diff --git a/apps/authentication/backends/ldap.py b/apps/authentication/backends/ldap.py index 83e5ef8f1..ed25fa1c5 100644 --- a/apps/authentication/backends/ldap.py +++ b/apps/authentication/backends/ldap.py @@ -99,8 +99,28 @@ class LDAPBaseBackend(LDAPBackend): return None user = self.authenticate_ldap_user(ldap_user, password) logger.info('Authenticate user: {}'.format(user)) + if not user: + return None + if not self._is_same_login_user(username, user): + return None return user if self.user_can_authenticate(user) else None + def _is_same_login_user(self, submitted_username, user): + query_field = self.settings.USER_QUERY_FIELD or self.get_user_model().USERNAME_FIELD + submitted = self._normalize_login_identity(submitted_username) + authenticated = self._normalize_login_identity(getattr(user, query_field, None)) + if not submitted or not authenticated: + return False + if submitted != authenticated: + return False + return True + + @staticmethod + def _normalize_login_identity(value): + if value is None: + return '' + return str(value).strip().casefold() + def pre_check(self, username, password): if not self.is_enabled(): error = 'Not enabled auth ldap'