From be3d58c55d162de276579f5f08ea68711d89a7d8 Mon Sep 17 00:00:00 2001
From: Peter Marschall
Date: Sun, 20 Jul 2025 13:58:37 +0200
Subject: [PATCH] LDAP auth: protect LDAP search with a try: .. except clause

Make sure to catch exceptions when searching for the user in LDAP, log as error and fail gracefully by declining login.
---
 radicale/auth/ldap.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/radicale/auth/ldap.py b/radicale/auth/ldap.py
index e45aeb29..2c4d63c3 100644
--- a/radicale/auth/ldap.py
+++ b/radicale/auth/ldap.py
@@ -233,12 +233,16 @@ class Auth(auth.BaseAuth):
 """Search the user dn"""
 escaped_login = self.ldap3.utils.conv.escape_filter_chars(login)
 logger.debug(f"_login3 login escaped for LDAP filters: {escaped_login}")
- conn.search(
- search_base=self._ldap_base,
- search_filter=self._ldap_filter.format(escaped_login),
- search_scope=self.ldap3.SUBTREE,
- attributes=self._ldap_attributes
- )
+ try:
+ conn.search(
+ search_base=self._ldap_base,
+ search_filter=self._ldap_filter.format(escaped_login),
+ search_scope=self.ldap3.SUBTREE,
+ attributes=self._ldap_attributes
+ )
+ except Exception as e:
+ logger.error(f"_login3 LDAP search for {login} failed: {e}")
+ return ""
 if len(conn.entries) != 1:
 """User could not be found unambiguously"""
 logger.debug(f"_login3 no unique DN found for '{login}'")
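Review bot: The added `logger.error` line interpolates the raw, client-supplied `login` unquoted, and unlike the neighbouring debug messages it is written at a level that is normally enabled, so a login containing line breaks could forge entries in the authentication log unless the logging layer already escapes them; `logger.error(f"_login3 LDAP search for {login!r} failed: {e}")` avoids that. Separately, `except Exception` also covers the `self._ldap_filter.format(escaped_login)` call, so a malformed configured filter would surface as a declined login rather than as a configuration error; catching ldap3's base exception instead (`except self.ldap3.core.exceptions.LDAPException as e:`) would keep the fail-closed `return ""` for directory errors only. The enclosing method (apparently `_login3`) begins and ends outside the hunk, so whether `conn` is unbound on this early-return path cannot be checked from here.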