From a7a25c4100d6c750e2717eb7d17e884a6cae393b Mon Sep 17 00:00:00 2001
From: Thomas Miceli <27960254+thomiceli@users.noreply.github.com>
Date: Thu, 14 Aug 2025 11:10:45 +0200
Subject: [PATCH] Fix LDAP with valid old password login (#497)
---
 internal/web/handlers/auth/password.go | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/internal/web/handlers/auth/password.go b/internal/web/handlers/auth/password.go
index ff8ab5c..24e57a6 100644
--- a/internal/web/handlers/auth/password.go
+++ b/internal/web/handlers/auth/password.go
@@ -2,6 +2,7 @@ package auth
 import (
 "errors"
+ "github.com/rs/zerolog/log"
 "github.com/thomiceli/opengist/internal/auth/ldap"
 passwordpkg "github.com/thomiceli/opengist/internal/auth/password"
@@ -124,15 +125,24 @@ func ProcessLogin(ctx *context.Context) error {
 return ctx.ErrorRes(400, ctx.Tr("error.cannot-bind-data"), err)
 }
- if ldap.Enabled() {
- if user, err = tryLdapLogin(ctx, dto.Username, dto.Password); err != nil {
- return err
- }
- }
- if user == nil {
+ localUser, err := db.GetUserByUsername(dto.Username)
+ hasLocalPassword := err == nil && localUser.Password != ""
+
+ if hasLocalPassword {
 if user, err = tryDbLogin(ctx, dto.Username, dto.Password); user == nil {
 return err
 }
+ } else {
+ if ldap.Enabled() {
+ if user, err = tryLdapLogin(ctx, dto.Username, dto.Password); err != nil {
+ return err
+ }
+ }
+ if user == nil {
+ if user, err = tryDbLogin(ctx, dto.Username, dto.Password); user == nil {
+ return err
+ }
+ }
 }
 // handle MFA
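Review bot: In the second hunk, `hasLocalPassword := err == nil && localUser.Password != ""` treats every failure of `db.GetUserByUsername` as "no local password", so a database error, not only an unknown username, silently moves the attempt onto the LDAP path, and the error is then overwritten by the next assignment to `err`. I would separate the not-found case from other lookup errors and at least log the latter before continuing, e.g. `log.Warn().Err(err).Msg("Cannot look up local user before login")`. The new branch also means an account that holds a local password hash is never checked against LDAP, so a password change or account disable in the directory presumably does not affect that login. That precedence deserves a comment above `if hasLocalPassword {`, such as `// Accounts with a local password authenticate locally only; LDAP is not consulted for them.` ProcessLogin starts before and continues past the hunk, so how `tryDbLogin` treats an empty stored password in the `else` branch is not visible here.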