From 340394388049bf572c5ff12ce37dfc87e7e77298 Mon Sep 17 00:00:00 2001
From: yefim
Date: Tue, 2 Dec 2025 18:34:18 +0200
Subject: [PATCH] Fix LDAP unauthorized

---
 src/service/uiaa/mod.rs | 37 +++++++++++++++++++++++++++++--------
 1 file changed, 29 insertions(+), 8 deletions(-)

diff --git a/src/service/uiaa/mod.rs b/src/service/uiaa/mod.rs
index f353d779..4cd14426 100644
--- a/src/service/uiaa/mod.rs
+++ b/src/service/uiaa/mod.rs
@@ -137,18 +137,39 @@ pub async fn try_auth(
 // Check if password is correct
 let user_id = user_id_from_username;
- if let Ok(hash) = self.services.users.password_hash(&user_id).await {
- let hash_matches = hash::verify_password(password, &hash).is_ok();
- if !hash_matches {
- uiaainfo.auth_error = Some(StandardErrorBody {
- kind: ErrorKind::forbidden(),
- message: "Invalid username or password.".to_owned(),
- });
+ let mut password_verified = false;
 
- return Ok((false, uiaainfo));
+ // First try local password hash verification
+ if let Ok(hash) = self.services.users.password_hash(&user_id).await {
+ password_verified = hash::verify_password(password, &hash).is_ok();
+ }
+
+ // If local password verification failed, try LDAP authentication
+ #[cfg(feature = "ldap")]
+ if !password_verified && self.services.server.config.ldap.enable {
+ // Search for user in LDAP to get their DN
+ if let Ok(dns) = self.services.users.search_ldap(&user_id).await {
+ if let Some((user_dn, _is_admin)) = dns.first() {
+ // Try to authenticate with LDAP
+ password_verified = self
+ .services
+ .users
+ .auth_ldap(user_dn, password)
+ .await
+ .is_ok();
+ }
 }
 }
+ if !password_verified {
+ uiaainfo.auth_error = Some(StandardErrorBody {
+ kind: ErrorKind::forbidden(),
+ message: "Invalid username or password.".to_owned(),
+ });
+
+ return Ok((false, uiaainfo));
+ }
+
 // Password was correct! Let's add it to `completed`
 uiaainfo.completed.push(AuthType::Password);
 },
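Review bot: The LDAP fallback guarded by `if !password_verified && self.services.server.config.ldap.enable` hands `password` to `auth_ldap` without checking that it is non-empty, so unless `auth_ldap` rejects an empty password itself (not visible here), an empty password submitted after the local hash check fails becomes a simple bind with no credentials, which RFC 4513 §5.1.2 defines as an anonymous bind and many directory servers report as success — the guard should read `if !password_verified && !password.is_empty() && self.services.server.config.ldap.enable {`. The `dns.first()` lookup also silently picks one entry when `search_ldap` returns several, turning an ambiguous or attacker-influenced match into a bind against the wrong DN; require exactly one result instead, e.g. `if let [(user_dn, _is_admin)] = dns.as_slice() {` (assuming `dns` is a `Vec`), and treat any other count as a failed login. The new ordering additionally lets LDAP authenticate an account whose stored local hash did not match, so a password is now accepted from either store; if that is intended it deserves a comment at the fallback, otherwise skip LDAP when `password_hash` returned a usable hash. `try_auth` begins before this hunk and continues after it.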