From b48e4e864551a0042e7bfa02ec469c1798bf113e Mon Sep 17 00:00:00 2001
From: Robert Rettig
Date: Thu, 8 Sep 2022 18:14:19 +0200
Subject: [PATCH] fixes #1026
---
api/login.go | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/api/login.go b/api/login.go
index 79d0f5a0..017711ef 100644
--- a/api/login.go
+++ b/api/login.go
@@ -64,13 +64,27 @@ func tryFindLDAPUser(username, password string) (*db.User, error) {
return nil, fmt.Errorf("too many entries returned")
}
- // Bind as the user to verify their password
+ // Bind as the user
userdn := sr.Entries[0].DN
if err = l.Bind(userdn, password); err != nil {
return nil, err
}
- // Get user info and ensure authentication in case LDAP supports unauthenticated bind
+ // Ensure authentication and verify itself with whoami operation
+ var res *ldap.WhoAmIResult
+ if res, err = l.WhoAmI(nil); err != nil {
+ return nil, err
+ }
+ if len(res.AuthzID) <= 0 {
+ return nil, fmt.Errorf("error while doing whoami operation")
+ }
+
+ // Second time bind as read only user
+ if err = l.Bind(util.Config.LdapBindDN, util.Config.LdapBindPassword); err != nil {
+ return nil, err
+ }
+
+ // Get user info
searchRequest = ldap.NewSearchRequest(
util.Config.LdapSearchDN,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
@@ -84,6 +98,10 @@ func tryFindLDAPUser(username, password string) (*db.User, error) {
return nil, err
}
+ if len(sr.Entries) <= 0 {
+ return nil, fmt.Errorf("ldap search returned no entries")
+ }
+
ldapUser := db.User{
Username: strings.ToLower(sr.Entries[0].GetAttributeValue(util.Config.LdapMappings.UID)),
Created: time.Now(),
@@ -128,7 +146,7 @@ func createSession(w http.ResponseWriter, r *http.Request, user db.User) {
})
}
-//nolint: gocyclo
+// nolint: gocyclo
func login(w http.ResponseWriter, r *http.Request) {
var login struct {
Auth string `json:"auth" binding:"required"`
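Review bot: The WhoAmI check only catches the case where the server silently accepted an unauthenticated bind (non-empty DN, empty password) by noticing that no authorization identity came back, so an empty `password` still reaches `l.Bind(userdn, password)` first and the whole verification now depends on the server implementing the Who Am I extended operation (RFC 4532); a guard placed before that bind, `if password == "" { return nil, fmt.Errorf("empty password") }`, fails closed regardless of server support. If `ldap` here is a recent go-ldap v3 client, `Bind` already refuses an empty password client-side, in which case the guard merely makes the intent visible at this call site. The `len(res.AuthzID) <= 0` test reads better as `res.AuthzID == ""`, and its error should name the actual condition rather than a generic failure, e.g. `return nil, fmt.Errorf("ldap bind did not authenticate: whoami returned no authorization identity")`. The `// Second time bind as read only user` comment should also say why the re-bind is needed — presumably because the user's own DN may not be permitted to read the mapped attributes — and the trimmed `// Bind as the user` comment should state that the bind plus the following WhoAmI together constitute the password check. tryFindLDAPUser starts and ends outside this hunk.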
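Review bot: The new guard `if len(sr.Entries) <= 0` accepts any number of matches and then reads `sr.Entries[0]`, whereas the first search in this function (visible as context in the previous hunk) rejects anything but exactly one match with "too many entries returned"; if this second search reuses the same filter — its filter argument lies outside the hunk — the check should mirror it, `if len(sr.Entries) != 1 { return nil, fmt.Errorf("ldap search returned %d entries, expected 1", len(sr.Entries)) }`, so an ambiguous result cannot map the authenticated user onto the wrong entry. Since this lookup now runs under the service account rather than the user's own bind, its result set can differ from the first search's, which is the reason this check deserves to be as strict as the earlier one. On style, a length test is conventionally written `len(sr.Entries) == 0` rather than `<= 0`. tryFindLDAPUser continues outside this hunk.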