authorlpsolit%gmail.com <>2010-01-05 09:32:53 +0100
committerlpsolit%gmail.com <>2010-01-05 09:32:53 +0100
commit100d27e81e15f7bd8ebc1a892b238c4004d4486f (patch)
tree71f0be1ac7e8bc03e3a6c661b9331b013f6b674e
parentf170f68df81a531091578baca25c789076a3c467 (diff)
Bug 467992: Login fails if the user's LDAP account is denied search in LDAP - Patch by Adam Batkin <adam@batkin.net> r/a=mkanat
-rw-r--r--Bugzilla/Auth/Verify/LDAP.pm33
-rw-r--r--template/en/default/global/code-error.html.tmpl6
2 files changed, 33 insertions, 6 deletions
diff --git a/Bugzilla/Auth/Verify/LDAP.pm b/Bugzilla/Auth/Verify/LDAP.pm
index b5904301d..cdc802ca0 100644
--- a/Bugzilla/Auth/Verify/LDAP.pm
+++ b/Bugzilla/Auth/Verify/LDAP.pm
@@ -56,7 +56,7 @@ sub check_credentials {
# just appending the Base DN to the uid isn't sufficient to get the
# user's DN. For servers which don't work this way, there will still
# be no harm done.
- $self->_bind_ldap_anonymously();
+ $self->_bind_ldap_for_search();
# Now, we verify that the user exists, and get a LDAP Distinguished
# Name for the user.
@@ -76,12 +76,35 @@ sub check_credentials {
return { failure => AUTH_LOGINFAILED } if $pw_result->code;
# And now we fill in the user's details.
+
+ # First try the search as the (already bound) user in question.
+ my $user_entry;
+ my $error_string;
my $detail_result = $self->ldap->search(_bz_search_params($username));
+ if ($detail_result->code) {
+ # Stash away the original error, just in case
+ $error_string = $detail_result->error;
+ } else {
+ $user_entry = $detail_result->shift_entry;
+ }
+
+ # If that failed (either because the search failed, or returned no
+ # results) then try re-binding as the initial search user, but only
+ # if the LDAPbinddn parameter is set.
+ if (!$user_entry && Bugzilla->params->{"LDAPbinddn"}) {
+ $self->_bind_ldap_for_search();
+
+ $detail_result = $self->ldap->search(_bz_search_params($username));
+ if (!$detail_result->code) {
+ $user_entry = $detail_result->shift_entry;
+ }
+ }
+
+ # If we *still* don't have anything in $user_entry then give up.
return { failure => AUTH_ERROR, error => "ldap_search_error",
- details => {errstr => $detail_result->error, username => $username}
- } if $detail_result->code;
+ details => {errstr => $error_string, username => $username}
+ } if !$user_entry;
- my $user_entry = $detail_result->shift_entry;
my $mail_attr = Bugzilla->params->{"LDAPmailattribute"};
if ($mail_attr) {
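Review bot: The fallback search at the second `$self->ldap->search(...)` discards its own error: when it fails, `$error_string` still holds the result of the first (user-bound) search, or is undef if that one merely returned no entry, so the "ldap_search_error" reported to the admin describes the wrong attempt. Capture it alongside the existing check, e.g. `if ($detail_result->code) { $error_string = $detail_result->error; } else { $user_entry = $detail_result->shift_entry; }` in place of the `if (!$detail_result->code)` form. It is also worth a comment that after the fallback the connection stays bound as the LDAPbinddn service account rather than the authenticated user for the remainder of check_credentials, e.g. `# NOTE: from here on $self->ldap is bound as LDAPbinddn, not as the user.` check_credentials continues outside this hunk, so I cannot see whether anything later relies on the user bind.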
@@ -128,7 +151,7 @@ sub _bz_search_params {
. Bugzilla->params->{"LDAPfilter"} . ')');
}
-sub _bind_ldap_anonymously {
+sub _bind_ldap_for_search {
my ($self) = @_;
my $bind_result;
if (Bugzilla->params->{"LDAPbinddn"}) {
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index e851a00d9..2c2eb9891 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -344,7 +344,11 @@
[% ELSIF error == "ldap_search_error" %]
An error occurred while trying to search LDAP for
&quot;[% username FILTER html %]&quot;:
- <code>[% errstr FILTER html %]</code>
+ [% IF errstr %]
+ <code>[% errstr FILTER html %]</code>
+ [% ELSE %]
+ Unable to find user in LDAP
+ [% END %]
[% ELSIF error == "ldap_server_not_defined" %]
The LDAP server for authentication has not been defined.
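Review bot: The new `[% ELSE %]` branch ("Unable to find user in LDAP") is reached not only when the entry genuinely does not exist but also when the user's own account is denied search and no LDAPbinddn is configured, which is exactly the scenario this commit targets; the wording gives an admin no hint of that. A short pointer would save a support round-trip, e.g. `Unable to find user in LDAP (if users cannot search their own entry, set the LDAPbinddn parameter).` The `FILTER html` on errstr is kept, which is correct since the raw server message is untrusted output.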