From 86687e2887e19f132294518027fd85605dacdee4 Mon Sep 17 00:00:00 2001
From: Vladimir Homutov
Date: Mon, 29 Oct 2018 11:42:22 +0300
Subject: [PATCH] Added additional tests for user search results.

This fixes https://github.com/nginxinc/nginx-ldap-auth/issues/55. It was possible to perform successful bind with unknown user with recent versions of python-ldap, in case when LDAP server returned continuation object and allowed anonymous bind.
---
 nginx-ldap-auth-daemon.py | 22 ++++++++++++++++++----
 1 file changed, 18 insertions(+), 4 deletions(-)

diff --git a/nginx-ldap-auth-daemon.py b/nginx-ldap-auth-daemon.py
index 46daf3b..bdfafff 100755
--- a/nginx-ldap-auth-daemon.py
+++ b/nginx-ldap-auth-daemon.py
@@ -228,13 +228,27 @@ class LDAPAuthHandler(AuthHandler):
                                           searchfilter, ['objectclass'], 1)
             ctx['action'] = 'verifying search query results'
-            if len(results) < 1:
+
+            nres = len(results)
+
+            if nres < 1:
                 self.auth_failed(ctx, 'no objects found')
                 return
 
-            ctx['action'] = 'binding as an existing user'
-            ldap_dn = results[0][0]
-            ctx['action'] += ' "%s"' % ldap_dn
+            if nres > 1:
+                self.log_message("note: filter match multiple objects: %d, using first" % nres)
+
+            user_entry = results[0]
+            ldap_dn = user_entry[0]
+
+            if ldap_dn == None:
+                self.auth_failed(ctx, 'matched object has no dn')
+                return
+
+            self.log_message('attempting to bind using dn "%s"' % (ldap_dn))
+
+            ctx['action'] = 'binding as an existing user "%s"' % ldap_dn
+
             ldap_obj.bind_s(ldap_dn, ctx['pass'], ldap.AUTH_SIMPLE)
 
             self.log_message('Auth OK for user "%s"' % (ctx['user']))
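Review bot: The new guard `if ldap_dn == None:` should be written `if not ldap_dn:` — `is None` is the correct identity test in Python, and the broader form also stops an empty DN string from reaching `ldap_obj.bind_s(ldap_dn, ctx['pass'], ldap.AUTH_SIMPLE)`, where it would not be a bind as the looked-up user. In the same spirit as this fix (the commit description says the server allowed anonymous bind), it is worth confirming that `ctx['pass']` is rejected when empty before the bind; that check, if it exists, would sit earlier in the method, outside this hunk, since a simple bind with a zero-length password is an unauthenticated bind rather than a credential check. The `nres > 1` branch silently binds as the first matched object; the log line helps, but a comment such as `# several entries matched the filter: the first one is bound; a multi-match normally means the filter is too broad` would tell the next reader why this is only logged and not rejected. The enclosing method starts before this hunk.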