LDAP authentication requires the second search operation with user DN

[Saphar]

I configured Sympa with LDAP login and in the logs I can see that it finds the user and binds, but the authentication doesn't work, it says it doesn't find the user.

Version

Sympa 6.2.24

Installation method

apt install sympa

Expected behavior

Authenticate the user via LDAP.

Actual behavior

ERROR () - Provided password is incorrect

Additional information

sympa/auth.conf

ldap
	host				account.domain.com:983
	timeout				30
	suffix				ou=accounts,dc=domain,dc=com
	bind_dn                         cn=admin,dc=domain,dc=com
	bind_password		        XXXXXX
	get_dn_by_uid_filter		(uid=[sender])
	get_dn_by_email_filter		(maildrop=[sender])
	email_attribute			maildrop
	scope				sub
	use_tls				starttls
	ca_verify			required
	ca_path				/usr/local/share/ca-certificates
	ca_file				/usr/local/share/ca-certificates/cert.crt

logs

Oct 21 11:14:29 list wwsympa[1218]: debug3 Sympa::DatabaseDriver::LDAP::_connect() Bound to LDAP host "ldap://account.domain.com:983"
Oct 21 11:14:29 list wwsympa[1218]: debug2 Sympa::Database::connect() Connected to Database Sympa::DatabaseDriver::LDAP <bind_dn=cn=Test User,ou=users,ou=accounts,dc=domain,dc=com;ca_file=/usr/local/share/ca-certificates/cert.crt;ca_path=/usr/local/share/ca-certificates;ca_verify=required;host=ldap://account.domain.com:983;use_tls=starttls>
Oct 21 11:14:29 list wwsympa[1218]: debug3 Sympa::DatabaseDriver::LDAP::do_operation() Will perform operation "search"
Oct 21 11:14:29 list wwsympa[1218]: debug3 Sympa::Database::connect(Sympa::DatabaseDriver::LDAP <bind_dn=cn=Test User,ou=users,ou=accounts,dc=domain,dc=com;ca_file=/usr/local/share/ca-certificates/cert.crt;ca_path=/usr/local/share/ca-certificates;ca_verify=required;host=ldap://account.domain.com:983;use_tls=starttls>)
Oct 21 11:14:30 list wwsympa[1218]: debug3 Sympa::DatabaseDriver::LDAP::_connect() Bound to LDAP host "ldap://account.domain.com:983"
Oct 21 11:14:30 list wwsympa[1218]: debug2 Sympa::Database::connect() Connected to Database Sympa::DatabaseDriver::LDAP <bind_dn=cn=Test User,ou=users,ou=accounts,dc=domain,dc=com;ca_file=/usr/local/share/ca-certificates/cert.crt;ca_path=/usr/local/share/ca-certificates;ca_verify=required;host=ldap://account.domain.com:983;use_tls=starttls>
Oct 21 11:14:30 list wwsympa[1218]: err main::#1606 > main::do_login#3296 > Sympa::Auth::check_auth#63 > Sympa::Auth::ldap_authentication#277 > Sympa::DatabaseDriver::LDAP::do_operation#204 Unable to perform LDAP operation: No such object
Oct 21 11:14:30 list wwsympa[1218]: notice Sympa::Auth::ldap_authentication() No entry in the LDAP Directory Tree of account.domain.com:983
Oct 21 11:14:30 list wwsympa[1218]: err main::#1606 > main::do_login#3296 > Sympa::Auth::check_auth#81 Incorrect LDAP password
Oct 21 11:14:30 list wwsympa[1218]: notice main::do_login() Authentication failed

[Saphar]

My findings are that at first the Sympa authenticates against my LDAP tree with the bind username and password I supply. Then it performs a search finding the correct DN by the 'uid'. Then it binds with that DN and the password supplied by the user. Which is good!

But then Sympa will try to do another search, while bound as the logged in user, performing another search for the same 'uid', which theoretically should return the same DN. But, since in our LDAP tree we have very strict ACL rules, the user is not allowed to do such a query. I would say the second search query that's performed is redundant and unnecessary and generates this inconvenient side effect.

We worked around it by changing our ACL rules but it might be worth checking in to.

[ikedas]

I agree that the second LDAP SEARCH operation should be omitted. It is performed to get information with alternative email attribute, but it looks not actually used.

[ikedas]

PR above will avoid the second search operation. I'll merge it to include it in the next beta (maybe 6.2.39b.1 in the next year).