Merge branch 'release_2.4.3' into stable

* release_2.4.3:
  Avoid packaging crankiness
  Update changelogs
  Update version for 2.4.3 release
  The default value for the allow_callbacks checkbox needs to be a boolean (true/false) and not a string ("true"/"false").  The string will always evaluate to false in the UI and be unchecked.
  Add sample config for LDAP connection options, disable referrals by default, prefetch user groups to reduce LDAP queries when checking group memberships.

awx/__init__.py

@@ -6,7 +6,7 @@ import sys
 import warnings
 import site
 
-__version__ = '2.4.2'
+__version__ = '2.4.3'
 
 __all__ = ['__version__']
 

awx/main/tests/users.py

@@ -929,7 +929,7 @@ class LdapTest(BaseTest):
         if not self.ldap_password:
             self.skipTest('no test LDAP password defined')
         # Set test LDAP settings that are always needed.
-        for name in ('SERVER_URI', 'BIND_DN', 'BIND_PASSWORD', 'USE_TLS'):
+        for name in ('SERVER_URI', 'BIND_DN', 'BIND_PASSWORD', 'USE_TLS', 'CONNECTION_OPTIONS'):
             self.use_test_setting(name)
 
     def check_login(self, username=None, password=None, should_fail=False):

awx/settings/defaults.py

@@ -4,6 +4,7 @@
 import os
 import re  # noqa
 import sys
+import ldap
 import djcelery
 from datetime import timedelta
 
@@ -231,6 +232,12 @@ AUTHENTICATION_BACKENDS = (
 # LDAP server (default to None to skip using LDAP authentication).
 AUTH_LDAP_SERVER_URI = None
 
+# Disable LDAP referrals by default (to prevent certain LDAP queries from
+# hanging with AD).
+AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0,
+}
+
 # Radius server settings (default to empty string to skip using Radius auth).
 RADIUS_SERVER = ''
 RADIUS_PORT = 1812

awx/settings/local_settings.py.docker_compose

@@ -167,6 +167,11 @@ LOGGING['handlers']['syslog'] = {
 # Refer to django-auth-ldap docs for more details:
 # http://pythonhosted.org/django-auth-ldap/authentication.html
 
+# Imports needed for LDAP configuration.
+import ldap
+from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
+from django_auth_ldap.config import ActiveDirectoryGroupType
+
 # LDAP server URI, such as "ldap://ldap.example.com:389" (non-SSL) or
 # "ldaps://ldap.example.com:636" (SSL).  LDAP authentication is disable if this
 # parameter is empty.
@@ -183,10 +188,11 @@ AUTH_LDAP_BIND_PASSWORD = ''
 # Enable TLS when the connection is not using SSL.
 AUTH_LDAP_START_TLS = False
 
-# Imports needed for remaining LDAP configuration.
-import ldap
-from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
-from django_auth_ldap.config import ActiveDirectoryGroupType
+# Additional options to set for the LDAP connection.  LDAP referrals are
+# disabled by default (to prevent certain LDAP queries from hanging with AD).
+AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0,
+}
 
 # LDAP search query to find users.
 AUTH_LDAP_USER_SEARCH = LDAPSearch(
@@ -334,6 +340,9 @@ TEST_AUTH_LDAP_SERVER_URI = ''
 TEST_AUTH_LDAP_BIND_DN = ''
 TEST_AUTH_LDAP_BIND_PASSWORD = ''
 TEST_AUTH_LDAP_START_TLS = False
+TEST_AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0,
+}
 
 # LDAP username/password for testing authentication.
 TEST_AUTH_LDAP_USERNAME = ''

awx/settings/local_settings.py.example

@@ -165,6 +165,11 @@ LOGGING['handlers']['syslog'] = {
 # Refer to django-auth-ldap docs for more details:
 # http://pythonhosted.org/django-auth-ldap/authentication.html
 
+# Imports needed for LDAP configuration.
+import ldap
+from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
+from django_auth_ldap.config import ActiveDirectoryGroupType
+
 # LDAP server URI, such as "ldap://ldap.example.com:389" (non-SSL) or
 # "ldaps://ldap.example.com:636" (SSL).  LDAP authentication is disable if this
 # parameter is empty.
@@ -181,10 +186,11 @@ AUTH_LDAP_BIND_PASSWORD = ''
 # Enable TLS when the connection is not using SSL.
 AUTH_LDAP_START_TLS = False
 
-# Imports needed for remaining LDAP configuration.
-import ldap
-from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion
-from django_auth_ldap.config import ActiveDirectoryGroupType
+# Additional options to set for the LDAP connection.  LDAP referrals are
+# disabled by default (to prevent certain LDAP queries from hanging with AD).
+AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0,
+}
 
 # LDAP search query to find users.
 AUTH_LDAP_USER_SEARCH = LDAPSearch(
@@ -332,6 +338,9 @@ TEST_AUTH_LDAP_SERVER_URI = ''
 TEST_AUTH_LDAP_BIND_DN = ''
 TEST_AUTH_LDAP_BIND_PASSWORD = ''
 TEST_AUTH_LDAP_START_TLS = False
+TEST_AUTH_LDAP_CONNECTION_OPTIONS = {
+    ldap.OPT_REFERRALS: 0,
+}
 
 # LDAP username/password for testing authentication.
 TEST_AUTH_LDAP_USERNAME = ''

awx/sso/backends.py

@@ -199,6 +199,10 @@ def on_populate_user(sender, **kwargs):
     ldap_user = kwargs['ldap_user']
     backend = ldap_user.backend
 
+    # Prefetch user's groups to prevent LDAP queries for each org/team when
+    # checking membership.
+    ldap_user._get_groups().get_group_dns()
+
     # Update organization membership based on group memberships.
     org_map = getattr(backend.settings, 'ORGANIZATION_MAP', {})
     for org_name, org_opts in org_map.items():

awx/ui/client/src/controllers/JobTemplates.js

@@ -903,7 +903,7 @@ export function JobTemplatesEdit($filter, $scope, $rootScope, $compile, $locatio
             $scope.search(relatedSets[set].iterator);
         }
 
-        dft = ($scope.host_config_key === "" || $scope.host_config_key === null) ? 'false' : 'true';
+        dft = ($scope.host_config_key === "" || $scope.host_config_key === null) ? false : true;
         md5Setup({
             scope: $scope,
             master: master,