Added additional tests for user search results.

This fixes https://github.com/nginxinc/nginx-ldap-auth/issues/55. It was possible to perform successful bind with unknown user with recent versions of python-ldap, in case when LDAP server returned continuation object and allowed anonymous bind.
2018-10-29 11:42:22 +03:00 · 2018-10-29 11:42:22 +03:00 · 86687e2887
parent 57fb98b528
commit 86687e2887
1 changed files with 18 additions and 4 deletions
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@ -228,13 +228,27 @@ class LDAPAuthHandler(AuthHandler):
                                          searchfilter, ['objectclass'], 1)

            ctx['action'] = 'verifying search query results'
-            if len(results) < 1:
+
+            nres = len(results)
+
+            if nres < 1:
                self.auth_failed(ctx, 'no objects found')
                return

-            ctx['action'] = 'binding as an existing user'
-            ldap_dn = results[0][0]
-            ctx['action'] += ' "%s"' % ldap_dn
+            if nres > 1:
+                self.log_message("note: filter match multiple objects: %d, using first" % nres)
+
+            user_entry = results[0]
+            ldap_dn = user_entry[0]
+
+            if ldap_dn == None:
+                self.auth_failed(ctx, 'matched object has no dn')
+                return
+
+            self.log_message('attempting to bind using dn "%s"' % (ldap_dn))
+
+            ctx['action'] = 'binding as an existing user "%s"' % ldap_dn
+
            ldap_obj.bind_s(ldap_dn, ctx['pass'], ldap.AUTH_SIMPLE)

            self.log_message('Auth OK for user "%s"' % (ctx['user']))