*: don't error out if a username doesn't exist in the backing connector

Instead of throwing a 500 error if a user enters an invalid name, display the same text box as if the user had entered the wrong password. NOTE: An invalid username now returns much quicker than an invalid password. Consider adding an arbitrary sleep in the future if we care about masking which was invalid.
2016-11-01 14:03:22 -07:00
parent 2a9051c864
commit 57a59d4631
3 changed files with 13 additions and 7 deletions
--- a/connector/ldap/ldap.go
+++ b/connector/ldap/ldap.go
@@ -310,7 +310,9 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi

 		switch n := len(resp.Entries); n {
 		case 0:
-			return fmt.Errorf("ldap: no results returned for filter: %q", filter)
+			log.Printf("ldap: no results returned for filter: %q", filter)
+			incorrectPass = true
+			return nil
 		case 1:
 		default:
 			return fmt.Errorf("ldap: filter returned multiple (%d) results: %q", n, filter)
@@ -335,6 +337,9 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
 	if err != nil {
 		return connector.Identity{}, false, err
 	}
+	if incorrectPass {
+		return connector.Identity{}, false, nil
+	}

 	// Encode entry for follow up requests such as the groups query and
 	// refresh attempts.
@@ -364,7 +369,7 @@ func (c *ldapConnector) Login(username, password string) (ident connector.Identi
 		return connector.Identity{}, false, err
 	}

-	return ident, !incorrectPass, nil
+	return ident, true, nil
 }

 func (c *ldapConnector) Groups(ident connector.Identity) ([]string, error) {