Currently there are two mechanisms implemented to create users via LDAP: a batch sync (ldap.ldapSyncOnStartup and ldap.ldapSyncCronSync) and on-the-fly creation when the user logs in. While the first can be configured and turned off, the latter on-demand mechanism is always active and cannot be disabled.
The goal of this issue is to make the on-the-fly user creation optional as well. A new property is implemented:
When set to true, users that do not exist in the OpenOLAT database will be created and synchronized when they log in for the first time and successfully authenticate against the LDAP server.
When set to false, users that do not exist in the OpenOLAT database will not be created and will not be synchronized, even when they successfully authenticate against the LDAP server.
When set to false, existing users that are not marked as LDAP users are still converted when the flag convertExistingLocalUsersToLDAPUsers is set to true. This is particularly useful when users are created using the REST API together with course assignments etc. and the authentication is still delegated to the LDAP server.