--- a/src/modules/extra/m_ldapauth.cpp
+++ b/src/modules/extra/m_ldapauth.cpp
@@ -311,7 +311,7 @@
 RAIILDAPMessage msg;
 std::string what = (attribute + "=" + (useusername ? user->ident : user->nick));
- if ((res = ldap_search_ext_s(conn, base.c_str(), searchscope, what.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg)) != LDAP_SUCCESS)
+ if ((res = ldap_search_ext_s(conn, base.c_str(), searchscope, what.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg)) != LDAP_SUCCESS || ldap_count_entries(conn, msg) < 1)
 {
 // Do a second search, based on password, if it contains a :
 // That is, PASS : will work.
@@ -323,7 +323,7 @@
 // free the old one.
 msg.dealloc();
- std::string cutpassword = user->password.substr(0, pos);
+ std::string cutpassword = (attribute + "=" + user->password.substr(0, pos));
 res = ldap_search_ext_s(conn, base.c_str(), searchscope, cutpassword.c_str(), NULL, 0, NULL, NULL, NULL, 0, &msg);
 if (res == LDAP_SUCCESS)
@@ -355,6 +355,15 @@
 ServerInstance->SNO->WriteToSnoMask('c', "Forbidden connection from %s (LDAP search returned no results: %s)", user->GetFullRealHost().c_str(), ldap_err2string(res));
 return false;
 }
+
+ // if the password starts with name:, strip the name: from the password
+ // if the nick is different, then we discovered and fixed that earlier.
+ std::string tmp = ((useusername ? user->ident : user->nick) + ":");
+ size_t tmppos = user->password.find(":");
+ if (tmp.compare(0, tmp.length(), user->password, 0, tmp.length()) == 0) {
+ user->password = user->password.substr(tmppos + 1);
+ }
+
+ cred.bv_val = (char*)user->password.data();
 cred.bv_len = user->password.length();
 RAIILDAPString DN(ldap_get_dn(conn, entry));
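Review bot: With the added `|| ldap_count_entries(conn, msg) < 1`, a search that succeeds but matches nothing now falls into the password-based retry with `res` still holding `LDAP_SUCCESS`; if the retry also finds nothing, the snomask line visible in the third hunk (`LDAP search returned no results: %s` formatted with `ldap_err2string(res)`) appears to log "Success" as the reason, which is misleading in an audit trail. Consider logging the entry count or a fixed reason for the empty-result case, e.g. `"(LDAP search returned no results)"` without the `%s`, or setting `res` to a non-success value before reaching that path. The `< 1` comparison correctly covers the `-1` that `ldap_count_entries` returns on error. The enclosing function starts and ends outside this hunk.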
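Review bot: The new `cutpassword` line builds the LDAP search filter by concatenating `user->password.substr(0, pos)`, client-supplied text with no character restrictions, so filter metacharacters (`*`, `(`, `)`, `\`, NUL) in the PASS string change the filter's meaning instead of being matched literally — a `*` on its own would match every entry under `base` rather than one account. Escape the value per RFC 4515 before it enters the filter; the same applies to `what` in the first hunk, which is built from `user->ident`/`user->nick` (those are at least constrained by nick/ident validation, but the escaping is cheap and keeps both filters a literal equality match). A helper along the lines of the one below, applied to both values, is enough; the enclosing function starts and ends outside this hunk.
```cpp
// Escape a value for use inside an LDAP search filter (RFC 4515 section 3).
static std::string LdapFilterEscape(const std::string& in)
{
	std::string out;
	out.reserve(in.length());
	for (std::string::const_iterator i = in.begin(); i != in.end(); ++i)
	{
		switch (*i)
		{
			case '*':  out += "\\2a"; break;
			case '(':  out += "\\28"; break;
			case ')':  out += "\\29"; break;
			case '\\': out += "\\5c"; break;
			case '\0': out += "\\00"; break;
			default:   out += *i;
		}
	}
	return out;
}

// … unchanged: msg.dealloc() …
std::string cutpassword = (attribute + "=" + LdapFilterEscape(user->password.substr(0, pos)));
```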
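Review bot: The prefix-strip block opens its brace on the same line (`== 0) {`) while the surrounding code (the `{` after the `if` in the first hunk) puts braces on their own line; match the file's style. The `tmppos` lookup is redundant: `tmp` ends in `:`, so once it matches the start of `user->password` the first `:` is necessarily at `tmp.length() - 1`, and the block reduces to `if (user->password.compare(0, tmp.length(), tmp) == 0)` followed by `user->password.erase(0, tmp.length());`. The comment says a differing name was "discovered and fixed earlier"; that branch is outside this hunk, so it is worth confirming it strips its own `name:` prefix before the bind, because this block only strips when the prefix equals the current nick/ident. The enclosing function starts and ends outside this hunk.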