Merge pull request #30 from butonic/fix-bind-when-not-found

return invalid credentials when user was not found
owncloud · Jul 30, 2020 · 8216a5d · 8216a5d
2 parents c01ce16 + 1a965cf
commit 8216a5d
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/changelog/unreleased/fix-bind-when-not-found.md b/changelog/unreleased/fix-bind-when-not-found.md
@@ -0,0 +1,5 @@
+Bugfix: return invalid credentials when user was not found
+
+We were relying on an error code of the ListAccounts call when the username and password was wrong. But the list will be empty if no user with the given login was found. So we also need to check if the list of accounts is empty.
+
+https://github.com/owncloud/ocis-glauth/pull/30
diff --git a/pkg/server/glauth/handler.go b/pkg/server/glauth/handler.go
@@ -64,14 +64,14 @@ func (h ocisHandler) Bind(bindDN, bindSimplePw string, conn net.Conn) (ldap.LDAP
 	userName := strings.TrimPrefix(parts[0], "cn=")
 
 	// check password
-	_, err := h.as.ListAccounts(context.TODO(), &accounts.ListAccountsRequest{
+	res, err := h.as.ListAccounts(context.TODO(), &accounts.ListAccountsRequest{
 		//Query: fmt.Sprintf("username eq '%s'", username),
 		// TODO this allows lookung up users when you know the username using basic auth
 		// adding the password to the query is an option but sending the sover the wira a la scim seems ugly
 		// but to set passwords our accounts need it anyway
 		Query: fmt.Sprintf("login eq '%s' and password eq '%s'", userName, bindSimplePw),
 	})
-	if err != nil {
+	if err != nil || len(res.Accounts) == 0 {
 		h.log.Error().
 			Str("username", userName).
 			Str("binddn", bindDN).