LDAP Source Bind from Federation & Social login is Broken Since Commit 1ca8feb

[ReaHe]

Describe the bug
LDAP Sources are broken since commit 1ca8feb. This is due to a double bind that is attempted on the Connection object. The second bind consistently causes a LDAPInvalidCredentailResult exception even if it is successful the first bind. I found this bug after updating Authentik to 2023.5.3 wondering why LDAP logins no longer worked. The LDAP backend is consistently changing passwords due to TOTP so a cached password was never hit always forcing a LDAP bind. Which is what made me find this issue.

To Reproduce

1. Set up a LDAP Source that works
2. Login in as any user using the LDAP Password for that users THATS NOT CACHED
3. User Always gets Invalid Credentials

Expected behavior
User should successfully login

Logs
None Provided

Version and Deployment (please complete the following information):

• authentik version: 2023.5.3
• Deployment: docker-compose

Additional context
I confirmed this bug on my own stack by creating multiple logging lines using LOGGER and checking DEBUG output. For some reason a second bind always causes this Exception with Authentik if the first was successful. I'm not sure if the state is reset per successful connection which is causing this. But by removing the extra bind performed in /authentik/sources/ldap/auth.py I no longer get erroneous invalid credential exceptions.

[septatrix]

I can confirm that this regression is present in 2023.5.3 whereas 2023.1.2 is working. We are seeing the same behaviour.

[BeryJu]

Yeah that extra bind here 1ca8feb#diff-8e72f28797d7b000f7675c5e282aed66bb14164300c9537fcb7cee8e0bfaa413R66 should be removed, however I wasn't able to reproduce any error testing against Samba

[ReaHe]

Thx for fixing it already and thats interesting that Samba did not have any errors. I am using FreeIPA which uses the 389 Directory Service (https://www.port389.org/). I've never used any LDAP features with Samba so I wonder how it and ldap3 (pip package) are communicating differently. I'm also curious if anonymous binds (or something similar) are allowed in your Samba setup, causing you to bypass the root of the issue. Regardless, thank you for fixing it!

[BeryJu]

The double bind doesn't really do anything wrong according to the LDAP spec, it opens an LDAP connection, sends a bind request, and afterwards sends another bind request on the same connection. Besides costing us some more time, it shouldn't cause any issues in theory

[septatrix]

We are running a custom LDAP server based on ldaptor so this might also be something which we should have a look into ourselves though no other client seemed to struggle with this so far.

[strazto]

Maybe related:
#5199