From 691bebf6bada5d40a3c2577217f67d74d6093a55 Mon Sep 17 00:00:00 2001
From: DenebTM
Date: Mon, 21 Oct 2024 14:58:27 +0200
Subject: [PATCH] actually validate that the LDAP bind succeeded
---
 src/auth/backends.rs | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/auth/backends.rs b/src/auth/backends.rs
index 55351b8..ff05b69 100644
--- a/src/auth/backends.rs
+++ b/src/auth/backends.rs
@@ -170,10 +170,22 @@ impl ValidateLogin for LdapBackend {
 {
 let (conn, mut ldap) = start_ldap_connection(&self.config).await?;
 drive!(conn);
- ldap.simple_bind(&search_entry.dn, password.0.expose_secret())
- .await?;
+ if let Err(ldap_error) = ldap
+ .simple_bind(&search_entry.dn, password.0.expose_secret())
+ .await?
+ .success()
+ {
+ event!(
+ Level::TRACE,
+ dn = search_entry.dn,
+ ldap_error = ldap_error.to_string(),
+ "LDAP bind failed"
+ );
+ return Err(AuthenticationError::InvalidUserOrPassword);
+ }
 }
+ event!(Level::INFO, dn = search_entry.dn, "LDAP bind succeeded");
 Ok(uid)
 }
 }
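Review bot: The new `.success()` check on `simple_bind` still lets an empty password through when the directory permits unauthenticated binds: under RFC 4513 a simple bind with a DN and a zero-length password is an unauthenticated bind, and a server that allows it answers with a success result code. No emptiness check is visible in this hunk, and the function body starts outside it, so unless the password is rejected earlier, add a guard before the bind such as `if password.0.expose_secret().is_empty() { return Err(AuthenticationError::InvalidUserOrPassword); }`. Separately, the failed bind is logged at `Level::TRACE` while the successful one is logged at `Level::INFO`; raising the failure event to `Level::WARN` would keep repeated failed logins visible to monitoring at default log levels.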