LDAP auth: require exactly one result when searching for the LDAP user DN

This makes sure not fail securely when the query returns multiple entries - correct grammar in some cases - we're doing _authentication here, not authorization - uppercase LDAP in messages & comments - rename variable _ldap_version to _ldap_module_version to avoid misunderstanding it as LDAP's protocol version - align formatting & messages better between _login2() and _login3()
2025-04-03 21:27:36 +03:00 · 2024-12-29 07:16:27 +01:00 · 2024-12-29 07:16:27 +01:00 · c243ae4ebf
commit c243ae4ebf
parent 6f82333ff7
1 changed files with 6 additions and 5 deletions
--- a/radicale/auth/ldap.py
+++ b/radicale/auth/ldap.py
@ -118,8 +118,9 @@ class Auth(auth.BaseAuth):
                filterstr=self._ldap_filter.format(login),
                attrlist=['memberOf']
            )
-            if len(res) == 0:
-                """User could not be found"""
+            if len(res) != 1:
+                """User could not be found unambiguously"""
+                logger.debug(f"_login2 no unique DN found for '{login}'")
                return ""
            user_entry = res[0]
            user_dn = user_entry[0]
@ -181,9 +182,9 @@ class Auth(auth.BaseAuth):
            search_scope=self.ldap3.SUBTREE,
            attributes=['memberOf']
        )
-        if len(conn.entries) == 0:
-            """User could not be found"""
-            logger.debug(f"_login3 user '{login}' cannot be found")
+        if len(conn.entries) != 1:
+            """User could not be found unambiguously"""
+            logger.debug(f"_login3 no unique DN found for '{login}'")
            return ""

        user_entry = conn.response[0]