Bug 467992: Login fails if the user's LDAP account is denied search in LDAP -…

Bug 467992: Login fails if the user's LDAP account is denied search in LDAP - Patch by Adam Batkin <adam@batkin.net> r/a=mkanat

Bug 467992: Login fails if the user's LDAP account is denied search in LDAP -…
100d27e8 · lpsolit%gmail.com · f170f68d · 100d27e8 · 100d27e8
Commit 100d27e8 authored Jan 05, 2010 by lpsolit%gmail.com
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 6 deletions

LDAP.pm Bugzilla/Auth/Verify/LDAP.pm +28 -5

code-error.html.tmpl template/en/default/global/code-error.html.tmpl +5 -1

No files found.
--- a/Bugzilla/Auth/Verify/LDAP.pm
+++ b/Bugzilla/Auth/Verify/LDAP.pm
@@ -56,7 +56,7 @@ sub check_credentials {
    # just appending the Base DN to the uid isn't sufficient to get the
    # user's DN.  For servers which don't work this way, there will still
    # be no harm done.
-    $self->_bind_ldap_anonymously();
+    $self->_bind_ldap_for_search();

    # Now, we verify that the user exists, and get a LDAP Distinguished
    # Name for the user.
@@ -76,12 +76,35 @@ sub check_credentials {
    return { failure => AUTH_LOGINFAILED } if $pw_result->code;

    # And now we fill in the user's details.
+
+    # First try the search as the (already bound) user in question.
+    my $user_entry;
+    my $error_string;
    my $detail_result = $self->ldap->search(_bz_search_params($username));
+    if ($detail_result->code) {
+        # Stash away the original error, just in case
+        $error_string = $detail_result->error;
+    } else {
+        $user_entry = $detail_result->shift_entry;
+    }
+
+    # If that failed (either because the search failed, or returned no
+    # results) then try re-binding as the initial search user, but only
+    # if the LDAPbinddn parameter is set.
+    if (!$user_entry && Bugzilla->params->{"LDAPbinddn"}) {
+        $self->_bind_ldap_for_search();
+
+        $detail_result = $self->ldap->search(_bz_search_params($username));
+        if (!$detail_result->code) {
+            $user_entry = $detail_result->shift_entry;
+        }
+    }
+
+    # If we *still* don't have anything in $user_entry then give up.
    return { failure => AUTH_ERROR, error => "ldap_search_error",
-             details => {errstr => $detail_result->error, username => $username}
-    } if $detail_result->code;
+             details => {errstr => $error_string, username => $username}
+    } if !$user_entry;

-    my $user_entry = $detail_result->shift_entry;

    my $mail_attr = Bugzilla->params->{"LDAPmailattribute"};
    if ($mail_attr) {
@@ -128,7 +151,7 @@ sub _bz_search_params {
                      . Bugzilla->params->{"LDAPfilter"} . ')');
 }

-sub _bind_ldap_anonymously {
+sub _bind_ldap_for_search {
    my ($self) = @_;
    my $bind_result;
    if (Bugzilla->params->{"LDAPbinddn"}) {

--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -344,7 +344,11 @@
  [% ELSIF error == "ldap_search_error" %]
    An error occurred while trying to search LDAP for 
    &quot;[% username FILTER html %]&quot;: 
-   <code>[% errstr FILTER html %]</code>
+    [% IF errstr %]
+      <code>[% errstr FILTER html %]</code>
+    [% ELSE %]
+      Unable to find user in LDAP
+    [% END %]

  [% ELSIF error == "ldap_server_not_defined" %]
    The LDAP server for authentication has not been defined.