Make LDAP bind failure cause an ldap_error, rather than an invalid_credentials

Mack Talcott · pboling · commit 6f6be75970db · 2025-11-06T02:58:19.000-07:00
Fixes #51
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -31,6 +31,8 @@ Please file a bug if you notice a violation of semantic versioning.
   - https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-11
 - Support for JSON bodies
 - Support custom LDAP attributes mapping
+- Raise a distinct error when LDAP server is unreachable
+  - Previously raised an invalid credentials authentication failure error, which is technically incorrect 
 
 ### Changed
 
diff --git a/lib/omniauth-ldap/adaptor.rb b/lib/omniauth-ldap/adaptor.rb
@@ -134,6 +134,8 @@ def bind_as(args = {})
         @last_password_policy_response = nil
         @connection.open do |me|
           rs = me.search(args)
+          raise ConnectionError.new("bind failed") unless rs
+
           if rs && rs.first
             dn = rs.first.dn
             if dn
diff --git a/spec/omniauth-ldap/adaptor_spec.rb b/spec/omniauth-ldap/adaptor_spec.rb
@@ -310,5 +310,14 @@ def mock_conn(opts = {})
       expect(@last_bind_args[:controls].first).to include(oid: ppolicy_oid)
       expect(adaptor.last_password_policy_response.oid).to eq(ppolicy_oid)
     end
+
+    it "should raise a ConnectionError if the bind fails" do
+      adaptor = OmniAuth::LDAP::Adaptor.new({host: "192.168.1.126", method: 'plain', base: 'dc=score, dc=local', port: 389, uid: 'sAMAccountName', bind_dn: 'bind_dn', password: 'password'})
+      expect(adaptor.connection).to receive(:open).and_yield(adaptor.connection)
+      # Net::LDAP#search returns nil if the operation was not successful
+      expect(adaptor.connection).to receive(:search).with(args).and_return(nil)
+      expect(adaptor.connection).not_to receive(:bind)
+      expect { adaptor.bind_as(args) }.to raise_error OmniAuth::LDAP::Adaptor::ConnectionError
+    end
   end
 end
