From 6125e9fe06d37e98d707ff09bc10d90135d061df Mon Sep 17 00:00:00 2001
From: Jim Kitchen
Date: Fri, 22 Jul 2016 11:51:55 -0500
Subject: [PATCH] Get MAP_KEY results when logged in as actual user

Some LDAP systems let the bind_user see all attributes of another user, but some LDAP systems restrict what can be seen by the bind_user, especially if doing an anonymous bind. To make the MAP_KEY work as expected, re-search after connecting with the real user/password. As an optimization, if a customer is happy with the results from the initial search, give them a config parameter to avoid the second search. This gives them functionality identical to today in case they need it. But it's opt-in to the old style. Doing nothing will give them the new behavior with MAP_KEY results when logged in as the actual user.

---
 flask_ldap_login/__init__.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/flask_ldap_login/__init__.py b/flask_ldap_login/__init__.py
index 907b329..fb55f63 100644
--- a/flask_ldap_login/__init__.py
+++ b/flask_ldap_login/__init__.py
@@ -160,14 +160,14 @@ def bind_search(self, username, password):
 ctx = {'username':username, 'password':password}
- user = self.config['BIND_DN'] % ctx
+ bind_user = self.config['BIND_DN'] % ctx
 bind_auth = self.config['BIND_AUTH']
 try:
- log.debug("Binding with the BIND_DN %s" % user)
- self.conn.simple_bind_s(user, bind_auth)
+ log.debug("Binding with the BIND_DN %s" % bind_user)
+ self.conn.simple_bind_s(bind_user, bind_auth)
 except ldap.INVALID_CREDENTIALS:
- msg = "Could not connect bind with the BIND_DN=%s" % user
+ msg = "Could not connect bind with the BIND_DN=%s" % bind_user
 log.debug(msg)
 if self._raise_errors:
 raise ldap.INVALID_CREDENTIALS(msg)
@@ -184,17 +184,24 @@ def bind_search(self, username, password):
 log.debug("Search for base=%s filter=%s" % (base, filt))
 results = self.conn.search_s(base, scope, filt, attrlist=self.attrlist)
 if results:
+ user = results[0][0]
 found_user = True
- log.debug("User with DN=%s found" % results[0][0])
+ log.debug("User with DN=%s found" % user)
 try:
- self.conn.simple_bind_s(results[0][0], password)
+ self.conn.simple_bind_s(user, password)
 except ldap.INVALID_CREDENTIALS:
- self.conn.simple_bind_s(user, bind_auth)
 log.debug("Username/password mismatch, continue search...")
+ # Re-bind as bind user to continue search
+ self.conn.simple_bind_s(bind_user, bind_auth)
 results = None
 continue
 else:
 log.debug("Username/password OK")
+ map_on_1st_search = self.config.get('MAP_ATTRS_ON_INITIAL_SEARCH', False)
+ if not map_on_1st_search:
+ # Re-run search now that we're bound using the correct user/pwd
+ # LDAP installations often give a fuller set of results when logged in as the actual user
+ results = self.conn.search_s(user, scope, attrlist=self.attrlist)
 break
 if not results and self._raise_errors:
 msg = "No users found matching search criteria: {}".format(user_search)
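Review bot: The re-run search at `results = self.conn.search_s(user, scope, attrlist=self.attrlist)` reuses the configured `scope` with the authenticated DN as base and no filter, so with a subtree scope it can return child entries alongside the user's own entry, and whichever comes first is what the caller later reads as `results[0]`; a base-scoped read pins the mapped attributes to the entry that actually authenticated, `results = self.conn.search_s(user, ldap.SCOPE_BASE, attrlist=self.attrlist)`. That second search can also come back empty when the user is not allowed to read its own entry, and the code then falls through to the `No users found matching search criteria` branch after the loop even though the bind succeeded, so keeping the first search as a fallback, `results = self.conn.search_s(user, ldap.SCOPE_BASE, attrlist=self.attrlist) or results`, avoids reporting a valid login as a failed lookup. Any `ldap.LDAPError` from the second call is presumably uncaught here, which would also turn a successful bind into an exception for the caller. The new `MAP_ATTRS_ON_INITIAL_SEARCH` option is read only here; a one-line mention in the config docstring, e.g. `# MAP_ATTRS_ON_INITIAL_SEARCH: use the bind-user search results for MAP_KEY instead of re-searching as the authenticated user`, would make the opt-in discoverable. The enclosing loop and `bind_search` continue outside the hunk.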