diff options
| author | lpsolit%gmail.com <> | 2010-01-05 09:32:53 +0100 |
|---|---|---|
| committer | lpsolit%gmail.com <> | 2010-01-05 09:32:53 +0100 |
| commit | 100d27e81e15f7bd8ebc1a892b238c4004d4486f (patch) | |
| tree | 71f0be1ac7e8bc03e3a6c661b9331b013f6b674e /Bugzilla/Auth | |
| parent | f170f68df81a531091578baca25c789076a3c467 (diff) | |
| download | bugzilla-100d27e81e15f7bd8ebc1a892b238c4004d4486f.tar.gz bugzilla-100d27e81e15f7bd8ebc1a892b238c4004d4486f.tar.xz | |
Bug 467992: Login fails if the user's LDAP account is denied search in LDAP - Patch by Adam Batkin <adam@batkin.net> r/a=mkanat
Diffstat (limited to 'Bugzilla/Auth')
| -rw-r--r-- | Bugzilla/Auth/Verify/LDAP.pm | 33 |
1 files changed, 28 insertions, 5 deletions
diff --git a/Bugzilla/Auth/Verify/LDAP.pm b/Bugzilla/Auth/Verify/LDAP.pm index b5904301d..cdc802ca0 100644 --- a/Bugzilla/Auth/Verify/LDAP.pm +++ b/Bugzilla/Auth/Verify/LDAP.pm @@ -56,7 +56,7 @@ sub check_credentials { # just appending the Base DN to the uid isn't sufficient to get the # user's DN. For servers which don't work this way, there will still # be no harm done. - $self->_bind_ldap_anonymously(); + $self->_bind_ldap_for_search(); # Now, we verify that the user exists, and get a LDAP Distinguished # Name for the user. @@ -76,12 +76,35 @@ sub check_credentials { return { failure => AUTH_LOGINFAILED } if $pw_result->code; # And now we fill in the user's details. + + # First try the search as the (already bound) user in question. + my $user_entry; + my $error_string; my $detail_result = $self->ldap->search(_bz_search_params($username)); + if ($detail_result->code) { + # Stash away the original error, just in case + $error_string = $detail_result->error; + } else { + $user_entry = $detail_result->shift_entry; + } + + # If that failed (either because the search failed, or returned no + # results) then try re-binding as the initial search user, but only + # if the LDAPbinddn parameter is set. + if (!$user_entry && Bugzilla->params->{"LDAPbinddn"}) { + $self->_bind_ldap_for_search(); + + $detail_result = $self->ldap->search(_bz_search_params($username)); + if (!$detail_result->code) { + $user_entry = $detail_result->shift_entry; + } + } + + # If we *still* don't have anything in $user_entry then give up. return { failure => AUTH_ERROR, error => "ldap_search_error", - details => {errstr => $detail_result->error, username => $username} - } if $detail_result->code; + details => {errstr => $error_string, username => $username} + } if !$user_entry; - my $user_entry = $detail_result->shift_entry; my $mail_attr = Bugzilla->params->{"LDAPmailattribute"}; if ($mail_attr) { @@ -128,7 +151,7 @@ sub _bz_search_params { . Bugzilla->params->{"LDAPfilter"} . ')'); } -sub _bind_ldap_anonymously { +sub _bind_ldap_for_search { my ($self) = @_; my $bind_result; if (Bugzilla->params->{"LDAPbinddn"}) { |