Move user password verification after checking his groups on ldap auth (

go-gitea#19587) In case the binded user can not access its own attributes. Signed-off-by: Gwilherm Folliot <gwilherm55fo@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
kitspace · Aug 23, 2022 · baf6cc4 · baf6cc4
1 parent 4591a22
commit baf6cc4
Showing 1 changed file with 8 additions and 8 deletions.
diff --git a/services/auth/source/ldap/source_search.go b/services/auth/source/ldap/source_search.go
@@ -433,14 +433,6 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 		isRestricted = checkRestricted(l, ls, userDN)
 	}
 
-	if !directBind && ls.AttributesInBind {
-		// binds user (checking password) after looking-up attributes in BindDN context
-		err = bindUser(l, userDN, passwd)
-		if err != nil {
-			return nil
-		}
-	}
-
 	if isAtributeAvatarSet {
 		Avatar = sr.Entries[0].GetRawAttributeValue(ls.AttributeAvatar)
 	}
@@ -451,6 +443,14 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 		teamsToAdd, teamsToRemove = ls.getMappedMemberships(l, uid)
 	}
 
+	if !directBind && ls.AttributesInBind {
+		// binds user (checking password) after looking-up attributes in BindDN context
+		err = bindUser(l, userDN, passwd)
+		if err != nil {
+			return nil
+		}
+	}
+
 	return &SearchResult{
 		LowerName:      strings.ToLower(username),
 		Username:       username,