From 36ea3a290b5ac52e758feda91212c2cb68d4e9b2 Mon Sep 17 00:00:00 2001 From: Dan Wells Date: Thu, 27 Sep 2012 17:35:03 -0400 Subject: [PATCH] Make AuthProxy LDAP bind code more robust The existing version of LDAP_Auth.pm assumed that the user's bind DN could be derived from the base DN, the ID attribute, and the user's ID. This is frequently the case, but not always, particularly in Active Directory setups using sAMAccountName. This commit instead uses the initial LDAP lookup as the authority for determining the user's DN. Signed-off-by: Dan Wells Signed-off-by: Bill Erickson --- .../perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm index 0a4a0b0a3a..a180e3a477 100644 --- a/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm +++ b/Open-ILS/src/perlmods/lib/OpenILS/Application/AuthProxy/LDAP_Auth.pm @@ -40,14 +40,14 @@ sub authenticate { $hostname_is_ldap = 1; if ( $ldap->bind( $authid, password => $authid_pass )->code == 0 ) { $reached_ldap = 1; - # verify username - if ( $ldap - ->search( base => $basedn, filter => "($id_attr=$username)" ) - ->count != 0 ) { + # verify username and lookup user's DN + my $ldap_search = $ldap->search( base => $basedn, + filter => "($id_attr=$username)" ); + if ( $ldap_search->count != 0 ) { $user_in_ldap = 1; # verify password (bind check) - my $binddn = "$id_attr=$username,$basedn"; + my $binddn = $ldap_search->entry(0)->dn(); if ( $ldap->bind( $binddn, password => $password ) ->code == 0 ) { $login_succeeded = 1; -- 2.11.0
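Review bot: The new code makes the search result authoritative for the bind DN, but the filter `"($id_attr=$username)"` still interpolates the raw username, so a value such as `*` or `x)(objectClass=*` now resolves to some real entry's DN via `entry(0)->dn()` instead of producing a malformed DN as the old string-built `$binddn` did; the attacker still needs that account's password, but they can now choose which account the bind is attempted against and `count != 0` hides that several entries matched. If this is Net::LDAP, escape the value and require exactly one hit: `filter => "($id_attr=" . escape_filter_value($username) . ")"` (with `use Net::LDAP::Util qw(escape_filter_value);` at the top of the file) and `if ( $ldap_search->count == 1 ) {`. It is also worth rejecting an empty `$password` before the second bind, since many directories treat an empty-password bind as anonymous and return success; that is pre-existing but the hunk is the natural place to guard it. The enclosing `sub authenticate` begins before this hunk and continues after it.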