Commit 100d27e8 authored by lpsolit%gmail.com's avatar lpsolit%gmail.com

Bug 467992: Login fails if the user's LDAP account is denied search in LDAP -…

Bug 467992: Login fails if the user's LDAP account is denied search in LDAP - Patch by Adam Batkin <adam@batkin.net> r/a=mkanat
parent f170f68d
...@@ -56,7 +56,7 @@ sub check_credentials { ...@@ -56,7 +56,7 @@ sub check_credentials {
# just appending the Base DN to the uid isn't sufficient to get the # just appending the Base DN to the uid isn't sufficient to get the
# user's DN. For servers which don't work this way, there will still # user's DN. For servers which don't work this way, there will still
# be no harm done. # be no harm done.
$self->_bind_ldap_anonymously(); $self->_bind_ldap_for_search();
# Now, we verify that the user exists, and get a LDAP Distinguished # Now, we verify that the user exists, and get a LDAP Distinguished
# Name for the user. # Name for the user.
...@@ -76,12 +76,35 @@ sub check_credentials { ...@@ -76,12 +76,35 @@ sub check_credentials {
return { failure => AUTH_LOGINFAILED } if $pw_result->code; return { failure => AUTH_LOGINFAILED } if $pw_result->code;
# And now we fill in the user's details. # And now we fill in the user's details.
# First try the search as the (already bound) user in question.
my $user_entry;
my $error_string;
my $detail_result = $self->ldap->search(_bz_search_params($username)); my $detail_result = $self->ldap->search(_bz_search_params($username));
if ($detail_result->code) {
# Stash away the original error, just in case
$error_string = $detail_result->error;
} else {
$user_entry = $detail_result->shift_entry;
}
# If that failed (either because the search failed, or returned no
# results) then try re-binding as the initial search user, but only
# if the LDAPbinddn parameter is set.
if (!$user_entry && Bugzilla->params->{"LDAPbinddn"}) {
$self->_bind_ldap_for_search();
$detail_result = $self->ldap->search(_bz_search_params($username));
if (!$detail_result->code) {
$user_entry = $detail_result->shift_entry;
}
}
# If we *still* don't have anything in $user_entry then give up.
return { failure => AUTH_ERROR, error => "ldap_search_error", return { failure => AUTH_ERROR, error => "ldap_search_error",
details => {errstr => $detail_result->error, username => $username} details => {errstr => $error_string, username => $username}
} if $detail_result->code; } if !$user_entry;
my $user_entry = $detail_result->shift_entry;
my $mail_attr = Bugzilla->params->{"LDAPmailattribute"}; my $mail_attr = Bugzilla->params->{"LDAPmailattribute"};
if ($mail_attr) { if ($mail_attr) {
...@@ -128,7 +151,7 @@ sub _bz_search_params { ...@@ -128,7 +151,7 @@ sub _bz_search_params {
. Bugzilla->params->{"LDAPfilter"} . ')'); . Bugzilla->params->{"LDAPfilter"} . ')');
} }
sub _bind_ldap_anonymously { sub _bind_ldap_for_search {
my ($self) = @_; my ($self) = @_;
my $bind_result; my $bind_result;
if (Bugzilla->params->{"LDAPbinddn"}) { if (Bugzilla->params->{"LDAPbinddn"}) {
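Review bot: The fallback search on the new side of the second hunk drops its own diagnostics: when the re-bound search fails, only the error from the first, user-bound search (or nothing, if that search merely returned no entry) reaches the `ldap_search_error` return, so the user sees "Unable to find user in LDAP" while the real cause was a failed search as `LDAPbinddn`. I would replace the three-line `if (!$detail_result->code) { ... }` after the fallback search with `$error_string = $detail_result->error if $detail_result->code;` followed by `$user_entry = $detail_result->shift_entry unless $detail_result->code;` so the most recent failure is the one reported. The return value of `_bind_ldap_for_search()` is also not inspected at the fallback call; if that helper reports a bind failure through its result rather than by throwing (its body is cut off in this view), a failed service-account bind would surface as a misleading search error. Note too that after this fallback the connection is left bound as the `LDAPbinddn` account rather than as the authenticated user, which is worth a one-line comment such as `# NOTE: from here on $self->ldap is bound as LDAPbinddn, not as the user` for anyone who later reuses `$self->ldap` in this request. check_credentials continues outside the hunk.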
......
...@@ -344,7 +344,11 @@ ...@@ -344,7 +344,11 @@
[% ELSIF error == "ldap_search_error" %] [% ELSIF error == "ldap_search_error" %]
An error occurred while trying to search LDAP for An error occurred while trying to search LDAP for
&quot;[% username FILTER html %]&quot;: &quot;[% username FILTER html %]&quot;:
<code>[% errstr FILTER html %]</code> [% IF errstr %]
<code>[% errstr FILTER html %]</code>
[% ELSE %]
Unable to find user in LDAP
[% END %]
[% ELSIF error == "ldap_server_not_defined" %] [% ELSIF error == "ldap_server_not_defined" %]
The LDAP server for authentication has not been defined. The LDAP server for authentication has not been defined.
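Review bot: The new `[% IF errstr %]` branch still echoes the raw LDAP diagnostic to the browser; the `FILTER html` escaping is correct, but with this commit that string can now come from a search performed as the user's own account (for example an access-denied or referral message naming directory internals), so the page discloses more about the directory than before. Consider keeping the generic "Unable to find user in LDAP" text for the user and recording the detailed `errstr` server-side instead, or at least documenting in the template why the detail is shown. Whether any of this is reachable before the password bind succeeds depends on the earlier search path in check_credentials, which is outside this view.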
......