in Auth_with_ldap.pm try binding with user password or compare

This changes the checkpw code in Auth_with_ldap.  Along with comparing
the user entered password against the directory attibute userPassword
you can try to bind with the users dn and password.

This is controlled by the option auth_by_bind, which, if set, causes
this code to try binding instead of comparing.

Signed-off-by: Galen Charlton <galen.charlton@liblime.com>
Signed-off-by: Henri-Damien LAURENT <henridamien.laurent@biblibre.com>

diff --git a/C4/Auth_with_ldap.pm b/C4/Auth_with_ldap.pm
index c061612..cd0cfa4 100644 (file)
--- a/C4/Auth_with_ldap.pm
+++ b/C4/Auth_with_ldap.pm
@@ -100,10 +100,20 @@ sub checkpw_ldap {
        }
 
        my $userldapentry = $search->shift_entry;
-       my $cmpmesg = $db->compare( $userldapentry, attr=>'userpassword', value => $password );
-       if ($cmpmesg->code != 6) {
-               warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($cmpmesg);
-               return 0;
+       if ( $ldap->{auth_by_bind} ) {
+               my $user_ldapname = $userldapentry->dn();
+               my $user_db = Net::LDAP->new( [$prefhost] );
+               $res = $user_db->bind( $user_ldapname, password => $password );
+               if ( $res->code ) {
+                       $debug and warn "Bind as user failed ". description( $res );
+                       return 0;
+               }
+       } else {
+               my $cmpmesg = $db->compare( $userldapentry, attr=>'userpassword', value => $password );
+               if ($cmpmesg->code != 6) {
+                       warn "LDAP Auth rejected : invalid password for user '$userid'. " . description($cmpmesg);
+                       return 0;
+               }
        }
        unless ($config{update} or $config{replicate}) {
                return 1;