From 2058c362a8325790ed1f83163b233ce342d3789b Mon Sep 17 00:00:00 2001
From: Tony Homrich <tenacubus@gmail.com>
Date: Thu, 27 Dec 2018 11:51:19 -0500
Subject: [PATCH] LDAP via simple auth separate bind user and search base
 (#5055)

---
 modules/auth/ldap/ldap.go             | 40 +++++++++++++++++++--------
 public/js/index.js                    |  6 ++--
 templates/admin/auth/edit.tmpl        |  6 ++--
 templates/admin/auth/source/ldap.tmpl |  2 +-
 4 files changed, 37 insertions(+), 17 deletions(-)

diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
index 8a5a6cf4d0..f4c55d0bd6 100644
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -83,16 +83,6 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
 
 func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
 	log.Trace("Search for LDAP user: %s", name)
-	if ls.BindDN != "" && ls.BindPassword != "" {
-		err := l.Bind(ls.BindDN, ls.BindPassword)
-		if err != nil {
-			log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
-			return "", false
-		}
-		log.Trace("Bound as BindDN %s", ls.BindDN)
-	} else {
-		log.Trace("Proceeding with anonymous LDAP search.")
-	}
 
 	// A search for the user.
 	userFilter, ok := ls.sanitizedUserQuery(name)
@@ -203,20 +193,48 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 
 		var ok bool
 		userDN, ok = ls.sanitizedUserDN(name)
+
 		if !ok {
 			return nil
 		}
+
+		err = bindUser(l, userDN, passwd)
+		if err != nil {
+			return nil
+		}
+
+		if ls.UserBase != "" {
+			// not everyone has a CN compatible with input name so we need to find
+			// the real userDN in that case
+
+			userDN, ok = ls.findUserDN(l, name)
+			if !ok {
+				return nil
+			}
+		}
 	} else {
 		log.Trace("LDAP will use BindDN.")
 
 		var found bool
+
+		if ls.BindDN != "" && ls.BindPassword != "" {
+			err := l.Bind(ls.BindDN, ls.BindPassword)
+			if err != nil {
+				log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
+				return nil
+			}
+			log.Trace("Bound as BindDN %s", ls.BindDN)
+		} else {
+			log.Trace("Proceeding with anonymous LDAP search.")
+		}
+
 		userDN, found = ls.findUserDN(l, name)
 		if !found {
 			return nil
 		}
 	}
 
-	if directBind || !ls.AttributesInBind {
+	if !ls.AttributesInBind {
 		// binds user (checking password) before looking-up attributes in user context
 		err = bindUser(l, userDN, passwd)
 		if err != nil {
diff --git a/public/js/index.js b/public/js/index.js
index 3d078a9848..918918ef46 100644
--- a/public/js/index.js
+++ b/public/js/index.js
@@ -1415,13 +1415,15 @@ function initAdmin() {
         $('#auth_type').change(function () {
             $('.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls .search-page-size').hide();
 
-            $('.ldap input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required]').removeAttr('required');
+            $('.ldap input[required], .binddnrequired input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required]').removeAttr('required');
+            $('.binddnrequired').removeClass("required");
 
             var authType = $(this).val();
             switch (authType) {
                 case '2':     // LDAP
                     $('.ldap').show();
-                    $('.ldap div.required:not(.dldap) input').attr('required', 'required');
+                    $('.binddnrequired input, .ldap div.required:not(.dldap) input').attr('required', 'required');
+                    $('.binddnrequired').addClass("required");
                     break;
                 case '3':     // SMTP
                     $('.smtp').show();
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 5c492ff521..8807657c33 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -55,11 +55,11 @@
 							<input id="bind_password" name="bind_password" type="password" value="{{$cfg.BindPassword}}">
 							<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
 						</div>
-						<div class="required field">
+					{{end}}
+					<div class="{{if .Source.IsLDAP}}required{{end}} field">
 							<label for="user_base">{{.i18n.Tr "admin.auths.user_base"}}</label>
 							<input id="user_base" name="user_base" value="{{$cfg.UserBase}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com" required>
-						</div>
-					{{end}}
+					</div>
 					{{if .Source.IsDLDAP}}
 						<div class="required field">
 							<label for="user_dn">{{.i18n.Tr "admin.auths.user_dn"}}</label>
diff --git a/templates/admin/auth/source/ldap.tmpl b/templates/admin/auth/source/ldap.tmpl
index 0c39d057a4..3386884ff1 100644
--- a/templates/admin/auth/source/ldap.tmpl
+++ b/templates/admin/auth/source/ldap.tmpl
@@ -30,7 +30,7 @@
 		<input id="bind_password" name="bind_password" type="password" value="{{.bind_password}}">
 		<p class="help text red">{{.i18n.Tr "admin.auths.bind_password_helper"}}</p>
 	</div>
-	<div class="ldap required field {{if not (eq .type 2)}}hide{{end}}">
+	<div class="binddnrequired {{if (eq .type 2)}}required{{end}} field">
 		<label for="user_base">{{.i18n.Tr "admin.auths.user_base"}}</label>
 		<input id="user_base" name="user_base" value="{{.user_base}}" placeholder="e.g. ou=Users,dc=mydomain,dc=com">
 	</div>