diff --git a/src/main/java/com/gitblit/auth/LdapAuthProvider.java b/src/main/java/com/gitblit/auth/LdapAuthProvider.java index 5690073a9..f51c15aa4 100644 --- a/src/main/java/com/gitblit/auth/LdapAuthProvider.java +++ b/src/main/java/com/gitblit/auth/LdapAuthProvider.java @@ -321,7 +321,6 @@ public UserModel authenticate(String username, char[] password) { if (result != null && result.getEntryCount() == 1) { SearchResultEntry loggingInUser = result.getSearchEntries().get(0); String loggingInUserDN = loggingInUser.getDN(); - if (alreadyAuthenticated || isAuthenticated(ldapConnection, loggingInUserDN, new String(password))) { logger.debug("LDAP authenticated: " + username); @@ -438,7 +437,6 @@ private void setUserAttributes(UserModel user, SearchResultEntry userEntry) { private void getTeamsFromLdap(LDAPConnection ldapConnection, String simpleUsername, SearchResultEntry loggingInUser, UserModel user) { String loggingInUserDN = loggingInUser.getDN(); - // Clear the users team memberships - we're going to get them from LDAP user.teams.clear(); 
@@ -533,13 +531,22 @@ private SearchResult doSearch(LDAPConnection ldapConnection, String base, boolea
 }
 private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {
+ LDAPConnection authldapConnection = getLdapConnection();
 try {
- // Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN
- ldapConnection.bind(userDn, password);
+ if (settings.getBoolean(Keys.realm.ldap.groupQueryWithUser, false)
+ && !StringUtils.isEmpty(settings.getString(Keys.realm.ldap.username, "")) ) {
+ // bind authConnection to user
+ authldapConnection.bind(userDn, password);
+ } else {
+ // Binding will stop any LDAP-Injection Attacks since the searched-for user needs to bind to that DN
+ ldapConnection.bind(userDn, password);
+ }
 return true;
 } catch (LDAPException e) {
 logger.error("Error authenticating user", e);
 return false;
+ } finally {
+ authldapConnection.close();
 }
 }
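Review bot: `getLdapConnection()` is called at the top of isAuthenticated, outside the `try` and on every login attempt, yet the connection is used only in the `groupQueryWithUser` branch and is dereferenced in `finally` without a null check. If getLdapConnection() can return null or throw when the directory is unreachable (its body is outside this hunk), the credential check ends in an unhandled exception instead of the logged `return false`, and the else branch opens a second connection it never uses. I would open the connection inside the branch, fail closed when it is missing, and guard the close. A comment explaining why the user bind goes to a throwaway connection in that mode would also help, since the caller's `ldapConnection` then keeps whatever identity it was already bound as.

```java
private boolean isAuthenticated(LDAPConnection ldapConnection, String userDn, String password) {
	LDAPConnection authldapConnection = null;
	try {
		if (settings.getBoolean(Keys.realm.ldap.groupQueryWithUser, false)
				&& !StringUtils.isEmpty(settings.getString(Keys.realm.ldap.username, ""))) {
			// Open the throwaway connection only when this branch needs it.
			authldapConnection = getLdapConnection();
			if (authldapConnection == null) {
				// Fail closed: no connection means the credentials were not verified.
				logger.error("Could not open LDAP connection to verify user credentials");
				return false;
			}
			authldapConnection.bind(userDn, password);
		} else {
			// … unchanged: bind on ldapConnection …
		}
		return true;
	// … unchanged: catch (LDAPException e) logs and returns false …
	} finally {
		if (authldapConnection != null) {
			authldapConnection.close();
		}
	}
```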