Support unauthenticated and anonymous bind

glide.yaml

@@ -1,7 +1,7 @@
 package: github.com/kismatic/kubernetes-ldap
 import:
 - package: github.com/go-ldap/ldap
-  version: 0e7db8eb77695b5a952f0e5d78df9ab160050c73
+  version: 0ae9f2495c4a9e5d436bc9a2b13a71a2fb06ddf3
   subpackages:
   - github.com\go-ldap\ldap
 - package: github.com/golang/glog

ldap/client.go

@@ -36,10 +36,17 @@ func (c *Client) Authenticate(username, password string) (*ldap.Entry, error) {
 	defer conn.Close()
 
 	// Bind user to perform the search
-	if c.SearchUserDN != "" && c.SearchUserPassword != "" {
-		err = conn.Bind(c.SearchUserDN, c.SearchUserPassword)
+	if c.SearchUserDN != "" {
+		if c.SearchUserPassword != "" {
+			// Authenticated bind
+			err = conn.Bind(c.SearchUserDN, c.SearchUserPassword)
+		} else {
+			// Unauthenticated bind (only username)
+			err = conn.UnauthenticatedBind(c.SearchUserDN)
+		}
 	} else {
-		err = conn.Bind(username, password)
+		// Anonymous bind
+		err = conn.UnauthenticatedBind("")
 	}
 	if err != nil {
 		return nil, fmt.Errorf("Error binding user to LDAP server: %v", err)
@@ -63,11 +70,9 @@ func (c *Client) Authenticate(username, password string) (*ldap.Entry, error) {
 	// Now that we know the user exists within the BaseDN scope
 	// let's do user bind to check credentials using the full DN instead of
 	// the attribute used for search
-	if c.SearchUserDN != "" && c.SearchUserPassword != "" {
-		err = conn.Bind(res.Entries[0].DN, password)
-		if err != nil {
-			return nil, fmt.Errorf("Error binding user %s, invalid credentials: %v", username, err)
-		}
+	err = conn.Bind(res.Entries[0].DN, password)
+	if err != nil {
+		return nil, fmt.Errorf("Error binding user %s, invalid credentials: %v", username, err)
 	}
 
 	// Single user entry found