authorGwilherm Folliot <37798980+3l0w@users.noreply.github.com>2022-05-03 14:41:11 +0200
committerGitHub <noreply@github.com>2022-05-03 20:41:11 +0800
commitb7abb31b7baeb2ee60d28b90354af3bef7f7a74a (patch)
treeaf81e894dd9d08eef3e42d29b26df1709202813e
parent772ad761eb4fa88e9912f6bf0eaed65ad3830292 (diff)
Move user password verification after checking his groups on ldap auth (#19587)
In case the bound user cannot access its own attributes. Signed-off-by: Gwilherm Folliot <gwilherm55fo@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
-rw-r--r--services/auth/source/ldap/source_search.go16
1 files changed, 8 insertions, 8 deletions
diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go
index f2b940cabe..d01fd14c8b 100644
--- a/services/auth/source/ldap/source_search.go
+++ b/services/auth/source/ldap/source_search.go
@@ -433,14 +433,6 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
isRestricted = checkRestricted(l, ls, userDN)
}
- if !directBind && ls.AttributesInBind {
- // binds user (checking password) after looking-up attributes in BindDN context
- err = bindUser(l, userDN, passwd)
- if err != nil {
- return nil
- }
- }
-
if isAtributeAvatarSet {
Avatar = sr.Entries[0].GetRawAttributeValue(ls.AttributeAvatar)
}
@@ -451,6 +443,14 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
teamsToAdd, teamsToRemove = ls.getMappedMemberships(l, uid)
}
+ if !directBind && ls.AttributesInBind {
+ // binds user (checking password) after looking-up attributes in BindDN context
+ err = bindUser(l, userDN, passwd)
+ if err != nil {
+ return nil
+ }
+ }
+
return &SearchResult{
LowerName: strings.ToLower(username),
Username: username,
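Review bot: With the bind moved to just before `return &SearchResult{`, the password check becomes the last gate in SearchEntry, and nothing in the code says it must stay there. The lookups above it, including `ls.getMappedMemberships(l, uid)`, now run in the BindDN context for a caller who has not yet proven the password. The carried-over comment should record that invariant so no later early return is added above the bind, for example `// Must remain the final step: the group/team lookups above run as BindDN before the password is verified; never return a SearchResult before this bind.` The failed bind returns nil and drops `err` at this site; unless bindUser logs it itself (not visible in this hunk), recording the failure here would help failed-login detection. SearchEntry starts and ends outside the hunk.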