
From 27a3cc9ebc871302d906163418a548006367b9e9 Mon Sep 17 00:00:00 2001
From: "Gareth J. Greenaway" <gareth@wiked.org>
Date: Thu, 2 Aug 2018 15:35:24 -0700
Subject: [PATCH] Fixing issue when a valid token is generated even when
 invalid user credentials are passed.  This change verifies that the binddn
 credentials are valid, then verifies that the username & password (if not
 None) are also valid.

---
 salt/auth/ldap.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/salt/auth/ldap.py b/salt/auth/ldap.py
index cbfb03a2f2..0b9aa69fe4 100644
--- a/salt/auth/ldap.py
+++ b/salt/auth/ldap.py
@@ -283,9 +283,15 @@ def auth(username, password):
         log.error('LDAP authentication requires python-ldap module')
         return False
 
-    # If bind credentials are configured, use them instead of user's
+    # If bind credentials are configured, verify that we can a valid bind
     if _config('binddn', mandatory=False) and _config('bindpw', mandatory=False):
         bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
+
+        # If username & password are not None, attempt to verify they are valid
+        if bind and username and password:
+            bind = _bind(username, password,
+                         anonymous=_config('auth_by_group_membership_only', mandatory=False)
+                         and _config('anonymous', mandatory=False))
     else:
         bind = _bind(username, password,
                      anonymous=_config('auth_by_group_membership_only', mandatory=False)
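Review bot: The new guard `if bind and username and password:` only re-binds as the user when both values are non-empty, so an empty or None password leaves `bind` holding the successful binddn search bind; unless the remainder of auth() (which continues outside the hunk) rejects that case, a missing password would still fall through with the service account's bind rather than failing closed. An explicit rejection before the re-bind would make the intent unambiguous, e.g. `if bind and not (username and password): log.error('LDAP authentication requires a username and password'); return False`, or an `else: bind = False` on the new inner `if`, depending on whether auth_by_group_membership_only is meant to permit an empty user password here. The `_bind(username, password, anonymous=...)` call with its `auth_by_group_membership_only and anonymous` expression now appears twice (once in the new branch, once in the `else`); hoisting it into a local such as `user_anonymous = _config('auth_by_group_membership_only', mandatory=False) and _config('anonymous', mandatory=False)` would keep the two call sites from drifting. The new comment also drops a word: `# If bind credentials are configured, verify that we can get a valid bind`.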
-- 
2.19.0

