graph: new config option GRAPH_LDAP_GROUP_CREATE_BASE_DN

By setting GRAPH_LDAP_GROUP_CREATE_BASE_DN a distinct subtree can be
configured where new LDAP groups are created. That subtree needs to be
subordinate to GRAPH_LDAP_GROUP_BASE_DN. All groups outside of
GRAPH_LDAP_GROUP_CREATE_BASE_DN are considered read-only; only groups
below that DN can be updated and deleted.

This is introduced for a pretty specific usecase where most groups are managed
in an external source (e.g. a read-only replica of an LDAP tree). But we still
want to allow the local administrator to create groups in a writeable subtree
attached to that replica.
This commit is contained in:
Ralf Haferkamp
2023-03-30 17:31:14 +02:00
committed by Ralf Haferkamp
parent 65a3fc09ca
commit 120887abcc
9 changed files with 216 additions and 36 deletions


@@ -82,8 +82,13 @@ func (g Graph) PostGroup(w http.ResponseWriter, r *http.Request) {
}
if grp, err = g.identityBackend.CreateGroup(r.Context(), *grp); err != nil {
logger.Debug().Interface("group", grp).Msg("could not create group: backend error")
errorcode.GeneralException.Render(w, r, http.StatusInternalServerError, err.Error())
var errcode errorcode.Error
if errors.As(err, &errcode) {
errcode.Render(w, r)
} else {
logger.Debug().Interface("group", grp).Msg("could not create group: backend error")
errorcode.GeneralException.Render(w, r, http.StatusInternalServerError, err.Error())
}
return
}