From 1532f045e2d2b4e7ac1da880fc75b3bcb4282df7 Mon Sep 17 00:00:00 2001
From: Dan Wells
Date: Thu, 27 Sep 2012 17:35:03 -0400
Subject: [PATCH] Make AuthProxy LDAP bind code more robust

The existing version of LDAP_Auth.pm assumed that the user's bind DN could be derived from the base DN, the ID attribute, and the user's ID. This is frequently the case, but not always, particularly in Active Directory setups using sAMAccountName. This commit instead uses the initial LDAP lookup as the authority for determining the user's DN.

Signed-off-by: Dan Wells
Signed-off-by: Bill Erickson
---
 .../perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
index 0a4a0b0a3a..a180e3a477 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
@@ -40,14 +40,14 @@ sub authenticate {
 $hostname_is_ldap = 1;
 if ( $ldap->bind( $authid, password => $authid_pass )
 ->code == 0 ) {
 $reached_ldap = 1;
- # verify username
- if ( $ldap
- ->search( base => $basedn, filter => "($id_attr=$username)" )
- ->count != 0 ) {
+ # verify username and lookup user's DN
+ my $ldap_search = $ldap->search( base => $basedn,
+ filter => "($id_attr=$username)" );
+ if ( $ldap_search->count != 0 ) {
 $user_in_ldap = 1;
 # verify password (bind check)
- my $binddn = "$id_attr=$username,$basedn";
+ my $binddn = $ldap_search->entry(0)->dn();
 if ( $ldap->bind( $binddn, password => $password )
 ->code == 0 ) {
 $login_succeeded = 1;
--
2.11.0
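Review bot: The new `if ( $ldap_search->count != 0 )` test accepts any number of matches and then binds only as `entry(0)`, so if `$id_attr` is not unique under `$basedn` the password is checked against whichever entry the server happened to return first rather than the account `$username` names; tighten it to `if ( $ldap_search->count == 1 ) {` and treat zero or several matches alike as a failed lookup. Because that lookup now decides which DN receives the bind, the still-unescaped interpolation in `filter => "($id_attr=$username)"` matters more than before: filter metacharacters (`*`, `(`, `)`, `\`) in a caller-supplied username can widen the search so that some other entry's DN is the one whose password gets tried. Assuming `$ldap` is a Net::LDAP object, build the filter as `filter => '(' . $id_attr . '=' . escape_filter_value($username) . ')'`, which needs `use Net::LDAP::Util qw(escape_filter_value);` at the top of the file, outside this hunk. The enclosing `authenticate` sub starts and ends outside the hunk.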