Add validation checks

that prevent the setting from being turned on if remote auth systems
and users are not already present.

awx/api/conf.py

@@ -1,8 +1,12 @@
 # Django
+from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
 
+# Django REST Framework
+from rest_framework import serializers
+
 # AWX
-from awx.conf import fields, register
+from awx.conf import fields, register, register_validate
 from awx.api.fields import OAuth2ProviderField
 from oauth2_provider.settings import oauth2_settings
 
@@ -92,3 +96,27 @@ register(
     category=_('Authentication'),
     category_slug='authentication',
 )
+
+
+def authentication_validate(serializer, attrs):
+    from django.contrib.auth.models import User
+
+    remote_auth_settings = [
+        'AUTH_LDAP_SERVER_URI',
+        'SOCIAL_AUTH_GOOGLE_OAUTH2_KEY',
+        'SOCIAL_AUTH_GITHUB_KEY',
+        'SOCIAL_AUTH_GITHUB_ORG_KEY',
+        'SOCIAL_AUTH_GITHUB_TEAM_KEY',
+        'SOCIAL_AUTH_SAML_ENABLED_IDPS',
+        'RADIUS_SERVER',
+        'TACACSPLUS_HOST',
+    ]
+    if attrs.get('DISABLE_LOCAL_AUTH', False):
+        if not any(getattr(settings, s, None) for s in remote_auth_settings):
+            raise serializers.ValidationError(_("There are no remote authentication systems configured."))
+        if not User.objects.exclude(profile__ldap_dn='', enterprise_auth__isnull=True, social_auth__isnull=True).exists():
+            raise serializers.ValidationError(_("There are no remote users in the system."))
+    return attrs
+
+
+register_validate('authentication', authentication_validate)