Bug 467992: Login fails if the user's LDAP account is denied search in LDAP - Patch...

diff --git a/Bugzilla/Auth/Verify/LDAP.pm b/Bugzilla/Auth/Verify/LDAP.pm
index b5904301d04692c4fd51bd79f157f02c0d237354..cdc802ca05526c85651ca234ac3c2e59d2d44c9c 100644 (file)
--- a/Bugzilla/Auth/Verify/LDAP.pm
+++ b/Bugzilla/Auth/Verify/LDAP.pm
@@ -56,7 +56,7 @@ sub check_credentials {
     # just appending the Base DN to the uid isn't sufficient to get the
     # user's DN.  For servers which don't work this way, there will still
     # be no harm done.
-    $self->_bind_ldap_anonymously();
+    $self->_bind_ldap_for_search();
 
     # Now, we verify that the user exists, and get a LDAP Distinguished
     # Name for the user.
@@ -76,12 +76,35 @@ sub check_credentials {
     return { failure => AUTH_LOGINFAILED } if $pw_result->code;
 
     # And now we fill in the user's details.
+
+    # First try the search as the (already bound) user in question.
+    my $user_entry;
+    my $error_string;
     my $detail_result = $self->ldap->search(_bz_search_params($username));
+    if ($detail_result->code) {
+        # Stash away the original error, just in case
+        $error_string = $detail_result->error;
+    } else {
+        $user_entry = $detail_result->shift_entry;
+    }
+
+    # If that failed (either because the search failed, or returned no
+    # results) then try re-binding as the initial search user, but only
+    # if the LDAPbinddn parameter is set.
+    if (!$user_entry && Bugzilla->params->{"LDAPbinddn"}) {
+        $self->_bind_ldap_for_search();
+
+        $detail_result = $self->ldap->search(_bz_search_params($username));
+        if (!$detail_result->code) {
+            $user_entry = $detail_result->shift_entry;
+        }
+    }
+
+    # If we *still* don't have anything in $user_entry then give up.
     return { failure => AUTH_ERROR, error => "ldap_search_error",
-             details => {errstr => $detail_result->error, username => $username}
-    } if $detail_result->code;
+             details => {errstr => $error_string, username => $username}
+    } if !$user_entry;
 
-    my $user_entry = $detail_result->shift_entry;
 
     my $mail_attr = Bugzilla->params->{"LDAPmailattribute"};
     if ($mail_attr) {
@@ -128,7 +151,7 @@ sub _bz_search_params {
                       . Bugzilla->params->{"LDAPfilter"} . ')');
 }
 
-sub _bind_ldap_anonymously {
+sub _bind_ldap_for_search {
     my ($self) = @_;
     my $bind_result;
     if (Bugzilla->params->{"LDAPbinddn"}) {

diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index e851a00d9c8f86e693577d11f3c36cd62230b625..2c2eb9891610b0cd03843381b3c96360b29ce307 100644 (file)
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -344,7 +344,11 @@
   [% ELSIF error == "ldap_search_error" %]
     An error occurred while trying to search LDAP for 
     "[% username FILTER html %]": 
-   <code>[% errstr FILTER html %]</code>
+    [% IF errstr %]
+      <code>[% errstr FILTER html %]</code>
+    [% ELSE %]
+      Unable to find user in LDAP
+    [% END %]
 
   [% ELSIF error == "ldap_server_not_defined" %]
     The LDAP server for authentication has not been defined.