bugfix ldap

internal/auth/ldap.go

@@ -109,11 +109,13 @@ func (a *LDAPAuthenticator) AuthenticateAndFetchGroups(ctx context.Context, user
 	}
 	if whoami, err := conn.WhoAmI(nil); err != nil {
 		identity.Diagnostics = append(identity.Diagnostics, fmt.Sprintf("whoami_failed:%v", err))
-	} else if boundDN := strings.TrimSpace(strings.TrimPrefix(strings.TrimSpace(whoami.AuthzID), "dn:")); boundDN != "" {
+	} else if boundDN := parseWhoAmIDN(whoami.AuthzID); boundDN != "" {
 		identity.UserDN = boundDN
 		identity.Diagnostics = append(identity.Diagnostics, "whoami_dn_resolved")
-	} else {
+	} else if strings.TrimSpace(whoami.AuthzID) == "" {
 		identity.Diagnostics = append(identity.Diagnostics, "whoami_dn_empty")
+	} else {
+		identity.Diagnostics = append(identity.Diagnostics, "whoami_non_dn_authzid")
 	}
 
 	entry, lookupStrategy, err := a.lookupUserEntry(conn, username, identity.UserDN)
@@ -281,7 +283,10 @@ func (a *LDAPAuthenticator) buildTLSConfig() (*tls.Config, error) {
 }
 
 func (a *LDAPAuthenticator) lookupUserEntry(conn *ldap.Conn, username string, userDNHint string) (*ldap.Entry, string, error) {
-	dnCandidates := compactTrimmedStrings([]string{userDNHint})
+	dnCandidates := make([]string, 0, 2)
+	if looksLikeDN(userDNHint) {
+		dnCandidates = append(dnCandidates, strings.TrimSpace(userDNHint))
+	}
 	if looksLikeDN(username) {
 		dnCandidates = append(dnCandidates, strings.TrimSpace(username))
 	}
@@ -378,6 +383,22 @@ func looksLikeDN(value string) bool {
 	return strings.Contains(value, "=") && strings.Contains(value, ",")
 }
 
+func parseWhoAmIDN(authzID string) string {
+	authzID = strings.TrimSpace(authzID)
+	if authzID == "" {
+		return ""
+	}
+
+	lower := strings.ToLower(authzID)
+	if strings.HasPrefix(lower, "dn:") {
+		authzID = strings.TrimSpace(authzID[3:])
+	}
+	if !looksLikeDN(authzID) {
+		return ""
+	}
+	return authzID
+}
+
 func principalCandidates(username string) []string {
 	username = strings.TrimSpace(username)
 	if username == "" {