From ab2f909a9db3f418670098c3d12ecd291040ee4c Mon Sep 17 00:00:00 2001
From: louis-oui <47607835+louis-oui@users.noreply.github.com>
Date: Fri, 22 Nov 2019 15:38:42 +0100
Subject: [PATCH] Fix LDAP slow login and unable to login (#10872)

* Fix LDAP slow login
* Keep getUserList as is and implement fix in getUser function
* Split getUser function for CodeClimate
* Rewrite GetUser
* Fix no ldap auth when bind user configured - https://community.librenms.org/t/ldap-authentication-problem-with-webui/6115/2
---
 LibreNMS/Authentication/LdapAuthorizer.php | 25 +++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/LibreNMS/Authentication/LdapAuthorizer.php b/LibreNMS/Authentication/LdapAuthorizer.php
index 308dca018a..460172d647 100644
--- a/LibreNMS/Authentication/LdapAuthorizer.php
+++ b/LibreNMS/Authentication/LdapAuthorizer.php
@@ -9,6 +9,7 @@ use LibreNMS\Exceptions\LdapMissingException;
 class LdapAuthorizer extends AuthorizerBase
 {
 protected $ldap_connection;
+ private $userloginname = "";
 public function authenticate($credentials)
 {
@@ -16,7 +17,13 @@ class LdapAuthorizer extends AuthorizerBase
 if (!empty($credentials['username'])) {
 $username = $credentials['username'];
+ $this->userloginname = $username;
 if (!empty($credentials['password']) && ldap_bind($connection, $this->getFullDn($username), $credentials['password'])) {
+ // ldap_bind has done a bind with the user credentials. If binduser is configured, rebind with the auth_ldap_binduser
+ // normal user has restricted right to search in ldap. auth_ldap_binduser has full search rights
+ if ((Config::has('auth_ldap_binduser') || Config::has('auth_ldap_binddn')) && Config::has('auth_ldap_bindpassword')) {
+ $this->bind();
+ }
 $ldap_groups = $this->getGroupList();
 if (empty($ldap_groups)) {
 // no groups, don't check membership
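Review bot: The result of `$this->bind()` in the new rebind block is discarded, so if bind() reports failure by return value rather than by throwing, a wrong `auth_ldap_bindpassword` leaves the connection in whatever state the failed rebind produced (on most servers anonymous), the `getGroupList()` call just below runs with those rights, and an empty result is then taken by the `if (empty($ldap_groups))` branch as "no groups, don't check membership". Whether bind() throws is not visible in this hunk; if it does not, the rebind should be checked and a failure should reject the login rather than fall through, e.g. `if (!$this->bind()) { return false; }` with whatever failure value authenticate uses elsewhere. The three `Config::has` checks presumably mirror what bind() already tests before binding; if so, a single helper such as `hasBindCredentials()` would keep the two in step. In the first hunk, `private $userloginname = "";` could carry a type, `private string $userloginname = '';`, if the codebase already targets PHP 7.4+. authenticate's body continues outside the hunk.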
@@ -198,10 +205,22 @@ class LdapAuthorizer extends AuthorizerBase
 public function getUser($user_id)
 {
- foreach ($this->getUserlist() as $user) {
- if ((int)$user['user_id'] === (int)$user_id) {
- return $user;
+ $connection = $this->getLdapConnection();
+
+ $filter = '(' . Config::get('auth_ldap_prefix') . $this->userloginname . ')';
+ if (Config::get('auth_ldap_userlist_filter') != null) {
+ $filter = '(' . Config::get('auth_ldap_userlist_filter') . ')';
+ }
+
+ $search = ldap_search($connection, trim(Config::get('auth_ldap_suffix'), ','), $filter);
+ $entries = ldap_get_entries($connection, $search);
+ foreach ($entries as $entry) {
+ $user = $this->ldapToUser($entry);
+ if ((int)$user['user_id'] !== (int)$user_id) {
+ continue;
+ }
+
+ return $user;
 }
 return 0;
 }
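Review bot: `$this->userloginname` is concatenated unescaped into the LDAP search filter on the first `$filter =` line, and it originates from `$credentials['username']` (assigned in authenticate), so filter metacharacters in a submitted username alter the query; escape it there with `ldap_escape($this->userloginname, '', LDAP_ESCAPE_FILTER)`. `ldap_search()` returns false on failure (a rejected filter, for instance, which the prefix filter may well become when getUser is reached before authenticate has set the name, since the property defaults to `""`), and that value is passed straight to `ldap_get_entries()`; guard it with `if ($search === false) { return 0; }` or let the failure surface explicitly. `ldap_get_entries()` also returns a `count` element alongside the entries, so `foreach ($entries as $entry)` hands that integer to `ldapToUser()` unless the helper tolerates it — the replaced `getUserlist()` path is not visible here, so this may already be handled there. The `!= null` test on `auth_ldap_userlist_filter` is a loose comparison; `!== null` states the intent.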