Make AuthProxy LDAP bind code more robust
authorDan Wells <dbw2@calvin.edu>
Thu, 27 Sep 2012 21:35:03 +0000 (17:35 -0400)
committerBill Erickson <berick@esilibrary.com>
Mon, 15 Jul 2013 16:35:33 +0000 (12:35 -0400)
The existing version of LDAP_Auth.pm assumed that the user's
bind DN could be derived from the base DN, the ID attribute, and
the user's ID.  This is frequently the case, but not always,
particularly in Active Directory setups using sAMAccountName. This
commit instead uses the initial LDAP lookup as the authority for
determining the user's DN.

Signed-off-by: Dan Wells <dbw2@calvin.edu>
Signed-off-by: Bill Erickson <berick@esilibrary.com>
Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm

index 0a4a0b0..a180e3a 100644 (file)
@@ -40,14 +40,14 @@ sub authenticate {
         $hostname_is_ldap = 1;
         if ( $ldap->bind( $authid, password => $authid_pass )->code == 0 ) {
             $reached_ldap = 1;
-            # verify username
-            if ( $ldap
-                ->search( base => $basedn, filter => "($id_attr=$username)" )
-                ->count != 0 ) {
+            # verify username and lookup user's DN
+            my $ldap_search = $ldap->search( base => $basedn,
+                                             filter => "($id_attr=$username)" );
+            if ( $ldap_search->count != 0 ) {
                 $user_in_ldap = 1;
 
                 # verify password (bind check)
-                my $binddn = "$id_attr=$username,$basedn";
+                my $binddn = $ldap_search->entry(0)->dn();
                 if ( $ldap->bind( $binddn, password => $password )
                     ->code == 0 ) {
                     $login_succeeded = 1;
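Review bot: The filter on the added line `filter => "($id_attr=$username)"` still interpolates the supplied username unescaped, and the new code now trusts whatever that search returns as the bind DN, so a username containing LDAP filter metacharacters (e.g. `*`) can match several entries and the bind on line 35 is then attempted against `entry(0)` rather than the account the caller named. Escape the value with `Net::LDAP::Util::escape_filter_value` (the `use` line belongs in the file header outside this hunk) and require exactly one match before binding: `filter => "($id_attr=" . escape_filter_value($username) . ")"` and `if ( $ldap_search->count == 1 ) {`. A multi-match result should also be logged, since it most likely indicates a misconfigured `$id_attr` or an injection attempt. The enclosing `sub authenticate` begins before and ends after this hunk, so where `$username` comes from and how `$login_succeeded` is consumed is not visible here.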