Merge pull request #50767 from dwoz/ldap_no_pass

Make sure ldap passwords are honored
2024-11-07 00:55:19 +00:00 · 2018-12-05 15:59:16 -07:00 · 2018-12-05 15:59:16 -07:00 · dc9414cd0e
commit dc9414cd0e
parent 60aa0d5672 67aa591d1e
2 changed files with 25 additions and 2 deletions
--- a/salt/auth/ldap.py
+++ b/salt/auth/ldap.py
@ -283,12 +283,14 @@ def auth(username, password):
        log.error('LDAP authentication requires python-ldap module')
        return False

+    bind = None
+
    # If bind credentials are configured, verify that we receive a valid bind
    if _config('binddn', mandatory=False) and _config('bindpw', mandatory=False):
-        bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
+        search_bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))

        # If username & password are not None, attempt to verify they are valid
-        if bind and username and password:
+        if search_bind and username and password:
            bind = _bind(username, password,
                         anonymous=_config('auth_by_group_membership_only', mandatory=False)
                         and _config('anonymous', mandatory=False))
--- a/tests/unit/auth/test_ldap.py
+++ b/tests/unit/auth/test_ldap.py
@ -86,3 +86,24 @@ class LDAPAuthTestCase(TestCase):
        with patch.dict(salt.auth.ldap.__opts__, self.opts):
            with patch('salt.auth.ldap.auth', return_value=Bind):
                self.assertIn('saltusers', salt.auth.ldap.groups('saltuser', password='password'))
+
+    def test_auth_nopass(self):
+        opts = self.opts.copy()
+        opts['auth.ldap.bindpw'] = 'p@ssw0rd!'
+        with patch.dict(salt.auth.ldap.__opts__, opts):
+            with patch('salt.auth.ldap._bind_for_search', return_value=Bind):
+                self.assertFalse(salt.auth.ldap.auth('foo', None))
+
+    def test_auth_nouser(self):
+        opts = self.opts.copy()
+        opts['auth.ldap.bindpw'] = 'p@ssw0rd!'
+        with patch.dict(salt.auth.ldap.__opts__, opts):
+            with patch('salt.auth.ldap._bind_for_search', return_value=Bind):
+                self.assertFalse(salt.auth.ldap.auth(None, 'foo'))
+
+    def test_auth_nouserandpass(self):
+        opts = self.opts.copy()
+        opts['auth.ldap.bindpw'] = 'p@ssw0rd!'
+        with patch.dict(salt.auth.ldap.__opts__, opts):
+            with patch('salt.auth.ldap._bind_for_search', return_value=Bind):
+                self.assertFalse(salt.auth.ldap.auth(None, None))