sources/ldap: check if we need to connect to ldap before connecting

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

authentik/sources/ldap/password.py

@@ -49,6 +49,11 @@ def __init__(self, source: LDAPSource) -> None:
         self._source = source
         self._connection = source.connection()
 
+    @staticmethod
+    def should_check_user(user: User) -> bool:
+        """Check if the user has LDAP parameters and needs to be checked"""
+        return LDAP_DISTINGUISHED_NAME in user.attributes
+
     def get_domain_root_dn(self) -> str:
         """Attempt to get root DN via MS specific fields or generic LDAP fields"""
         info = self._connection.server.info

authentik/sources/ldap/signals.py

@@ -41,11 +41,12 @@ def ldap_password_validate(sender, password: str, plan_context: dict[str, Any],
     if not sources.exists():
         return
     source = sources.first()
+    user = plan_context.get(PLAN_CONTEXT_PENDING_USER, None)
+    if user and not LDAPPasswordChanger.should_check_user(user):
+        return
     changer = LDAPPasswordChanger(source)
     if changer.check_ad_password_complexity_enabled():
-        passing = changer.ad_password_complexity(
-            password, plan_context.get(PLAN_CONTEXT_PENDING_USER, None)
-        )
+        passing = changer.ad_password_complexity(password, user)
         if not passing:
             raise ValidationError(_("Password does not match Active Directory Complexity."))
 
@@ -57,6 +58,8 @@ def ldap_sync_password(sender, user: User, password: str, **_):
     if not sources.exists():
         return
     source = sources.first()
+    if not LDAPPasswordChanger.should_check_user(user):
+        return
     try:
         changer = LDAPPasswordChanger(source)
         changer.change_password(user, password)