From 5de1e98d3c7789255b055cad98933606ee021b98 Mon Sep 17 00:00:00 2001
From: Joseph Schorr
Date: Fri, 22 Jul 2016 14:40:53 -0400
Subject: [PATCH] Fix LDAP DN building for empty RDN list
---
 data/users/externalldap.py | 9 +++++++--
 test/test_ldap.py | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/data/users/externalldap.py b/data/users/externalldap.py
index ad885b8eb..33d58c813 100644
--- a/data/users/externalldap.py
+++ b/data/users/externalldap.py
@@ -60,8 +60,13 @@ class LDAPUsers(FederatedUsers):
 # Note: user_rdn is a list of RDN pieces (for historical reasons), and secondary_user_rds
 # is a list of RDN strings.
 relative_user_dns = [','.join(user_rdn)] + (secondary_user_rdns or [])
- self._user_dns = [','.join(relative_dn.split(',') + base_dn)
- for relative_dn in relative_user_dns]
+
+ def get_full_rdn(relative_dn):
+ prefix = relative_dn.split(',') if relative_dn else []
+ return ','.join(prefix + base_dn)
+
+ # Create the set of full DN paths.
+ self._user_dns = [get_full_rdn(relative_dn) for relative_dn in relative_user_dns]
 def _get_ldap_referral_dn(self, referral_exception):
 logger.debug('Got referral: %s', referral_exception.args[0])
diff --git a/test/test_ldap.py b/test/test_ldap.py
index f00e62a4f..ed3217ed2 100644
--- a/test/test_ldap.py
+++ b/test/test_ldap.py
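Review bot: The nested helper `get_full_rdn` in the externalldap.py hunk returns a complete DN (the relative part joined with `base_dn`), not an RDN, so a name such as `get_full_dn` would match what it builds and the "full DN paths" comment beneath it. The empty-`relative_dn` branch also deserves a comment, because an empty `user_rdn` now puts `base_dn` itself into `_user_dns`; something like `# An empty relative DN resolves to base_dn itself, so user lookups then start at the root of the configured base.` How wide that lookup becomes depends on the search scope used elsewhere in the class, which is not visible here, so it is worth confirming that accounts outside the intended user OUs cannot authenticate through it. The enclosing method starts above the hunk.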
@@ -176,6 +176,28 @@ class TestLDAP(unittest.TestCase):
 (response, _) = self.ldap.verify_and_link_user('multientry', 'somepass')
 self.assertEquals(response.username, 'multientry')
+ def test_login_empty_userdn(self):
+ base_dn = ['ou=employees', 'dc=quay', 'dc=io']
+ admin_dn = 'uid=testy,ou=employees,dc=quay,dc=io'
+ admin_passwd = 'password'
+ user_rdn = []
+ uid_attr = 'uid'
+ email_attr = 'mail'
+ secondary_user_rdns = ['ou=otheremployees']
+
+ ldap = LDAPUsers('ldap://localhost', base_dn, admin_dn, admin_passwd, user_rdn,
+ uid_attr, email_attr, secondary_user_rdns=secondary_user_rdns)
+
+ self.ldap = ldap
+
+ # Verify we can login.
+ (response, _) = self.ldap.verify_and_link_user('someuser', 'somepass')
+ self.assertEquals(response.username, 'someuser')
+
+ # Verify we can confirm the user.
+ (response, _) = self.ldap.confirm_existing_user('someuser', 'somepass')
+ self.assertEquals(response.username, 'someuser')
+
 if __name__ == '__main__':
 unittest.main()
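Review bot: `test_login_empty_userdn` only checks that a login succeeds, so it never pins the DN list this fix is about. Asserting it directly would catch a regression to the old leading-comma form, e.g. `self.assertEquals(ldap._user_dns, ['ou=employees,dc=quay,dc=io', 'ou=otheremployees,ou=employees,dc=quay,dc=io'])`. Because an empty `user_rdn` makes the base DN itself a search base, a companion check that a wrong password for `someuser` is still rejected would also be useful. The failure return shape of `verify_and_link_user` is not visible in this hunk, so that check is described here rather than quoted.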