From 08c879249bd94d2773c46df939283034fe4d2cf7 Mon Sep 17 00:00:00 2001
From: Thomas Gelf
Date: Tue, 18 Dec 2018 11:59:56 +0100
Subject: [PATCH] Auth: do not ask for unrelated group membership

If a specific User-Backend has been assigned to a Group Backend, and the User has been authenticated by another User-Backend, then there is no need to ask the unrelated Groups Backend for membership.
---
 library/Icinga/Authentication/Auth.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/library/Icinga/Authentication/Auth.php b/library/Icinga/Authentication/Auth.php
index 67a148678..e726f1b3a 100644
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@@ -139,7 +139,20 @@ class Auth
 $this->getResponse()->setReloadCss(true);
 $user->setPreferences($preferences);
 $groups = $user->getGroups();
+ $userBackendName = $user->getAdditional('backend_name');
 foreach (Config::app('groups') as $name => $config) {
+ $groupsUserBackend = $config->user_backend;
+ if ($groupsUserBackend
+ && $groupsUserBackend !== 'none'
+ && $userBackendName !== null
+ && $groupsUserBackend !== $userBackendName
+ ) {
+ // Do not ask for Group membership if a specific User Backend
+ // has been assigned to that Group Backend, and the user has
+ // been authenticated by another User Backend
+ continue;
+ }
+
 try {
 $groupBackend = UserGroupBackend::create($name, $config);
 $groupsFromBackend = $groupBackend->getMemberships($user);
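Review bot: The new guard in the `foreach` over `Config::app('groups')` only skips a group backend when `$userBackendName !== null`, so a user object that carries no `backend_name` is still checked against every group backend, including ones bound to a specific user backend. If that fall-through is intended (the hunk does not show where `backend_name` is set), the comment should say so, e.g. `// A user without a known backend_name is still checked against all group backends`; otherwise a same-named account from an unrelated source can keep picking up memberships from a bound backend. The `continue` is also silent, and since these memberships feed authorization, a debug log line naming `$name` and both backend names would make a missing group traceable. The match is a strict, case-sensitive `!==` between two configured names, which is worth stating next to the `'none'` sentinel so a differently-cased name is not mistaken for a different backend. The enclosing method starts and ends outside the hunk.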