From 5f89d18df66f94f2ca839daa6dbe9b9389cce353 Mon Sep 17 00:00:00 2001
From: Peter Marschall <peter@adpm.de>
Date: Fri, 19 Sep 2025 18:06:50 +0200
Subject: [PATCH] LDAP auth: move evaluation of quirk for Authentik where it
 belongs

The evaluation of the quirk for the Authentik LDAP server changes the behaviour
of Python's `ldap3` module, and that module only.
Evaluating the quirk in `__init__` which is used for both, `ldap` and `ldap3`
is thus wrong, and may lead to errors when this setting is used together with
the `ldap` module.

Signed-off-by: Peter Marschall <peter@adpm.de>
---
 radicale/auth/ldap.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py
index ababe16a..94640f33 100644
--- a/radicale/auth/ldap.py
+++ b/radicale/auth/ldap.py
@@ -88,9 +88,6 @@ class Auth(auth.BaseAuth):
                 raise RuntimeError("LDAP authentication requires the ldap3 module") from e
 
         self._ldap_ignore_attribute_create_modify_timestamp = configuration.get("auth", "ldap_ignore_attribute_create_modify_timestamp")
-        if self._ldap_ignore_attribute_create_modify_timestamp:
-            logger.info("auth.ldap_ignore_attribute_create_modify_timestamp will be applied")
-
         self._ldap_uri = configuration.get("auth", "ldap_uri")
         self._ldap_base = configuration.get("auth", "ldap_base")
         self._ldap_reader_dn = configuration.get("auth", "ldap_reader_dn")
@@ -165,6 +162,8 @@ class Auth(auth.BaseAuth):
                 logger.info("auth.ldap_ssl_ca_file     : %r" % self._ldap_ssl_ca_file)
             else:
                 logger.info("auth.ldap_ssl_ca_file     : (not provided)")
+        if self._ldap_ignore_attribute_create_modify_timestamp:
+            logger.info("auth.ldap_ignore_attribute_create_modify_timestamp applied (relevant for ldap3 only)")
         """Extend attributes to to be returned in the user query"""
         if self._ldap_groups_attr:
             self._ldap_attributes.append(self._ldap_groups_attr)
@@ -258,9 +257,10 @@ class Auth(auth.BaseAuth):
             return ""
 
     def _login3(self, login: str, password: str) -> str:
-        """Connect the server"""
         if self._ldap_ignore_attribute_create_modify_timestamp:
             self.ldap3.utils.config._ATTRIBUTES_EXCLUDED_FROM_CHECK.extend(['createTimestamp', 'modifyTimestamp'])
+
+        """Connect the server"""
         try:
             logger.debug(f"_login3 {self._ldap_uri}, {self._ldap_reader_dn}")
             if self._use_encryption: