Merge pull request #1285 from srenatus/sr/ldap/treat-bind-constraint-…

…violation-as-bad-login connectors/ldap: treat 'constraint violation' on bind as bad credentials
dexidp · Sep 5, 2018 · 974617a · 974617a
2 parents 3bbc2c0 + 6a2d4ab
commit 974617a
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/connector/ldap/ldap.go b/connector/ldap/ldap.go
@@ -409,12 +409,17 @@ func (c *ldapConnector) Login(ctx context.Context, s connector.Scopes, username,
 		if err := conn.Bind(user.DN, password); err != nil {
 			// Detect a bad password through the LDAP error code.
 			if ldapErr, ok := err.(*ldap.Error); ok {
-				if ldapErr.ResultCode == ldap.LDAPResultInvalidCredentials {
+				switch ldapErr.ResultCode {
+				case ldap.LDAPResultInvalidCredentials:
 					c.logger.Errorf("ldap: invalid password for user %q", user.DN)
 					incorrectPass = true
 					return nil
+				case ldap.LDAPResultConstraintViolation:
+					c.logger.Errorf("ldap: constraint violation for user %q: %s", user.DN, ldapErr.Error())
+					incorrectPass = true
+					return nil
 				}
-			}
+			} // will also catch all ldap.Error without a case statement above
 			return fmt.Errorf("ldap: failed to bind as dn %q: %v", user.DN, err)
 		}
 		return nil