Merge pull request #1285 from srenatus/sr/ldap/treat-bind-constraint-violation-as-bad-login

connectors/ldap: treat 'constraint violation' on bind as bad credentials
This commit is contained in:
Stephan Renatus 2018-09-05 10:18:51 +02:00 committed by GitHub
commit 974617a426
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -409,12 +409,17 @@ func (c *ldapConnector) Login(ctx context.Context, s connector.Scopes, username,
if err := conn.Bind(user.DN, password); err != nil {
// Detect a bad password through the LDAP error code.
if ldapErr, ok := err.(*ldap.Error); ok {
if ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
switch ldapErr.ResultCode {
case ldap.LDAPResultInvalidCredentials:
c.logger.Errorf("ldap: invalid password for user %q", user.DN)
incorrectPass = true
return nil
case ldap.LDAPResultConstraintViolation:
c.logger.Errorf("ldap: constraint violation for user %q: %s", user.DN, ldapErr.Error())
incorrectPass = true
return nil
}
}
} // will also catch all ldap.Error without a case statement above
return fmt.Errorf("ldap: failed to bind as dn %q: %v", user.DN, err)
}
return nil