Merge pull request #431 from TeskaLabs/fix/handle-ldap-invalid-creds

Catch and log ldap.INVALID_CREDENTIALS
TeskaLabs · Nov 28, 2024 · 3ee60d7 · 3ee60d7
2 parents 9f9bcf8 + c344d1c
commit 3ee60d7
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,11 +3,13 @@
 ## v24.45
 
 ### Pre-releases
+- v24.45-alpha4
 - v24.45-alpha3
 - v24.45-alpha2
 - v24.45-alpha1
 
 ### Fix
+- Catch and log ldap.INVALID_CREDENTIALS (#431, v24.45-alpha4)
 - Fix role error in provisioning startup (#428, v24.45-alpha2)
 - Log more details when message delivery fails (#427, v24.45-alpha1)
 

diff --git a/seacatauth/credentials/providers/ldap.py b/seacatauth/credentials/providers/ldap.py
@@ -108,6 +108,9 @@ async def get(self, credentials_id: str, include: typing.Optional[typing.Iterabl
 		except ldap.SERVER_DOWN:
 			L.warning("LDAP server is down.", struct_data={"provider_id": self.ProviderID, "uri": self.LdapUri})
 			return None
+		except ldap.INVALID_CREDENTIALS:
+			L.error("Invalid LDAP credentials.", struct_data={"provider_id": self.ProviderID, "uri": self.LdapUri})
+			return None
 
 
 	async def search(self, filter: dict = None, sort: dict = None, page: int = 0, limit: int = 0, **kwargs) -> list:
@@ -118,6 +121,9 @@ async def search(self, filter: dict = None, sort: dict = None, page: int = 0, li
 		except ldap.SERVER_DOWN:
 			L.warning("LDAP server is down.", struct_data={"provider_id": self.ProviderID, "uri": self.LdapUri})
 			return []
+		except ldap.INVALID_CREDENTIALS:
+			L.error("Invalid LDAP credentials.", struct_data={"provider_id": self.ProviderID, "uri": self.LdapUri})
+			return []
 
 
 	async def count(self, filtr=None) -> int:
@@ -127,6 +133,9 @@ async def count(self, filtr=None) -> int:
 		except ldap.SERVER_DOWN:
 			L.warning("LDAP server is down.", struct_data={"provider_id": self.ProviderID, "uri": self.LdapUri})
 			return None
+		except ldap.INVALID_CREDENTIALS:
+			L.error("Invalid LDAP credentials.", struct_data={"provider_id": self.ProviderID, "uri": self.LdapUri})
+			return None
 
 
 	async def iterate(self, offset: int = 0, limit: int = -1, filtr: str = None):
@@ -136,6 +145,9 @@ async def iterate(self, offset: int = 0, limit: int = -1, filtr: str = None):
 		except ldap.SERVER_DOWN:
 			L.warning("LDAP server is down.", struct_data={"provider_id": self.ProviderID, "uri": self.LdapUri})
 			return
+		except ldap.INVALID_CREDENTIALS:
+			L.error("Invalid LDAP credentials.", struct_data={"provider_id": self.ProviderID, "uri": self.LdapUri})
+			return
 		for i in results[offset:(None if limit == -1 else limit + offset)]:
 			yield i
 
@@ -146,6 +158,9 @@ async def locate(self, ident: str, ident_fields: dict = None, login_dict: dict =
 		except ldap.SERVER_DOWN:
 			L.warning("LDAP server is down.", struct_data={"provider_id": self.ProviderID, "uri": self.LdapUri})
 			return None
+		except ldap.INVALID_CREDENTIALS:
+			L.error("Invalid LDAP credentials.", struct_data={"provider_id": self.ProviderID, "uri": self.LdapUri})
+			return None
 
 
 	async def authenticate(self, credentials_id: str, credentials: dict) -> bool:
@@ -156,6 +171,9 @@ async def authenticate(self, credentials_id: str, credentials: dict) -> bool:
 		except ldap.SERVER_DOWN:
 			L.warning("LDAP server is down.", struct_data={"provider_id": self.ProviderID, "uri": self.LdapUri})
 			return False
+		except ldap.INVALID_CREDENTIALS:
+			L.error("Invalid LDAP credentials.", struct_data={"provider_id": self.ProviderID, "uri": self.LdapUri})
+			return False
 
 
 	async def get_login_descriptors(self, credentials_id: str) -> typing.List[typing.Dict]: