From b7abb31b7baeb2ee60d28b90354af3bef7f7a74a Mon Sep 17 00:00:00 2001 From: Gwilherm Folliot <37798980+3l0w@users.noreply.github.com> Date: Tue, 3 May 2022 14:41:11 +0200 Subject: [PATCH] Move user password verification after checking his groups on ldap auth (#19587) In case the binded user can not access its own attributes. Signed-off-by: Gwilherm Folliot Co-authored-by: wxiaoguang --- services/auth/source/ldap/source_search.go | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go index f2b940cab..d01fd14c8 100644 --- a/services/auth/source/ldap/source_search.go +++ b/services/auth/source/ldap/source_search.go @@ -433,14 +433,6 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul isRestricted = checkRestricted(l, ls, userDN) } - if !directBind && ls.AttributesInBind { - // binds user (checking password) after looking-up attributes in BindDN context - err = bindUser(l, userDN, passwd) - if err != nil { - return nil - } - } - if isAtributeAvatarSet { Avatar = sr.Entries[0].GetRawAttributeValue(ls.AttributeAvatar) } @@ -451,6 +443,14 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul teamsToAdd, teamsToRemove = ls.getMappedMemberships(l, uid) } + if !directBind && ls.AttributesInBind { + // binds user (checking password) after looking-up attributes in BindDN context + err = bindUser(l, userDN, passwd) + if err != nil { + return nil + } + } + return &SearchResult{ LowerName: strings.ToLower(username), Username: username,