﻿id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
15385	Bug in django-auth-ldap bindings and groups on restricted LDAP configuration	hile	nobody	"There is a bug in django-auth-ldap with LDAP groups access, if the LDAP server restricts access to data for normal user accounts.

How this bug can be triggered:
- The LDAP server is configured to bind with BINDDN as specific user
- LDAP users can authenticate but their credentials are configured not to allow browsing LDAP data freely, including reading of LDAP group data with user credentials
- Any of the groups restrictions are enabled in django LDAP settings

How the problem can be seen:
- Any user authentication with LDAP permissions fails
- The log shows 'user is not member of LDAP group', even when they are

Reason for the bug:
- Django LDAP authentication correctly binds with BINDDN to LDAP database in the beginning
- However, to check the user's LDAP password, the call self._authenticate_user_dn(password) replaces this binding with the user credentials
- The Django LDAP module does not replace the binding with the (possibly restricted) user credentials with the BINDDN credentials after successful authentication with the user credentials
- The groups are checked and used after the user has logged in, and the above error causes the groups to be inaccessible from LDAP in such a configuration, and the authentication fails

Fixing the bug:
- My suggestion would be to add self._bind() to the end of _authenticate_user_dn() in backend.py: this will restore the BINDDN binding permissions, and if the user password was incorrect, we already raised self.AuthenticationFailed() before this call, so it would not change authentication testing

Note, this bug does not happen in most common LDAP setups, because it's quite common to allow any user authenticated to LDAP to read all data in LDAP. It only happens if the normal user does not have such permissions.

"		closed	contrib.auth	1.2		invalid	LDAP BIND ERROR		Unreviewed	0	0	0	0	0	0
