diff --git a/pkg/modules/auth/ldap/ldap.go b/pkg/modules/auth/ldap/ldap.go
index 2467a2ed9..e8ad32a82 100644
--- a/pkg/modules/auth/ldap/ldap.go
+++ b/pkg/modules/auth/ldap/ldap.go
@@ -51,12 +51,6 @@ func InitializeLDAPConnection() {
 if config.AuthLdapBaseDN.GetString() == "" {
 log.Fatal("LDAP base DN is not configured")
 }
- if config.AuthLdapBindDN.GetString() == "" {
- log.Fatal("LDAP bind DN is not configured")
- }
- if config.AuthLdapBindPassword.GetString() == "" {
- log.Fatal("LDAP bind password is not configured")
- }
 if config.AuthLdapUserFilter.GetString() == "" {
 log.Fatal("LDAP user filter is not configured")
 }
@@ -99,10 +93,17 @@ func ConnectAndBindToLDAPDirectory() (l *ldap.Conn, err error) {
 return nil, fmt.Errorf("could not connect to LDAP server: %w", err)
 }
- err = l.Bind(
- config.AuthLdapBindDN.GetString(),
- config.AuthLdapBindPassword.GetString(),
- )
+ bindDN := config.AuthLdapBindDN.GetString()
+ bindPassword := config.AuthLdapBindPassword.GetString()
+
+ if bindDN != "" && bindPassword != "" {
+ // Standard authentication
+ err = l.Bind(bindDN, bindPassword)
+ } else {
+ // Anonymous bind attempt (depending on the server, this call is explicit or automatic)
+ log.Info("No LDAP bind DN or password configured, attempting anonymous bind")
+ err = l.UnauthenticatedBind("")
+ }
 return
 }
diff --git a/pkg/modules/auth/ldap/ldap_test.go b/pkg/modules/auth/ldap/ldap_test.go
index c48c8db08..ca30ebff7 100644
--- a/pkg/modules/auth/ldap/ldap_test.go
+++ b/pkg/modules/auth/ldap/ldap_test.go
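Review bot: A half-configured service account now falls through to the anonymous branch in ConnectAndBindToLDAPDirectory: `bindDN != "" && bindPassword != ""` treats "bind DN set, password empty" (for instance a secret that failed to load) exactly like "nothing configured", and the only trace is an Info log line. The startup checks removed from InitializeLDAPConnection in the first hunk were what used to reject that state. I would allow the anonymous path only when both values are empty and fail at startup otherwise, e.g. in InitializeLDAPConnection: `if (config.AuthLdapBindDN.GetString() == "") != (config.AuthLdapBindPassword.GetString() == "") { log.Fatal("LDAP bind DN and bind password must be configured together") }`. Logging the anonymous fallback above Info level would also help, since directory searches then run without a service identity. Both function bodies extend beyond the hunks shown.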
@@ -117,6 +117,37 @@ func TestLdapLogin(t *testing.T) {
 "avatar_provider": "ldap",
 }, false)
 })
+
+ t.Run("should bind anonymously", func(t *testing.T) {
+ // Backup original config
+ origBindDN := config.AuthLdapBindDN.GetString()
+ origBindPW := config.AuthLdapBindPassword.GetString()
+ defer func() {
+ config.AuthLdapBindDN.Set(origBindDN)
+ config.AuthLdapBindPassword.Set(origBindPW)
+ }()
+
+ // Set empty bind credentials
+ config.AuthLdapBindDN.Set("")
+ config.AuthLdapBindPassword.Set("")
+
+ db.LoadAndAssertFixtures(t)
+ s := db.NewSession()
+ defer s.Close()
+
+ // Attempt to authenticate
+ // Note: This test might fail if the test LDAP server doesn't support anonymous bind,
+ // but it verifies the code path executes
+ user, err := AuthenticateUserInLDAP(s, "professor", "professor", false, "")
+
+ // We mainly want to ensure we don't panic or error out due to missing config
+ if err != nil {
+ // If it fails, it should be an LDAP error, not a "configuration missing" error
+ require.NotContains(t, err.Error(), "configured")
+ } else {
+ assert.Equal(t, "professor", user.Username)
+ }
+ })
 }
 func TestEscapeLDAPFilterValue(t *testing.T) {
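Review bot: The new subtest "should bind anonymously" cannot fail on the behaviour it names: a bind error passes as long as its text lacks the word "configured", and a success passes too, so a regression in the anonymous path would go unnoticed. If the test directory permits anonymous search, assert the outcome directly with `require.NoError(t, err)` followed by `assert.Equal(t, "professor", user.Username)`; if it does not, assert the specific failure or skip with a stated reason. `t.Cleanup` would be a tidier place than the `defer` for restoring the two config values. A second case with only one of bind DN and bind password set would pin down what a partial configuration does.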