From 50172e58d8f8b9baee987df024690e1a844f4b46 Mon Sep 17 00:00:00 2001
From: "Langhammer, Jens" <jens.langhammer@haufe-lexware.com>
Date: Sat, 12 Oct 2019 14:00:34 +0200
Subject: [PATCH] sources/ldap(minor): save ldap password for user upon
 successful bind

---
 passbook/sources/ldap/connector.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/passbook/sources/ldap/connector.py b/passbook/sources/ldap/connector.py
index 9e2871be5..d5735a3d5 100644
--- a/passbook/sources/ldap/connector.py
+++ b/passbook/sources/ldap/connector.py
@@ -142,10 +142,26 @@ class Connector:
         users = User.objects.filter(**filters)
         if not users.exists():
             return None
-        user = users.first()
+        user: User = users.first()
         if 'distinguishedName' not in user.attributes:
             LOGGER.debug("User doesn't have DN set, assuming not LDAP imported.", user=user)
             return None
+        # Either has unusable password,
+        # or has a password, but couldn't be authenticated by ModelBackend.
+        # This means we check with a bind to see if the LDAP password has changed
+        if self.auth_user_by_bind(user, password):
+            # Password given successfully binds to LDAP, so we save it in our Database
+            LOGGER.debug("Updating user's password in DB", user=user)
+            user.set_password(password)
+            user.save()
+            return user
+        # Password doesn't match
+        LOGGER.debug("Failed to bind, password invalid")
+        return None
+
+    def auth_user_by_bind(self, user: User, password: str) -> Optional[User]:
+        """Attempt authentication by binding to the LDAP server as `user`. This
+        method should be avoided as its slow to do the bind."""
         # Try to bind as new user
         LOGGER.debug("Attempting Binding as user", user=user)
         try: