From 724a89c3bb2808b9f435706c03040d14f9a36f4a Mon Sep 17 00:00:00 2001
From: Mark Rogaski
Date: Tue, 29 Jul 2014 20:55:17 +0000
Subject: Fixed fall-through/refusal logic. Added the reject_on_miss option to allow fall-through for unauthenticated users.
---
 Authenticators/LDAP/LDAPauth.ini | 3 +++
 Authenticators/LDAP/LDAPauth.py | 22 +++++++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/Authenticators/LDAP/LDAPauth.ini b/Authenticators/LDAP/LDAPauth.ini
index 9e374e8..13d065e 100644
--- a/Authenticators/LDAP/LDAPauth.ini
+++ b/Authenticators/LDAP/LDAPauth.ini
@@ -4,6 +4,9 @@ id_offset = 1000000000
 ;Reject users if the authenticator experiences an internal error during authentication
 reject_on_error = True
+;Reject users that are not found when bind_dn is used with non-user credentials.
+;Setting this to False will cause a fall-through when the user is not found in LDAP.
+reject_on_miss = True
 ;Ice configuration
 [ice]
diff --git a/Authenticators/LDAP/LDAPauth.py b/Authenticators/LDAP/LDAPauth.py
index dddc887..10cc57a 100644
--- a/Authenticators/LDAP/LDAPauth.py
+++ b/Authenticators/LDAP/LDAPauth.py
@@ -136,7 +136,8 @@ default = { 'ldap':(('ldap_uri', str, 'ldap://127.0.0.1'), ('group_attr', str, 'member')), 'user':(('id_offset', int, 1000000000),
- ('reject_on_error', x2bool, True)),
+ ('reject_on_error', x2bool, True),
+ ('reject_on_miss', x2bool, True)),
 'ice':(('host', str, '127.0.0.1'), ('port', int, 6502),
@@ -442,6 +443,15 @@ def do_main_program():
 bind_pass = pw
 ldap_conn.bind_s(bind_dn, bind_pass)
 res = ldap_conn.search_s(cfg.ldap.users_dn, ldap.SCOPE_SUBTREE, '(%s=%s)' % (cfg.ldap.username_attr, name), [cfg.ldap.number_attr, cfg.ldap.display_attr])
+ if len(res) == 0:
+ warning("User " + name + " not found")
+ if cfg.user.reject_on_miss:
+ return (AUTH_REFUSED, None, None)
+ else:
+ return (FALL_THROUGH, None, None)
+ if not pw:
+ warning("No password supplied for user " + name)
+ return (AUTH_REFUSED, None, None)
 match = res[0] #Only interested in the first result, as there should only be one match
 #Parse the user information
@@ -461,6 +471,12 @@ def do_main_program():
 debug('User ' + name + ' failed with no group membership')
 return (AUTH_REFUSED, None, None)
+ # Second bind to test user credentials if using bind_dn.
+ if cfg.ldap.bind_dn:
+ bind_dn = "%s=%s,%s" % (cfg.ldap.username_attr, name, cfg.ldap.users_dn)
+ bind_pass = pw
+ ldap_conn.bind_s(bind_dn, bind_pass)
+
 #Unbind and close connection
 ldap_conn.unbind()
@@ -468,8 +484,8 @@ def do_main_program():
 #LDAP bind failed - expected to happen if bad login
 except ldap.INVALID_CREDENTIALS:
- warning("User " + name + " failed with wrong password")
- return (AUTH_REFUSED, None, None)
+ warning("User " + name + " failed with wrong password")
+ return (AUTH_REFUSED, None, None)
 #If we get here, the login is correct.
 #Add the user/id combo to cache, then accept:
--
cgit v1.2.3
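Review bot: The `if not pw:` guard sits after `ldap_conn.bind_s(bind_dn, bind_pass)` and `search_s`, so an empty password is refused only after a bind and a search have already been issued; with `bind_pass = pw` in the context above, the path without a configured bind_dn then binds with an empty password, which LDAP servers commonly treat as an unauthenticated (anonymous) bind rather than a failure. Moving the three lines `if not pw:` / `warning("No password supplied for user " + name)` / `return (AUTH_REFUSED, None, None)` ahead of the first bind_s means no LDAP operation is attempted without credentials. The not-found branch can also be a single return, `return (AUTH_REFUSED if cfg.user.reject_on_miss else FALL_THROUGH, None, None)`. The enclosing function starts and ends outside the hunk, so the exact position of the first bind needs checking against the full body.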
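Review bot: The second bind builds `bind_dn` with `"%s=%s,%s" % (cfg.ldap.username_attr, name, cfg.ldap.users_dn)`, which inserts the user-supplied `name` into a DN without escaping and assumes the entry is a direct child of users_dn, while the search above uses `ldap.SCOPE_SUBTREE` and can therefore match an entry in a nested OU that this DN would never reach. The search result already carries the entry's DN — `match = res[0]` is a (dn, attrs) pair as returned by search_s — so `bind_dn = match[0]` binds exactly the entry that was found and needs no string assembly. If the DN must be constructed instead, pass `name` through `ldap.dn.escape_dn_chars` first; the same unescaped interpolation of `name` also appears in the search filter on the context line, where `ldap.filter.escape_filter_chars` is the corresponding helper. The enclosing function starts and ends outside the hunk.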