diff --git a/app/Models/Ldap.php b/app/Models/Ldap.php
index e2b8ba12bd..907238ce41 100644
--- a/app/Models/Ldap.php
+++ b/app/Models/Ldap.php
@@ -176,16 +176,22 @@ class Ldap extends Model
 throw new Exception('Your app key has changed! Could not decrypt LDAP password using your current app key, so LDAP authentication has been disabled. Login with a local account, update the LDAP password and re-enable it in Admin > Settings.');
 }
- if (! $ldapbind = @ldap_bind($connection, $ldap_username, $ldap_pass)) {
- throw new Exception('Could not bind to LDAP: '.ldap_error($connection));
- }
- // TODO - this just "falls off the end" but the function states that it should return true or false
- // unfortunately, one of the use cases for this function is wrong and *needs* for that failure mode to fire
- // so I don't want to fix this right now.
- // this method MODIFIES STATE on the passed-in $connection and just returns true or false (or, in this case, undefined)
- // at the next refactor, this should be appropriately modified to be more consistent.
- }
-
+ if ( $ldap_username ) {
+ if (! $ldapbind = @ldap_bind($connection, $ldap_username, $ldap_pass)) {
+ throw new Exception('Could not bind to LDAP: '.ldap_error($connection));
+ }
+ // TODO - this just "falls off the end" but the function states that it should return true or false
+ // unfortunately, one of the use cases for this function is wrong and *needs* for that failure mode to fire
+ // so I don't want to fix this right now.
+ // this method MODIFIES STATE on the passed-in $connection and just returns true or false (or, in this case, undefined)
+ // at the next refactor, this should be appropriately modified to be more consistent.
+ } else {
+ // LDAP should also work with anonymous bind (no dn, no password available)
+ if (! $ldapbind = @ldap_bind($connection )) {
+ throw new Exception('Could not bind to LDAP: '.ldap_error($connection));
+ }
+ }
+ }
 /**
 * Parse and map LDAP attributes based on settings
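Review bot: The new `else` branch selects an anonymous bind purely because `$ldap_username` is falsy, so a bind DN that was blanked or failed to load downgrades the connection to anonymous instead of failing, and nothing records that this happened. The `if ( $ldap_username )` branch also still passes `$ldap_pass` to `ldap_bind()` unchecked; a DN with an empty password is an unauthenticated bind under RFC 4513, which many directory servers accept and treat as anonymous. I would reject that case before binding, e.g. `if ($ldap_pass === null || $ldap_pass === '') { throw new Exception('LDAP bind password is empty'); }`, and make the anonymous path an explicit, logged choice rather than a side effect of an empty field. The function begins above this hunk, so where `$ldap_username` and `$ldap_pass` are loaded from is not visible here.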