From 7134aab05b80adf2cfa5b933f84a232c8e1eec37 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 14 May 2026 22:48:16 +1000
Subject: [PATCH] Fix #11832: Prevent TypeError by making LDAP group search
 conditional in settings (#11898) (#11944)

(cherry picked from commit 45d95142cc4ab4374f017b388e2331c953b1f07c)

Co-authored-by: Aditya Kumar Mishra <154746713+adityakrmishra@users.noreply.github.com>
---
 src/backend/InvenTree/InvenTree/settings.py | 33 +++++++++++++--------
 1 file changed, 21 insertions(+), 12 deletions(-)

diff --git a/src/backend/InvenTree/InvenTree/settings.py b/src/backend/InvenTree/InvenTree/settings.py
index 444919d6b8..5103925482 100644
--- a/src/backend/InvenTree/InvenTree/settings.py
+++ b/src/backend/InvenTree/InvenTree/settings.py
@@ -517,20 +517,12 @@ if LDAP_AUTH:  # pragma: no cover
         'INVENTREE_LDAP_CACHE_TIMEOUT', 'ldap.cache_timeout', 3600, int
     )
 
-    AUTH_LDAP_MIRROR_GROUPS = get_boolean_setting(
-        'INVENTREE_LDAP_MIRROR_GROUPS', 'ldap.mirror_groups', False
-    )
     AUTH_LDAP_GROUP_OBJECT_CLASS = get_setting(
         'INVENTREE_LDAP_GROUP_OBJECT_CLASS',
         'ldap.group_object_class',
         'groupOfUniqueNames',
         str,
     )
-    AUTH_LDAP_GROUP_SEARCH = django_auth_ldap.config.LDAPSearch(
-        get_setting('INVENTREE_LDAP_GROUP_SEARCH', 'ldap.group_search'),
-        ldap.SCOPE_SUBTREE,
-        f'(objectClass={AUTH_LDAP_GROUP_OBJECT_CLASS})',
-    )
     AUTH_LDAP_GROUP_TYPE_CLASS = get_setting(
         'INVENTREE_LDAP_GROUP_TYPE_CLASS',
         'ldap.group_type_class',
@@ -546,9 +538,6 @@ if LDAP_AUTH:  # pragma: no cover
         {'name_attr': 'cn'},
         dict,
     )
-    AUTH_LDAP_GROUP_TYPE = getattr(django_auth_ldap.config, AUTH_LDAP_GROUP_TYPE_CLASS)(
-        *AUTH_LDAP_GROUP_TYPE_CLASS_ARGS, **AUTH_LDAP_GROUP_TYPE_CLASS_KWARGS
-    )
     AUTH_LDAP_REQUIRE_GROUP = get_setting(
         'INVENTREE_LDAP_REQUIRE_GROUP', 'ldap.require_group'
     )
@@ -559,7 +548,27 @@ if LDAP_AUTH:  # pragma: no cover
         default_value=None,
         typecast=dict,
     )
-    AUTH_LDAP_FIND_GROUP_PERMS = True
+
+    # Only configure group search and group permissions if a valid base DN is provided.
+    # Without this guard, passing None to LDAPSearch causes django-auth-ldap to crash
+    # with: TypeError: search_ext() argument 1 must be str, not None
+    # See: https://github.com/inventree/InvenTree/issues/11832
+    _ldap_group_search = get_setting('INVENTREE_LDAP_GROUP_SEARCH', 'ldap.group_search')
+    if _ldap_group_search:
+        AUTH_LDAP_GROUP_SEARCH = django_auth_ldap.config.LDAPSearch(
+            _ldap_group_search,
+            ldap.SCOPE_SUBTREE,
+            f'(objectClass={AUTH_LDAP_GROUP_OBJECT_CLASS})',
+        )
+        AUTH_LDAP_GROUP_TYPE = getattr(
+            django_auth_ldap.config, AUTH_LDAP_GROUP_TYPE_CLASS
+        )(*AUTH_LDAP_GROUP_TYPE_CLASS_ARGS, **AUTH_LDAP_GROUP_TYPE_CLASS_KWARGS)
+        AUTH_LDAP_MIRROR_GROUPS = get_boolean_setting(
+            'INVENTREE_LDAP_MIRROR_GROUPS', 'ldap.mirror_groups', False
+        )
+        AUTH_LDAP_FIND_GROUP_PERMS = True
+    else:
+        AUTH_LDAP_FIND_GROUP_PERMS = False
 
 # Allow secure http developer server in debug mode
 if DEBUG: