diff --git a/modules/auth/ldap/ldap.go b/modules/auth/ldap/ldap.go
index 8a5a6cf4d..f4c55d0bd 100644
--- a/modules/auth/ldap/ldap.go
+++ b/modules/auth/ldap/ldap.go
@@ -83,16 +83,6 @@ func (ls *Source) sanitizedUserDN(username string) (string, bool) {
func (ls *Source) findUserDN(l *ldap.Conn, name string) (string, bool) {
log.Trace("Search for LDAP user: %s", name)
- if ls.BindDN != "" && ls.BindPassword != "" {
- err := l.Bind(ls.BindDN, ls.BindPassword)
- if err != nil {
- log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
- return "", false
- }
- log.Trace("Bound as BindDN %s", ls.BindDN)
- } else {
- log.Trace("Proceeding with anonymous LDAP search.")
- }
// A search for the user.
userFilter, ok := ls.sanitizedUserQuery(name)
@@ -203,20 +193,48 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
var ok bool
userDN, ok = ls.sanitizedUserDN(name)
+
if !ok {
return nil
}
+
+ err = bindUser(l, userDN, passwd)
+ if err != nil {
+ return nil
+ }
+
+ if ls.UserBase != "" {
+ // not everyone has a CN compatible with input name so we need to find
+ // the real userDN in that case
+
+ userDN, ok = ls.findUserDN(l, name)
+ if !ok {
+ return nil
+ }
+ }
} else {
log.Trace("LDAP will use BindDN.")
var found bool
+
+ if ls.BindDN != "" && ls.BindPassword != "" {
+ err := l.Bind(ls.BindDN, ls.BindPassword)
+ if err != nil {
+ log.Debug("Failed to bind as BindDN[%s]: %v", ls.BindDN, err)
+ return nil
+ }
+ log.Trace("Bound as BindDN %s", ls.BindDN)
+ } else {
+ log.Trace("Proceeding with anonymous LDAP search.")
+ }
+
userDN, found = ls.findUserDN(l, name)
if !found {
return nil
}
}
- if directBind || !ls.AttributesInBind {
+ if !ls.AttributesInBind {
// binds user (checking password) before looking-up attributes in user context
err = bindUser(l, userDN, passwd)
if err != nil {
diff --git a/public/js/index.js b/public/js/index.js
index 3d078a984..918918ef4 100644
--- a/public/js/index.js
+++ b/public/js/index.js
@@ -1415,13 +1415,15 @@ function initAdmin() {
$('#auth_type').change(function () {
$('.ldap, .dldap, .smtp, .pam, .oauth2, .has-tls .search-page-size').hide();
- $('.ldap input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required]').removeAttr('required');
+ $('.ldap input[required], .binddnrequired input[required], .dldap input[required], .smtp input[required], .pam input[required], .oauth2 input[required], .has-tls input[required]').removeAttr('required');
+ $('.binddnrequired').removeClass("required");
var authType = $(this).val();
switch (authType) {
case '2': // LDAP
$('.ldap').show();
- $('.ldap div.required:not(.dldap) input').attr('required', 'required');
+ $('.binddnrequired input, .ldap div.required:not(.dldap) input').attr('required', 'required');
+ $('.binddnrequired').addClass("required");
break;
case '3': // SMTP
$('.smtp').show();
diff --git a/templates/admin/auth/edit.tmpl b/templates/admin/auth/edit.tmpl
index 5c492ff52..8807657c3 100644
--- a/templates/admin/auth/edit.tmpl
+++ b/templates/admin/auth/edit.tmpl
@@ -55,11 +55,11 @@
{{.i18n.Tr "admin.auths.bind_password_helper"}}
-
+ {{end}}
+
-
- {{end}}
+