From 521ee34899f3de80b183b8d6756eab86fcf2b69b Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Wed, 24 Feb 2021 14:42:29 +0100
Subject: [PATCH] ldap: differentiate errors during bind (#51353)

---
 src/authentic2/backends/ldap_backend.py | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/authentic2/backends/ldap_backend.py b/src/authentic2/backends/ldap_backend.py
index 28f212e3..85e5b8a0 100644
--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@@ -1449,8 +1449,13 @@ class LDAPBackend(object):
 return False, u'invalid credentials'
 except ldap.INVALID_DN_SYNTAX:
 return False, u'invalid dn syntax %s' % who
- except (ldap.TIMEOUT, ldap.CONNECT_ERROR, ldap.SERVER_DOWN):
- return False, u'ldap is down'
+ except ldap.CONNECT_ERROR:
+ log.error('connection to %r failed, did you forget to declare the TLS certificate '
+ 'in /etc/ldap/ldap.conf ?', block['url'])
+ except ldap.TIMEOUT:
+ log.error('connection to %r timed out', block['url'])
+ except ldap.SERVER_DOWN:
+ log.error('ldap authentication error: %r is down', block['url'])

 @classmethod
 def get_connection(cls, block, credentials=()):
--
2.20.1
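Review bot: The three new `except` branches (`ldap.CONNECT_ERROR`, `ldap.TIMEOUT`, `ldap.SERVER_DOWN`) log the failure but no longer return anything, so on these errors the method appears to fall off its end and return `None`; the next visible line is already the following `@classmethod`. The sibling branches return a `(False, message)` tuple, so a caller that unpacks the result would raise `TypeError` during login when the directory is unreachable, instead of treating it as a failed bind. Keep the tuple contract by ending each new branch with a return after its `log.error(...)` call, for example `return False, u'ldap is down'`. The method starts outside this hunk, so check its callers to confirm how the result is consumed.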