From f09628576905cd3eabbc5d3827aa3ebca2fabdd8 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp
Date: Tue, 30 Sep 2025 14:28:48 +0200
Subject: [PATCH] feat(groups): Only allow the "null" driver for multi-tenant setups
---
 .woodpecker.star | 1 +
 services/groups/pkg/config/parser/parse.go | 4 ++++
 2 files changed, 5 insertions(+)
diff --git a/.woodpecker.star b/.woodpecker.star
index d3cb7e5fe..56e3616be 100644
--- a/.woodpecker.star
+++ b/.woodpecker.star
@@ -334,6 +334,7 @@ config = {
 "GRAPH_LDAP_SERVER_UUID": True,
 "GRAPH_LDAP_GROUP_CREATE_BASE_DN": "ou=custom,ou=groups,dc=opencloud,dc=eu",
 "GRAPH_LDAP_REFINT_ENABLED": True,
+ "GROUPS_DRIVER": "null",
 "FRONTEND_READONLY_USER_ATTRIBUTES": "user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments",
 "OC_LDAP_SERVER_WRITE_ENABLED": False,
 "OC_EXCLUDE_RUN_SERVICES": "idm",
diff --git a/services/groups/pkg/config/parser/parse.go b/services/groups/pkg/config/parser/parse.go
index 94dd50d23..493ca6bf2 100644
--- a/services/groups/pkg/config/parser/parse.go
+++ b/services/groups/pkg/config/parser/parse.go
@@ -2,6 +2,7 @@ package parser
 import (
 "errors"
+ "fmt"
 occfg "github.com/opencloud-eu/opencloud/pkg/config"
 "github.com/opencloud-eu/opencloud/pkg/shared"
@@ -38,6 +39,9 @@ func Validate(cfg *config.Config) error {
 return shared.MissingJWTTokenError(cfg.Service.Name)
 }
+ if cfg.Commons.MultiTenantEnabled && cfg.Driver != "null" {
+ return fmt.Errorf("Multi-tenant support is enabled. Only the 'null'-driver is supported by 'groups' service.")
+ }
 if cfg.Drivers.LDAP.BindPassword == "" && cfg.Driver == "ldap" {
 return shared.MissingLDAPBindPassword(cfg.Service.Name)
 }
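Review bot: The error returned by the new multi-tenant guard in `Validate` names neither the rejected driver nor the service from config, and its text is capitalised and ends in a period, which `staticcheck` (ST1005) flags for Go error strings. This check fails closed on a driver that is presumably not tenant-aware, so the message should tell the operator exactly what was refused, e.g. `return fmt.Errorf("multi-tenant support is enabled: driver %q is not supported by service %q, only \"null\" is", cfg.Driver, cfg.Service.Name)`. If `cfg.Commons` is a pointer, the guard dereferences it without a nil check; whether it is always populated before `Validate` runs is not visible here and should be confirmed. A unit test asserting that `MultiTenantEnabled` together with `Driver: "ldap"` is rejected would keep the guard from regressing silently. `Validate`'s body starts and ends outside the hunk.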