author | lpsolit%gmail.com <> | 2010-01-05 09:32:53 +0100 |
---|---|---|
committer | lpsolit%gmail.com <> | 2010-01-05 09:32:53 +0100 |
commit | 100d27e81e15f7bd8ebc1a892b238c4004d4486f (patch) | |
tree | 71f0be1ac7e8bc03e3a6c661b9331b013f6b674e | |
parent | f170f68df81a531091578baca25c789076a3c467 (diff) | |
Bug 467992: Login fails if the user's LDAP account is denied search in LDAP - Patch by Adam Batkin <adam@batkin.net> r/a=mkanat
-rw-r--r-- | Bugzilla/Auth/Verify/LDAP.pm | 33 | ||||
-rw-r--r-- | template/en/default/global/code-error.html.tmpl | 6 |
2 files changed, 33 insertions, 6 deletions
diff --git a/Bugzilla/Auth/Verify/LDAP.pm b/Bugzilla/Auth/Verify/LDAP.pm
index b5904301d..cdc802ca0 100644
--- a/Bugzilla/Auth/Verify/LDAP.pm
+++ b/Bugzilla/Auth/Verify/LDAP.pm
@@ -56,7 +56,7 @@ sub check_credentials {
 # just appending the Base DN to the uid isn't sufficient to get the
 # user's DN. For servers which don't work this way, there will still
 # be no harm done.
- $self->_bind_ldap_anonymously();
+ $self->_bind_ldap_for_search();
 
 # Now, we verify that the user exists, and get a LDAP Distinguished
 # Name for the user.
@@ -76,12 +76,35 @@ sub check_credentials {
 return { failure => AUTH_LOGINFAILED } if $pw_result->code;
 
 # And now we fill in the user's details.
+
+ # First try the search as the (already bound) user in question.
+ my $user_entry;
+ my $error_string;
 my $detail_result = $self->ldap->search(_bz_search_params($username));
+ if ($detail_result->code) {
+ # Stash away the original error, just in case
+ $error_string = $detail_result->error;
+ } else {
+ $user_entry = $detail_result->shift_entry;
+ }
+
+ # If that failed (either because the search failed, or returned no
+ # results) then try re-binding as the initial search user, but only
+ # if the LDAPbinddn parameter is set.
+ if (!$user_entry && Bugzilla->params->{"LDAPbinddn"}) {
+ $self->_bind_ldap_for_search();
+
+ $detail_result = $self->ldap->search(_bz_search_params($username));
+ if (!$detail_result->code) {
+ $user_entry = $detail_result->shift_entry;
+ }
+ }
+
+ # If we *still* don't have anything in $user_entry then give up.
 return { failure => AUTH_ERROR,
 error => "ldap_search_error",
- details => {errstr => $detail_result->error, username => $username}
- } if $detail_result->code;
+ details => {errstr => $error_string, username => $username}
+ } if !$user_entry;
 
- my $user_entry = $detail_result->shift_entry;
 my $mail_attr = Bugzilla->params->{"LDAPmailattribute"};
 if ($mail_attr) {
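Review bot: The error from the retried search inside the `if (!$user_entry && Bugzilla->params->{"LDAPbinddn"})` block is discarded: `$error_string` is only ever assigned from the first search, so when the user's own search succeeded with zero entries and the re-bound search then failed, `ldap_search_error` is raised with an undefined errstr and the real server error never reaches the admin. The inner test could keep it, e.g. `if (!$detail_result->code) { $user_entry = $detail_result->shift_entry; } elsif (!$error_string) { $error_string = $detail_result->error; }`. Note also that after `_bind_ldap_for_search()` the connection is bound as the LDAPbinddn account rather than the user who just authenticated; the remainder of check_credentials is outside this hunk, so it is worth confirming nothing later relies on the user's bind, and that a failed re-bind (its return value is not checked here) surfaces as a search error rather than silently running the retry unbound. The `# Stash away the original error, just in case` comment would be clearer as `# Keep the first error: it is what gets reported if the retry also fails.`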
@@ -128,7 +151,7 @@ sub _bz_search_params {
 . Bugzilla->params->{"LDAPfilter"} . ')');
 }
 
-sub _bind_ldap_anonymously {
+sub _bind_ldap_for_search {
 my ($self) = @_;
 my $bind_result;
 if (Bugzilla->params->{"LDAPbinddn"}) {
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index e851a00d9..2c2eb9891 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -344,7 +344,11 @@
 
 [% ELSIF error == "ldap_search_error" %]
 An error occurred while trying to search LDAP for "[% username FILTER html %]":
- <code>[% errstr FILTER html %]</code>
+ [% IF errstr %]
+ <code>[% errstr FILTER html %]</code>
+ [% ELSE %]
+ Unable to find user in LDAP
+ [% END %]
 
 [% ELSIF error == "ldap_server_not_defined" %]
 The LDAP server for authentication has not been defined. |