From b45f2ed0e878253261c9303533bb7ab47967535e Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Mon, 23 Sep 2024 13:17:00 +0200
Subject: [PATCH 1/2] Ensure lookup_dn or bind_dn_template is configured on startup
---
 ldapauthenticator/ldapauthenticator.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
index 41380d1..468475e 100644
--- a/ldapauthenticator/ldapauthenticator.py
+++ b/ldapauthenticator/ldapauthenticator.py
@@ -155,6 +155,14 @@ def _validate_bind_dn_template(self, proposal):
 rv = [e for e in rv if e]
 return rv
+ @observe("lookup_dn", "bind_dn_template")
+ def _require_either_lookup_dn_or_bind_dn_template(self, change):
+ if not self.lookup_dn and not self.bind_dn_template:
+ raise ValueError(
+ "LDAPAuthenticator requires either lookup_dn or "
+ "bind_dn_template to be configured"
+ )
+
 allowed_groups = List(
 config=True,
 allow_none=True,
@@ -541,13 +549,6 @@ async def authenticate(self, handler, data):
 )
 return None
- # sanity check
- if not self.lookup_dn and not self.bind_dn_template:
- self.log.warning(
- "Login not allowed, please configure 'lookup_dn' or 'bind_dn_template'."
- )
- return None
-
 bind_dn_template = self.bind_dn_template
 resolved_username = login_username
 if self.lookup_dn:
From 7d62e1cd271119cea0aa66e5b5202749e33195f0 Mon Sep 17 00:00:00 2001
From: Erik Sundell
Date: Mon, 23 Sep 2024 13:18:23 +0200
Subject: [PATCH 2/2] Ensure allowed_groups is configured along with group_search_filter etc
---
 ldapauthenticator/ldapauthenticator.py | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/ldapauthenticator/ldapauthenticator.py b/ldapauthenticator/ldapauthenticator.py
index 468475e..0b6065f 100644
--- a/ldapauthenticator/ldapauthenticator.py
+++ b/ldapauthenticator/ldapauthenticator.py
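Review bot: The `@observe` hook added in the first hunk runs only when `lookup_dn` or `bind_dn_template` is assigned a value different from its current one — traitlets fires `@observe` handlers on `change` events, not when an untouched default is first resolved — so a deployment that configures neither, exactly the case the removed branch guarded against, is never checked, while the second hunk deletes the only test that ran unconditionally on the login path. This assumes both traits default to falsy values, which the removed condition implies but whose definitions lie outside the hunk. A one-time check after construction, e.g. `def __init__(self, **kwargs):` / `super().__init__(**kwargs)` / `self._require_either_lookup_dn_or_bind_dn_template(None)`, or keeping the fail-closed `return None` in `authenticate` as defense in depth, would close the gap; `_ensure_allowed_groups_requirements` in the second patch has the same shape. `authenticate` continues outside the hunk.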
@@ -200,6 +200,16 @@ def _require_either_lookup_dn_or_bind_dn_template(self, change):
 help="List of attributes to be searched",
 )
+ @observe("allowed_groups", "group_search_filter", "group_attributes")
+ def _ensure_allowed_groups_requirements(self, change):
+ if not self.allowed_groups:
+ return
+ if not self.group_search_filter or not self.group_attributes:
+ raise ValueError(
+ "LDAPAuthenticator.allowed_groups requires both "
+ "group_search_filter and group_attributes to be configured"
+ )
+
 valid_username_regex = Unicode(
 r"^[a-z][.a-z0-9_-]*$",
 config=True,
@@ -607,11 +617,6 @@ async def authenticate(self, handler, data):
 ldap_groups = []
 if self.allowed_groups:
- if not self.group_search_filter or not self.group_attributes:
- self.log.warning(
- "Missing group_search_filter or group_attributes. Both are required."
- )
- return None
 self.log.debug("username:%s Using dn %s", resolved_username, userdn)
 for group in self.allowed_groups:
 found = conn.search(
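Review bot: `_ensure_allowed_groups_requirements` has no docstring and its `change` argument is unused, so a reader cannot tell that it is a configuration-time fail-fast hook (the signature is what traitlets requires) rather than something `authenticate` calls; the same applies to `_require_either_lookup_dn_or_bind_dn_template` in the first patch. Suggest a docstring such as `"""Fail fast at config time: allowed_groups can only be enforced when both group_search_filter and group_attributes are set."""`. Because the hunk further down removes the branch in `authenticate` that used to log and deny the login, the `allowed_groups` help text should also say that this misconfiguration now aborts hub startup instead of being reported at login time. If the project's other trait checks raise `TraitError`, matching that here rather than `ValueError` would keep the error type consistent — `_validate_bind_dn_template`'s body is not visible, so that is a guess.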