at the moment. It is temporarily bridging some other user database.
Currently we do not even know for how long it will be maintained.

Anyway thanks for your comments. We will keep you updated if the suggested patch for group addition works, I can send the PR if it works well.