From 4029e19b72763d022ba436f39c4af8f8de7e833c Mon Sep 17 00:00:00 2001
From: Jens Langhammer <jens.langhammer@beryju.org>
Date: Sun, 18 Jul 2021 22:22:35 +0200
Subject: [PATCH] outposts/ldap: fix order of flow check

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
---
 internal/outpost/ldap/bind.go          | 2 +-
 internal/outpost/ldap/instance_bind.go | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/internal/outpost/ldap/bind.go b/internal/outpost/ldap/bind.go
index c050b7184..0988850f4 100644
--- a/internal/outpost/ldap/bind.go
+++ b/internal/outpost/ldap/bind.go
@@ -8,8 +8,8 @@ import (
 )
 
 func (ls *LDAPServer) Bind(bindDN string, bindPW string, conn net.Conn) (ldap.LDAPResultCode, error) {
-	ls.log.WithField("bindDN", bindDN).Info("bind")
 	bindDN = strings.ToLower(bindDN)
+	ls.log.WithField("bindDN", bindDN).Info("bind")
 	for _, instance := range ls.providers {
 		username, err := instance.getUsername(bindDN)
 		if err == nil {
diff --git a/internal/outpost/ldap/instance_bind.go b/internal/outpost/ldap/instance_bind.go
index a3816ca1a..5954cd5ef 100644
--- a/internal/outpost/ldap/instance_bind.go
+++ b/internal/outpost/ldap/instance_bind.go
@@ -48,13 +48,13 @@ func (pi *ProviderInstance) Bind(username string, bindDN, bindPW string, conn ne
 	fe.Answers[outpost.StagePassword] = bindPW
 
 	passed, err := fe.Execute()
+	if !passed {
+		return ldap.LDAPResultInvalidCredentials, nil
+	}
 	if err != nil {
 		pi.log.WithField("bindDN", bindDN).WithError(err).Warning("failed to execute flow")
 		return ldap.LDAPResultOperationsError, nil
 	}
-	if !passed {
-		return ldap.LDAPResultInvalidCredentials, nil
-	}
 	access, err := fe.CheckApplicationAccess(pi.appSlug)
 	if !access {
 		pi.log.WithField("bindDN", bindDN).Info("Access denied for user")