2010-10-11
stpierre
The getUserInfo() auth method in the LDAP auth class ensures that you are bound to the LDAP directory. If you are not bound, then it tries to bind using the session username/password. But if you are using LDAP as a one-time password gateway (e.g., RSA or Yubikey), then this rebind will always fail (silently). Enough failures and your account might get locked, depending on the policies set up at your site. For instance, if you use a plugin that calls getUserInfo() a lot, you could get hosed pretty quickly.
I know this is an edge case, but there should be a configuration option to tell the LDAP getUserInfo() implementation to bind anonymously rather than trying to rebind with the original login creds in those cases where the original creds may no longer be valid.
Looking at the code, this bug is still present in "Lazy Sunday."
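A toy model of the lockout path described above, added here as an illustration and not code from the project or the reporter. It assumes a hypothetical directory where the session password is a one-time password that is consumed on the first successful bind, a site policy of three failed binds before lockout, and a `bind_anonymously` switch standing in for the requested configuration option; every name below is made up.

```python
MAX_FAILURES = 3   # hypothetical site lockout policy, not from the original post

class OtpDirectory:
    """Stand-in for an LDAP server fronted by an OTP gateway (hypothetical)."""
    def __init__(self, user, otp):
        self.user = user
        self.unused_otps = {otp}     # constructed sample: one valid OTP
        self.failures = 0
        self.locked = False

    def bind(self, dn=None, password=None):
        if dn is None and password is None:
            return True              # anonymous bind is always accepted here
        if not self.locked and dn == self.user and password in self.unused_otps:
            self.unused_otps.discard(password)   # an OTP works exactly once
            return True
        self.failures += 1           # every rebind with the used OTP lands here
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False

    def lookup(self, dn):
        return {"dn": dn, "cn": dn.split(",")[0]}   # toy attribute lookup

class LdapAuth:
    """Simplified model of getUserInfo()'s rebind logic (not the real class)."""
    def __init__(self, directory, bind_anonymously=False):
        self.directory = directory
        self.bind_anonymously = bind_anonymously
        self.session = None

    def login(self, dn, password):
        self.session = (dn, password)    # the session keeps the original creds
        return self.directory.bind(dn, password)

    def get_user_info(self):
        # Each call arrives on a fresh, unbound connection, so it binds again.
        if self.bind_anonymously:
            bound = self.directory.bind()
        else:
            bound = self.directory.bind(*self.session)   # rebind with stale OTP
        if not bound:
            return None                  # the silent failure described above
        return self.directory.lookup(self.session[0])

def simulate(bind_anonymously, lookups=5):
    """Return (successful lookups, failed binds, account locked?)."""
    directory = OtpDirectory("uid=alice,ou=people,dc=example,dc=org", "493120")
    auth = LdapAuth(directory, bind_anonymously)
    auth.login(directory.user, "493120")
    ok = sum(auth.get_user_info() is not None for _ in range(lookups))
    return ok, directory.failures, directory.locked
```

With the default rebind, five lookups after login produce zero results and five failed binds, enough to trip the lockout; with the anonymous bind all five lookups succeed and the failure counter never moves.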