- # FIXME dpavlin -- we really need $userldapentry leater on even if using auth_by_bind!
-
- # BUG #5094
- # 2010-08-04 JeremyC
- # a $userldapentry is only needed if either updating or replicating are enabled
- if($config{update} or $config{replicate}) {
- my $search = search_method($db, $userid) or return 0; # warnings are in the sub
- $userldapentry = $search->shift_entry;
- }
-
- } else {
+ # Perform a LDAP bind for the given username using the matched DN
+ my $res = $db->bind( $principal_name, password => $password );
+ if ( $res->code ) {
+ if ( $ldap->{anonymous_bind} ) {
+ # With anonymous_bind approach we can be sure we have found the correct user
+ # and that any 'code' response indicates a 'bad' user (be that blocked, banned
+ # or password changed). We should not fall back to local accounts in this case.
+ warn "LDAP bind failed as kohauser $userid: " . description($res);
+ return -1;
+ } else {
+ # Without a anonymous_bind, we cannot be sure we are looking at a valid ldap user
+ # at all, and thus we should fall back to local logins to restore previous behaviour
+ # see bug 12831
+ warn "LDAP bind failed as kohauser $userid: " . description($res);
+ return 0;
+ }
+ }
+ if ( !defined($userldapentry)
+ && ( $config{update} or $config{replicate} ) )
+ {
+ my $search = search_method( $db, $userid ) or return 0;
+ $userldapentry = $search->shift_entry;
+ }
+ } else {