  1. Project Quay
  2. PROJQUAY-9587

Documentation on LDAP_GLOBAL_READONLY_SUPERUSER_FILTER is possibly incorrect


    • Quality / Stability / Reliability
    • False
    • False
    • Documentation (Ref Guide, User Guide, etc.)
    • Install
    • Quay Enterprise
    • Important
    • Customer Reported

      Customer has pointed out that in the documentation:
      [LDAP configuration fields](https://docs.redhat.com/en/documentation/red_hat_quay/3.15/html/configure_red_hat_quay/config-fields-optional-intro#config-fields-ldap)

      When set, grants users of this list read access to all repositories, regardless of whether they are public repositories. Only works for those superusers defined with the LDAP_SUPERUSER_FILTER configuration field. 
      

      based on this code snippet:

          query = self._add_user_filter(query)

          if filter_restricted_users:
              if not self._ldap_restricted_user_filter:
                  return (None, "Username not found")

              query = self._add_restricted_user_filter(query)

          elif filter_superusers:
              if not self._ldap_superuser_filter:
                  return (None, "Superuser username not found")

              query = self._add_superuser_filter(query)
          elif filter_global_readonly_superusers:
              if not self._ldap_global_readonly_superuser_filter:
                  return (None, "Global readonly superuser username not found")

              query = self._add_global_readonly_superuser_filter(query)


      [quay/data/users/externalldap.py](https://github.com/quay/quay/blob/a092721b7394aa4844d82599a818e69a5707c065/data/users/externalldap.py#L235)

      it would suggest that Quay is looking for either a restricted_user, a superuser, or a global read-only superuser, and that a global read-only superuser does not need to be a full superuser. If this is the case, then the documentation should be updated to remove the dependency.

              rhn-support-stevsmit Steven Smith
              dshoemak@redhat.com Dan S
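
A simplified model of the branch selection in the quoted snippet, added here as an illustration and not taken from Quay's code base. It assumes each `_add_*_filter` helper ANDs its configured LDAP filter onto the query; the `LookupModel` class, the `uid` attribute and the group DNs are constructed. In this model the global read-only lookup never consults the superuser filter, and the `elif` chain applies at most one role filter per lookup.

```python
# Simplified model of the if/elif chain quoted in this issue; not Quay's code.
# Assumption: each _add_*_filter helper ANDs the configured LDAP filter onto
# the query. The filter strings and the uid attribute are constructed samples.

def escape_filter_value(value):
    """Escape RFC 4515 special characters before embedding a value in a filter."""
    out = value.replace("\\", r"\5c")
    for ch, esc in (("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        out = out.replace(ch, esc)
    return out


class LookupModel:
    def __init__(self, restricted=None, superuser=None, global_readonly=None):
        self.restricted = restricted
        self.superuser = superuser
        self.global_readonly = global_readonly

    def build_query(self, username, filter_superusers=False,
                    filter_restricted_users=False,
                    filter_global_readonly_superusers=False):
        """Return (query, error), mirroring the branch order in the snippet."""
        query = "(uid={})".format(escape_filter_value(username))
        if filter_restricted_users:
            if not self.restricted:
                return (None, "Username not found")
            query = "(&{}{})".format(query, self.restricted)
        elif filter_superusers:
            if not self.superuser:
                return (None, "Superuser username not found")
            query = "(&{}{})".format(query, self.superuser)
        elif filter_global_readonly_superusers:
            if not self.global_readonly:
                return (None, "Global readonly superuser username not found")
            query = "(&{}{})".format(query, self.global_readonly)
        return (query, None)


# Constructed configuration: only the global read-only filter is set.
RO_ONLY = LookupModel(global_readonly="(memberOf=cn=quay-auditors,dc=example,dc=org)")
# Constructed configuration: both role filters are set.
BOTH = LookupModel(superuser="(memberOf=cn=quay-admins,dc=example,dc=org)",
                   global_readonly="(memberOf=cn=quay-auditors,dc=example,dc=org)")

if __name__ == "__main__":
    print(RO_ONLY.build_query("alice", filter_global_readonly_superusers=True))
    print(RO_ONLY.build_query("alice", filter_superusers=True))
    print(BOTH.build_query("alice", filter_global_readonly_superusers=True))
```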