Merge pull request #1285 from srenatus/sr/ldap/treat-bind-constraint-violation-as-bad-login

connectors/ldap: treat 'constraint violation' on bind as bad credentials
Stephan Renatus 2018-09-05 10:18:51 +02:00 committed by GitHub
commit 974617a426
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -409,12 +409,17 @@ func (c *ldapConnector) Login(ctx context.Context, s connector.Scopes, username,
if err := conn.Bind(user.DN, password); err != nil { if err := conn.Bind(user.DN, password); err != nil {
// Detect a bad password through the LDAP error code. // Detect a bad password through the LDAP error code.
if ldapErr, ok := err.(*ldap.Error); ok { if ldapErr, ok := err.(*ldap.Error); ok {
if ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials { switch ldapErr.ResultCode {
case ldap.LDAPResultInvalidCredentials:
c.logger.Errorf("ldap: invalid password for user %q", user.DN) c.logger.Errorf("ldap: invalid password for user %q", user.DN)
incorrectPass = true incorrectPass = true
return nil return nil
case ldap.LDAPResultConstraintViolation:
c.logger.Errorf("ldap: constraint violation for user %q: %s", user.DN, ldapErr.Error())
incorrectPass = true
return nil
} }
} } // will also catch all ldap.Error without a case statement above
return fmt.Errorf("ldap: failed to bind as dn %q: %v", user.DN, err) return fmt.Errorf("ldap: failed to bind as dn %q: %v", user.DN, err)
} }
return nil return nil
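Review bot: The new `case ldap.LDAPResultConstraintViolation:` branch carries no comment explaining why a constraint violation on bind is reported as a wrong password; that reasoning currently exists only in the commit title. I would add above the case `// A constraint violation on bind is reported as bad credentials, so the caller sees the same result as for a wrong password.` The trailing comment on the closing brace would read better as its own line directly above `return fmt.Errorf(...)`, since that return is what it describes. The server-supplied error text is logged with `%s` while the DN uses `%q`; using `%q` for `ldapErr.Error()` too would keep any control characters in the server's message out of the log line. The code around this bind starts and ends outside the hunk, so how `incorrectPass` is consumed is not visible here.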