From 34d0347fdeb53f7fad42760cd0f8feb719218523 Mon Sep 17 00:00:00 2001
From: Dan Wells
Date: Thu, 27 Sep 2012 17:35:03 -0400
Subject: [PATCH] Make AuthProxy LDAP bind code more robust
The existing version of LDAP_Auth.pm assumed that the user's bind DN could be derived from the base DN, the ID attribute, and the user's ID. This is frequently the case, but not always, particularly in Active Directory setups using sAMAccountName. This commit instead uses the initial LDAP lookup as the authority for determining the user's DN.
Signed-off-by: Dan Wells
Signed-off-by: Bill Erickson
---
 .../perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
index 0a4a0b0a3a..a180e3a477 100644
--- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
+++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm
@@ -40,14 +40,14 @@ sub authenticate {
             $hostname_is_ldap = 1;
             if ( $ldap->bind( $authid, password => $authid_pass )->code == 0 ) {
                 $reached_ldap = 1;
-                # verify username
-                if ( $ldap
-                    ->search( base => $basedn, filter => "($id_attr=$username)" )
-                    ->count != 0 ) {
+                # verify username and lookup user's DN
+                my $ldap_search = $ldap->search( base => $basedn,
+                    filter => "($id_attr=$username)" );
+                if ( $ldap_search->count != 0 ) {
                     $user_in_ldap = 1;
                     # verify password (bind check)
-                    my $binddn = "$id_attr=$username,$basedn";
+                    my $binddn = $ldap_search->entry(0)->dn();
                     if ( $ldap->bind( $binddn, password => $password )
                         ->code == 0 ) {
                         $login_succeeded = 1;
--
2.11.0
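Review bot: The new `my $ldap_search = $ldap->search( base => $basedn, filter => "($id_attr=$username)" );` still interpolates the caller-supplied `$username` into the filter unescaped, and because this search is now the authority for which DN gets password-checked, filter metacharacters in the username can widen the match to other entries and `$ldap_search->entry(0)->dn()` then binds as whichever entry the server returns first. This looks like Net::LDAP; if so, build the filter as `filter => "($id_attr=" . escape_filter_value($username) . ")"` using `escape_filter_value` from `Net::LDAP::Util`, and tighten the guard to `if ( $ldap_search->count == 1 ) {` so an ambiguous result is treated as "user not found" instead of silently selecting the first hit. It is also worth checking `$ldap_search->code` before trusting `count`, so a failed search is not confused with a genuinely empty one. `authenticate` begins and ends outside the hunk, and the `use Net::LDAP::Util qw(escape_filter_value);` line would go with the module's other imports.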