Move user password verification after checking his groups on ldap auth (go-gitea#19587)

In case the binded user can not access its own attributes.

Signed-off-by: Gwilherm Folliot <[email protected]>

Co-authored-by: wxiaoguang <[email protected]>

Author: 2 people

services/auth/source/ldap/source_search.go

@@ -433,14 +433,6 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 		isRestricted = checkRestricted(l, ls, userDN)
 	}
 
-	if !directBind && ls.AttributesInBind {
-		// binds user (checking password) after looking-up attributes in BindDN context
-		err = bindUser(l, userDN, passwd)
-		if err != nil {
-			return nil
-		}
-	}
-
 	if isAtributeAvatarSet {
 		Avatar = sr.Entries[0].GetRawAttributeValue(ls.AttributeAvatar)
 	}
@@ -451,6 +443,14 @@ func (ls *Source) SearchEntry(name, passwd string, directBind bool) *SearchResul
 		teamsToAdd, teamsToRemove = ls.getMappedMemberships(l, uid)
 	}
 
+	if !directBind && ls.AttributesInBind {
+		// binds user (checking password) after looking-up attributes in BindDN context
+		err = bindUser(l, userDN, passwd)
+		if err != nil {
+			return nil
+		}
+	}
+
 	return &SearchResult{
 		LowerName:      strings.ToLower(username),
 		Username:       username,