From c9351807e9c4d46662257b85f106877e1198c542 Mon Sep 17 00:00:00 2001
From: Dobrica Pavlinusic <dpavlin@rot13.org>
Date: Wed, 12 Mar 2014 10:45:09 +0100
Subject: [PATCH] Bug 8148 - LDAP auth_by_bind doesn't fallback to local auth

This patch covers LDAP auth_by_bind configuration so that wrong
LDAP password will return -1 to C4::Auth so we can abort local auth
and prevent users logging in with stale database passwords.

Signed-off-by: Martin Renvoize <martin.renvoize@ptfs-europe.com>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
---
 C4/Auth.pm           | 2 +-
 C4/Auth_with_ldap.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/C4/Auth.pm b/C4/Auth.pm
index c2faf8d7e4..2b8a0365b0 100644
--- a/C4/Auth.pm
+++ b/C4/Auth.pm
@@ -1543,7 +1543,7 @@ sub checkpw {
     if ($ldap) {
         $debug and print STDERR "## checkpw - checking LDAP\n";
         my ($retval,$retcard,$retuserid) = checkpw_ldap(@_);    # EXTERNAL AUTH
-        return 0 if $retval == -1;
+        return 0 if $retval == -1; # Incorrect password for LDAP login attempt
         ($retval) and return ($retval,$retcard,$retuserid);
     }
 
diff --git a/C4/Auth_with_ldap.pm b/C4/Auth_with_ldap.pm
index cf120e6919..b42506dfbe 100644
--- a/C4/Auth_with_ldap.pm
+++ b/C4/Auth_with_ldap.pm
@@ -146,7 +146,7 @@ sub checkpw_ldap {
         my $res = $db->bind( $principal_name, password => $password );
         if ( $res->code ) {
             warn "LDAP bind failed as kohauser $userid: " . description($res);
-            return 0;
+            return -1;
         }
         if ( !defined($userldapentry)
             && ( $config{update} or $config{replicate} ) )
-- 
2.39.5