grokability · Godmartinz · Sep 18, 2025 · Sep 22, 2025 · Sep 25, 2025 · Sep 30, 2025
@@ -302,14 +302,17 @@ public function login(Request $request)
         if (Setting::getSettings()->ldap_enabled) { // avoid hitting the $this->ldap
             LOG::debug('LDAP is enabled.');
             try {
-                LOG::debug('Attempting to log user in by LDAP authentication.');
                 $user = $this->loginViaLdap($request);
                 Auth::login($user, $request->input('remember'));
-
-                // If the user was unable to login via LDAP, log the error and let them fall through to
-            // local authentication.
             } catch (\Exception $e) {
-                Log::debug('There was an error authenticating the LDAP user: '.$e->getMessage());
+
+                Session::flash('error', $e->getMessage());
+                Log::warning("LDAP bind failed ({$e}");
+                return back()->withInput();
+            } catch (\Throwable $e) {
+                Session::flash('error', 'Login failed. Please try again.');
+                Log::error($e);
+                return back()->withInput();
             }
         }
 

@@ -97,7 +97,13 @@ public static function connectToLdap()
         ldap_set_option($connection, LDAP_OPT_NETWORK_TIMEOUT, 20);
 
         if ($ldap_use_tls=='1') {
-            ldap_start_tls($connection);
+            //suppresses the error and throws exception.
+            if (! @ldap_start_tls($connection)) {
+                $code = ldap_errno($connection);
+                $err  = ldap_error($connection);
+
+                throw new \Exception("Could not start TLS with LDAP (code $code): $err.");
+            }
         }
 
 
@@ -108,14 +114,15 @@ public static function connectToLdap()
     /**
      * Binds/authenticates the user to LDAP, and returns their attributes.
      *
-     * @author [A. Gianotto] [<snipe@snipe.net>]
-     * @since  [v3.0]
      * @param  $username
      * @param  $password
-     * @param  bool|false $user
+     * @param bool|false $user
      * @return bool true    if the username and/or password provided are valid
      *              false   if the username and/or password provided are invalid
      *         array of ldap_attributes if $user is true
+     * @throws Exception
+     * @since  [v3.0]
+     * @author [A. Gianotto] [<snipe@snipe.net>]
      */
     public static function findAndBindUserLdap($username, $password)
     {
@@ -147,7 +154,21 @@ public static function findAndBindUserLdap($username, $password)
 
         Log::debug('Filter query: '.$filterQuery);
 
+        //Suppressing the error and handling it to be more friendly
         if (! $ldapbind = @ldap_bind($connection, $userDn, $password)) {
+            $code = ldap_errno($connection);
+            $err  = ldap_error($connection);
+
+            Log::warning("LDAP bind FAILED for DN={$userDn} code={$code} error={$err}");
+
+            //More codes can be found under Client side result codes at ldap.com
+            $friendly = 'Invalid username or password.';
+
+            throw new Exception(
+                $friendly,
+                $code,
+            );
+        }
             Log::debug("Status of binding user: $userDn to directory: (directly!) ".($ldapbind ? "success" : "FAILURE"));
             if (! $ldapbind = self::bindAdminToLdap($connection)) {
                 /*
@@ -166,7 +187,6 @@ public static function findAndBindUserLdap($username, $password)
                 Log::debug("Status of binding Admin user: $userDn to directory instead: ".($ldapbind ? "success" : "FAILURE"));
                 return false;
             }
-        }
 
         if (! $results = ldap_search($connection, $baseDn, $filterQuery)) {
             throw new Exception('Could not search LDAP: ');