ldap: Reuse BindService() for initial bind attempt

plaes · plaes · commit a40cae373eed · 2025-12-26T21:03:59.000+02:00
diff --git a/internal/service/auth_service.go b/internal/service/auth_service.go
@@ -101,7 +101,7 @@ func (auth *AuthService) VerifyUser(search config.UserSearch, password string) b
 				return false
 			}
 
-			err = auth.ldap.BindService()
+			err = auth.ldap.BindService(true)
 			if err != nil {
 				log.Error().Err(err).Msg("Failed to rebind with service account after user authentication")
 				return false
diff --git a/internal/service/ldap_service.go b/internal/service/ldap_service.go
@@ -72,41 +72,31 @@ func (ldap *LdapService) connect() (*ldapgo.Conn, error) {
 	ldap.mutex.Lock()
 	defer ldap.mutex.Unlock()
 
+	var conn *ldapgo.Conn
+	var err error
+
 	if ldap.cert != nil {
-		conn, err := ldapgo.DialURL(ldap.Config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
+		conn, err = ldapgo.DialURL(ldap.Config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
 			MinVersion:   tls.VersionTLS12,
 			Certificates: []tls.Certificate{*ldap.cert},
 		}))
-		if err != nil {
-			return nil, err
-		}
-
-		err = conn.ExternalBind()
-		if err != nil {
-			log.Error().Err(err).Msg("LDAP mTLS bind failed?")
-			return nil, err
-		}
-		// Set and return the connection
-		ldap.conn = conn
-		return conn, nil
 	} else {
-		conn, err := ldapgo.DialURL(ldap.Config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
+		conn, err = ldapgo.DialURL(ldap.Config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
 			InsecureSkipVerify: ldap.Config.Insecure,
 			MinVersion:         tls.VersionTLS12,
 		}))
-		if err != nil {
-			return nil, err
-		}
-
-		err = conn.Bind(ldap.Config.BindDN, ldap.Config.BindPassword)
-		if err != nil {
-			return nil, err
-		}
-		// Set and return the connection
-		ldap.conn = conn
-		return conn, nil
 	}
+	if err != nil {
+		return nil, err
+	}
+
+	ldap.conn = conn
 
+	err = ldap.BindService(false)
+	if err != nil {
+		return nil, err
+	}
+	return ldap.conn, nil
 }
 
 func (ldap *LdapService) Search(username string) (string, error) {
@@ -138,17 +128,17 @@ func (ldap *LdapService) Search(username string) (string, error) {
 	return userDN, nil
 }
 
-func (ldap *LdapService) BindService() error {
-	ldap.mutex.Lock()
-	defer ldap.mutex.Unlock()
+func (ldap *LdapService) BindService(rebind bool) error {
+	// Locks must not be used for initial binding attempt
+	if rebind {
+		ldap.mutex.Lock()
+		defer ldap.mutex.Unlock()
+	}
 
-	var err error
 	if ldap.cert != nil {
-		err = ldap.conn.ExternalBind()
-	} else {
-		err = ldap.conn.Bind(ldap.Config.BindDN, ldap.Config.BindPassword)
+		return ldap.conn.ExternalBind()
 	}
-	return err
+	return ldap.conn.Bind(ldap.Config.BindDN, ldap.Config.BindPassword)
 }
 
 func (ldap *LdapService) Bind(userDN string, password string) error {

Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ func (auth *AuthService) VerifyUser(search config.UserSearch, password string) b`
`101`	`101`	`return false`
`102`	`102`	`}`
`103`	`103`
`104`		`- err = auth.ldap.BindService()`
	`104`	`+ err = auth.ldap.BindService(true)`
`105`	`105`	`if err != nil {`
`106`	`106`	`log.Error().Err(err).Msg("Failed to rebind with service account after user authentication")`
`107`	`107`	`return false`