From 181f2cc4b56ef90fe7577228686d749edf2a99c1 Mon Sep 17 00:00:00 2001
From: Katharina Drexel
Date: Wed, 20 Jul 2022 18:18:24 +0200
Subject: [PATCH 1/2] Fixed #9063: Ask LDAP for user DN, don't concatenate username+baseDN.
---
 app/Models/Ldap.php | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/app/Models/Ldap.php b/app/Models/Ldap.php
index 4c471476254c..b55292918aca 100644
--- a/app/Models/Ldap.php
+++ b/app/Models/Ldap.php
@@ -95,6 +95,7 @@ public static function findAndBindUserLdap($username, $password)
 $connection = self::connectToLdap();
 $ldap_username_field = $settings->ldap_username_field;
 $baseDn = $settings->ldap_basedn;
+ // userDn should *not* depend on baseDN if LDAP auth -> redeclared further down
 $userDn = $ldap_username_field.'='.$username.','.$settings->ldap_basedn;
 if ($settings->is_ad == '1') {
@@ -119,6 +120,25 @@ public static function findAndBindUserLdap($username, $password)
 \Log::debug('Filter query: '.$filterQuery);
+ // userDn should be independent from baseDn (maybe you want to search in >=2 subtrees)
+ // -> better ask LDAP for user dn, that's why it is for
+ if ($settings->is_ad != '1') {
+ $userresults = ldap_search($connection, $baseDn, $filterQuery);
+ $userentries = ldap_get_entries($connection, $userresults);
+ // Can be empty if user does not exist
+ if ( $userentries["count"] > 0 ) {
+ $dn = $userentries[0]['dn'];
+ if ( $dn ) {
+ \Log::debug('User dn is: ' .$dn);
+ $userDn = $dn;
+ } else {
+ \Log::debug('User dn is empty.');
+ }
+ } else {
+ \Log::debug('Status of LDAP entries for user ' .$username. ': no result.');
+ }
+ }
+
 if (! $ldapbind = @ldap_bind($connection, $userDn, $password)) {
 \Log::debug("Status of binding user: $userDn to directory: (directly!) ".($ldapbind ? "success" : "FAILURE"));
 if (! $ldapbind = self::bindAdminToLdap($connection)) {
From 7a59a9b16a8cfc0aee34a8d4635a1cd854cba1a0 Mon Sep 17 00:00:00 2001
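Review bot: The comment added above `$userDn = $ldap_username_field.'='.$username.','.$settings->ldap_basedn;` says the value is "redeclared further down", but the later reassignment only happens when `$settings->is_ad != '1'` and the search returns a usable DN; for AD, and for any failed or empty search, this concatenated DN is the one that gets bound. A wording such as `// Initial/fallback DN; for non-AD directories it is replaced below by the DN returned from an LDAP search, when exactly one is found` makes the fallback explicit. Because that fallback is still assembled from `$username`, it is worth confirming where the value is produced that it has been DN-escaped (`ldap_escape($username, '', LDAP_ESCAPE_DN)`); that cannot be seen from this hunk. findAndBindUserLdap starts and ends outside the hunk.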
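Review bot: `$userresults = ldap_search($connection, $baseDn, $filterQuery);` is handed straight to `ldap_get_entries()` without a `false` check; `ldap_search()` returns `false` when the search fails (bad base DN, filter error, or a directory that rejects unauthenticated searches, since as far as this hunk shows `$connection` has not been bound at this point), and on PHP 8 that becomes a TypeError instead of the logged fallback the code intends. Guard it, and treat a `false` from `ldap_get_entries()` the same way: `$userentries = $userresults !== false ? ldap_get_entries($connection, $userresults) : false;` followed by `if ($userentries === false) { \Log::debug('LDAP search for user ' .$username. ' failed: ' .ldap_error($connection)); } elseif ( $userentries["count"] > 0 ) {` in place of the existing `if`. The same unchecked `$userentries` is carried into both hunks of the second patch. Because the DN returned by this search is what the supplied password is then bound against, the path also relies on `$filterQuery` having been built with `ldap_escape($username, '', LDAP_ESCAPE_FILTER)`; that happens above the hunk and should be confirmed. findAndBindUserLdap starts and ends outside the hunk.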
From: Katharina Drexel
Date: Tue, 23 Aug 2022 09:45:16 +0200
Subject: [PATCH 2/2] Adding uberbradys proposals (https://github.com/snipe/snipe-it/pull/11544).
Signed-off-by: Katharina Drexel
---
 app/Models/Ldap.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/Models/Ldap.php b/app/Models/Ldap.php
index b55292918aca..94475f656918 100644
--- a/app/Models/Ldap.php
+++ b/app/Models/Ldap.php
@@ -126,7 +126,7 @@ public static function findAndBindUserLdap($username, $password)
 $userresults = ldap_search($connection, $baseDn, $filterQuery);
 $userentries = ldap_get_entries($connection, $userresults);
 // Can be empty if user does not exist
- if ( $userentries["count"] > 0 ) {
+ if ( $userentries["count"] == 1 ) {
 $dn = $userentries[0]['dn'];
 if ( $dn ) {
 \Log::debug('User dn is: ' .$dn);
@@ -135,7 +135,7 @@ public static function findAndBindUserLdap($username, $password)
 \Log::debug('User dn is empty.');
 }
 } else {
- \Log::debug('Status of LDAP entries for user ' .$username. ': no result.');
+ \Log::debug('Status of LDAP entries for user ' .$username. ': ' .$userentries["count"]. ' result(s).');
 }
 }
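Review bot: `if ( $userentries["count"] == 1 ) {` uses a loose comparison where `if ($userentries["count"] === 1) {` says what is meant and matches the integer `ldap_get_entries()` stores under `"count"`. Note also what the tightened condition changes: a filter matching two or more entries no longer binds as the first hit but drops into the `else` branch, after which the bind still proceeds with the concatenated `$userDn` assigned earlier in the function, so an ambiguous lookup quietly degrades to the behaviour the first patch set out to replace. findAndBindUserLdap starts and ends outside the hunk.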
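Review bot: `\Log::debug('Status of LDAP entries for user ' .$username. ': ' .$userentries["count"]. ' result(s).');` reports a multi-match at the same debug level as a plain miss, yet after the `== 1` change two or more hits mean the configured filter is ambiguous and the code falls back to the concatenated `$userDn`; that condition should be visible in production logs rather than only in debug output. Add `if ($userentries["count"] > 1) { \Log::warning('Ambiguous LDAP lookup for user ' .$username. ': ' .$userentries["count"]. ' entries matched, falling back to the configured DN pattern.'); }` ahead of the existing debug line. findAndBindUserLdap starts and ends outside the hunk.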