avoid unnecessary ldap bind for first user login

models/ldap.go

@@ -185,12 +185,14 @@ func ldapConnect() *ldap.Conn {
 		InsecureSkipVerify: LdapInsecure,
 	}
 
+	log.Printf("ldapConnect initiating connection\n")
 	ldaps, err := ldap.DialTLS("tcp", LdapServer, tlsConfig)
 	if err != nil {
-		log.Printf("VerifyLdapCreds error connecting to LDAP bind address '%s' : '%s'\n", LdapServer, err)
+		log.Printf("VerifyLdapCreds error connecting to LDAP server '%s' : '%s'\n", LdapServer, err)
 		return nil
 	}
 
+	log.Printf("ldapConnect connection succeeded\n")
 	return ldaps
 }
 

models/user.go

@@ -93,9 +93,8 @@ func VerifyPassword(password, hashedPassword string) error {
 }
 
 func LoginCheck(username string, password string) (string, error) {
-
 	var err error
-
+	newLdapUser := false
 	u := User{}
 
 	// Query database for matching user object
@@ -119,6 +118,11 @@ func LoginCheck(username string, password string) (string, error) {
 				} else {
 					log.Printf("LoginCheck verified LDAP user successfully\n")
 					u = ldapUser
+
+					// Since this user wasn't in the database, they must have been logging in for the first time
+					// So we don't need to repeat the ldap bind and verification
+					newLdapUser = true
+
 				}
 			} else {
 				// LDAP is not enabled, if user is not in the database then they can't login
@@ -132,6 +136,7 @@ func LoginCheck(username string, password string) (string, error) {
 	//log.Printf("u: %v\n", u)
 
 	if !u.LdapUser {
+		// Locally defined user, perform password verification
 		err = VerifyPassword(password, u.Password)
 
 		if err != nil && err == bcrypt.ErrMismatchedHashAndPassword {
@@ -141,17 +146,24 @@ func LoginCheck(username string, password string) (string, error) {
 			log.Printf("LoginCheck verified password against stored hash.\n")
 		}
 	} else {
-		err := VerifyLdapCreds(username, password)
+		// LDAP user, verify credential if user wasn't logging in for the first time
+		if !newLdapUser {
+			err := VerifyLdapCreds(username, password)
 
-		if err != nil {
-			errString := fmt.Sprintf("LoginCheck LDAP user bind unsuccessful : '%s'\n", err)
-			log.Print(errString)
-			return "", errors.New(errString)
+			if err != nil {
+				errString := fmt.Sprintf("LoginCheck LDAP user bind unsuccessful : '%s'\n", err)
+				log.Print(errString)
+				return "", errors.New(errString)
+			} else {
+				log.Printf("LoginCheck successfully verified LDAP user\n")
+			}
 		} else {
-			log.Printf("LoginCheck successfully verified LDAP user\n")
+			log.Printf("LoginCheck no need to repeat LDAP bind for new user login\n")
 		}
 	}
 
+	// If we reached this point then the login was successful
+	// Generate a new token and return it to the user
 	token, err := token.GenerateToken(uint(u.UserId))
 
 	if err != nil {
@@ -191,9 +203,9 @@ func LdapLoginCheck(username string, password string) (User, error) {
 				u.RoleId = role.RoleId
 				matchFound = true
 				break
-			} else {
-				//log.Printf("Role '%s' with LDAP group '%s' not match user group '%s'\n", role.RoleName, role.LdapGroup, group)
-			}
+			} //else {
+			//log.Printf("Role '%s' with LDAP group '%s' not match user group '%s'\n", role.RoleName, role.LdapGroup, group)
+			//}
 		}
 	}