Fixing issue when a valid token is generated even when invalid user credentials are passed. This change verifies that the binddn credentials are valid, then verifies that the username & password (if not None) are also valid.

salt/auth/ldap.py

@@ -283,9 +283,15 @@ def auth(username, password):
         log.error('LDAP authentication requires python-ldap module')
         return False
 
-    # If bind credentials are configured, use them instead of user's
+    # If bind credentials are configured, verify that we can a valid bind
     if _config('binddn', mandatory=False) and _config('bindpw', mandatory=False):
         bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
+
+        # If username & password are not None, attempt to verify they are valid
+        if bind and username and password:
+            bind = _bind(username, password,
+                         anonymous=_config('auth_by_group_membership_only', mandatory=False)
+                         and _config('anonymous', mandatory=False))
     else:
         bind = _bind(username, password,
                      anonymous=_config('auth_by_group_membership_only', mandatory=False)