From 0bed9d5b01441876c194eb465e9ac4bf59e3d2fd Mon Sep 17 00:00:00 2001
From: Gou Zhuang <gouzhuang@gmail.com>
Date: Sun, 17 Dec 2017 17:29:10 +0800
Subject: [PATCH] handle NULL search result for group dn

---
 ngx_http_auth_ldap_module.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/ngx_http_auth_ldap_module.c b/ngx_http_auth_ldap_module.c
index 18d359b..e2f5ef7 100644
--- a/ngx_http_auth_ldap_module.c
+++ b/ngx_http_auth_ldap_module.c
@@ -2154,7 +2154,13 @@ ngx_http_auth_ldap_check_group(ngx_http_request_t *r, ngx_http_auth_ldap_ctx_t *
     /* Handle result of the search started during previous call */
     if (ctx->iteration > 0) {
         ctx->group_dn.data = ctx->dn.data;
-        if (ctx->group_dn.data != NULL) {
+        if (ctx->group_dn.data == NULL) {
+            ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "http_auth_ldap: ldap_search_ext() returned NULL result");
+            if (ctx->server->satisfy_all == 1) {
+                ctx->outcome = OUTCOME_DENY;
+                return NGX_DECLINED;
+            }
+        } else {
             if (ctx->error_code == LDAP_SUCCESS) {
                 if (ctx->server->satisfy_all == 0) {
                     ctx->outcome = OUTCOME_ALLOW;