From: Dan Wells
Date: Thu, 27 Sep 2012 21:35:03 +0000 (-0400)
Subject: Make AuthProxy LDAP bind code more robust
X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=1532f045e2d2b4e7ac1da880fc75b3bcb4282df7;p=evergreen%2Fpines.git
Make AuthProxy LDAP bind code more robust
The existing version of LDAP_Auth.pm assumed that the user's bind DN could be derived from the base DN, the ID attribute, and the user's ID. This is frequently the case, but not always, particularly in Active Directory setups using sAMAccountName. This commit instead uses the initial LDAP lookup as the authority for determining the user's DN.
Signed-off-by: Dan Wells
Signed-off-by: Bill Erickson
---
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
index 0a4a0b0a3a..a180e3a477 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
@@ -40,14 +40,14 @@ sub authenticate {
 $hostname_is_ldap = 1;
 if ( $ldap->bind( $authid, password => $authid_pass )->code == 0 ) {
 $reached_ldap = 1;
- # verify username
- if ( $ldap
- ->search( base => $basedn, filter => "($id_attr=$username)" )
- ->count != 0 ) {
+ # verify username and lookup user's DN
+ my $ldap_search = $ldap->search( base => $basedn,
+ filter => "($id_attr=$username)" );
+ if ( $ldap_search->count != 0 ) {
 $user_in_ldap = 1;
 # verify password (bind check)
- my $binddn = "$id_attr=$username,$basedn";
+ my $binddn = $ldap_search->entry(0)->dn();
 if ( $ldap->bind( $binddn, password => $password )
 ->code == 0 ) {
 $login_succeeded = 1;