Fix login troubles and make it behave as advertised

2019-04-03 20:26:30 +02:00 · 2019-04-03 20:26:30 +02:00 · 8bf9e44c82
commit 8bf9e44c82
parent 8bedeeffa7
2 changed files with 13 additions and 13 deletions
--- a/shell.nix
+++ b/shell.nix
@ -19,7 +19,7 @@ let
  '';

  override = oldAttrs: {
-    nativeBuildInputs = oldAttrs.nativeBuildInputs ++ (with pkgs; [ postgresql pgadmin ]) ++ (with haskellPackages; [ stack yesod-bin hlint cabal-install ]);
+    nativeBuildInputs = oldAttrs.nativeBuildInputs ++ (with pkgs; [ postgresql pgadmin openldap ]) ++ (with haskellPackages; [ stack yesod-bin hlint cabal-install ]);
    shellHook = ''
      export PROMPT_INFO="${oldAttrs.name}"

--- a/src/Auth/LDAP.hs
+++ b/src/Auth/LDAP.hs
@ -88,9 +88,14 @@ campusLogin conf@LdapConf{..} pool = AuthPlugin{..}
        FormMissing -> redirect LoginR
        FormSuccess CampusLogin{ campusIdent = CI.original -> campusIdent, ..} -> do
          ldapResult <- withLdap pool $ \ldap -> do
-            Ldap.bind ldap (Ldap.Dn campusIdent) (Ldap.Password $ Text.encodeUtf8 campusPassword)
            Ldap.bind ldap ldapDn ldapPassword
-            findUser conf ldap campusIdent [userPrincipalName]
+            searchResults <- findUser conf ldap campusIdent [userPrincipalName]
+            case searchResults of
+              [Ldap.SearchEntry (Ldap.Dn userDN) userAttrs] 
+                | Just [principalName] <- lookup userPrincipalName userAttrs
+                , Right credsIdent <- Text.decodeUtf8' principalName
+                -> Right (userDN, credsIdent) <$ Ldap.bind ldap (Ldap.Dn credsIdent) (Ldap.Password $ Text.encodeUtf8 campusPassword)
+              other -> return $ Left other
          case ldapResult of
            Left err
              | LdapError (Ldap.ResponseError (Ldap.ResponseErrorCode _ Ldap.InvalidCredentials _ _)) <- err
@ -100,16 +105,11 @@ campusLogin conf@LdapConf{..} pool = AuthPlugin{..}
              | otherwise -> do
                  $logErrorS "LDAP" $ "Error during login: " <> tshow err
                  loginErrorMessageI LoginR Msg.AuthError
-            Right searchResults
-              | [Ldap.SearchEntry (Ldap.Dn userDN) userAttrs] <- searchResults
-              , Just [principalName] <- lookup userPrincipalName userAttrs
-              , Right credsIdent <- Text.decodeUtf8' principalName
-                -> do
-                  $logDebugS "LDAP" $ tshow searchResults
-                  lift . setCredsRedirect $ Creds apName credsIdent [("DN", userDN)]
-              | otherwise -> do
-                  $logWarnS "LDAP" $ "Could not extract principal name: " <> tshow searchResults
-                  loginErrorMessageI LoginR Msg.AuthError
+            Right (Right (userDN, credsIdent)) ->
+              lift . setCredsRedirect $ Creds apName credsIdent [("DN", userDN)]
+            Right (Left searchResults) -> do
+              $logWarnS "LDAP" $ "Could not extract principal name: " <> tshow searchResults
+              loginErrorMessageI LoginR Msg.AuthError
    apDispatch _ _ = notFound
    apLogin toMaster = do
      (login, loginEnctype) <- handlerToWidget . generateFormPost $ renderAForm FormStandard campusForm