From dfe1f11c92780ee96da660cae31c0d928a026520 Mon Sep 17 00:00:00 2001 From: "Crane.z" <1481445951@qq.com> Date: Wed, 8 Jul 2026 16:13:06 +0800 Subject: [PATCH] fix(auth): enforce LDAP login identity match --- apps/authentication/backends/ldap.py | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/apps/authentication/backends/ldap.py b/apps/authentication/backends/ldap.py index 83e5ef8f1..ed25fa1c5 100644 --- a/apps/authentication/backends/ldap.py +++ b/apps/authentication/backends/ldap.py @@ -99,8 +99,28 @@ class LDAPBaseBackend(LDAPBackend): return None user = self.authenticate_ldap_user(ldap_user, password) logger.info('Authenticate user: {}'.format(user)) + if not user: + return None + if not self._is_same_login_user(username, user): + return None return user if self.user_can_authenticate(user) else None + def _is_same_login_user(self, submitted_username, user): + query_field = self.settings.USER_QUERY_FIELD or self.get_user_model().USERNAME_FIELD + submitted = self._normalize_login_identity(submitted_username) + authenticated = self._normalize_login_identity(getattr(user, query_field, None)) + if not submitted or not authenticated: + return False + if submitted != authenticated: + return False + return True + + @staticmethod + def _normalize_login_identity(value): + if value is None: + return '' + return str(value).strip().casefold() + def pre_check(self, username, password): if not self.is_enabled(): error = 'Not enabled auth ldap'