Move user password verification after checking his groups on ldap auth (#19587)

In case the bound user cannot access its own attributes.

Signed-off-by: Gwilherm Folliot <gwilherm55fo@gmail.com>

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Gwilherm Folliot 2022-05-03 14:41:11 +02:00 committed by GitHub
parent 772ad761eb
commit b7abb31b7b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -433,14 +433,6 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
isRestricted = checkRestricted(l, ls, userDN) isRestricted = checkRestricted(l, ls, userDN)
} }
if !directBind && ls.AttributesInBind {
// binds user (checking password) after looking-up attributes in BindDN context
err = bindUser(l, userDN, passwd)
if err != nil {
return nil
}
}
if isAtributeAvatarSet { if isAtributeAvatarSet {
Avatar = sr.Entries[0].GetRawAttributeValue(ls.AttributeAvatar) Avatar = sr.Entries[0].GetRawAttributeValue(ls.AttributeAvatar)
} }
@ -451,6 +443,14 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
teamsToAdd, teamsToRemove = ls.getMappedMemberships(l, uid) teamsToAdd, teamsToRemove = ls.getMappedMemberships(l, uid)
} }
if !directBind && ls.AttributesInBind {
// binds user (checking password) after looking-up attributes in BindDN context
err = bindUser(l, userDN, passwd)
if err != nil {
return nil
}
}
return &SearchResult{ return &SearchResult{
LowerName: strings.ToLower(username), LowerName: strings.ToLower(username),
Username: username, Username: username,
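Review bot: The relocated `bindUser` block is now the only password check on the `!directBind && ls.AttributesInBind` path, and it sits directly before `return &SearchResult{`, but the comment it carries does not say that this position is a requirement. Any return of a non-nil result added above it later would authenticate a user without verifying the password, and any lookup added below it would run on `l` in the user's bind context, which per the commit message may not be able to read its own attributes. I would replace the comment with something like `// Must remain the last step before returning a result: this bind is the only password check on this path, and it switches l from the BindDN context to the user's.` It is also worth confirming that an empty `passwd` is rejected earlier in `SearchEntry`, since some LDAP servers accept an empty-password bind as an unauthenticated bind; the function's body starts and ends outside this hunk, so that guard is not visible here.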