From d64a3e33cc06fafdd361fef5be6c15b1eb34c530 Mon Sep 17 00:00:00 2001
From: Ramkumar Chinchani
Date: Wed, 15 Jan 2020 09:37:17 -0800
Subject: [PATCH] authN: first try local htpasswd then LDAP

We are noticing that LDAP connectivity issues and timeouts can affect authN behavior from client side (which can timeout as well). Instead, put local authN first so at least we have a reliable authN method. But, the caveat is that it is best if the local and LDAP user list doesn't overlap.
---
 pkg/api/auth.go | 28 +++++++++++++---------------
 1 file changed, 13 insertions(+), 15 deletions(-)

diff --git a/pkg/api/auth.go b/pkg/api/auth.go
index d38272b92..729ea2c7e 100644
--- a/pkg/api/auth.go
+++ b/pkg/api/auth.go
@@ -142,7 +142,17 @@ func BasicAuthHandler(c *Controller) mux.MiddlewareFunc {
 			username := pair[0]
 			passphrase := pair[1]
 
-			// prefer LDAP if configured
+			// first, HTTPPassword authN (which is local)
+			passphraseHash, ok := credMap[username]
+			if ok {
+				if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err == nil {
+					// Process request
+					next.ServeHTTP(w, r)
+					return
+				}
+			}
+
+			// next, LDAP if configured (network-based which can lose connectivity)
 			if c.Config.HTTP.Auth != nil && c.Config.HTTP.Auth.LDAP != nil {
 				ok, _, err := ldapClient.Authenticate(username, passphrase)
 				if ok && err == nil {
@@ -152,20 +162,8 @@ func BasicAuthHandler(c *Controller) mux.MiddlewareFunc {
 				}
 			}
 
-			// fallback to HTTPPassword
-			passphraseHash, ok := credMap[username]
-			if !ok {
-				authFail(w, realm, delay)
-				return
-			}
-
-			if err := bcrypt.CompareHashAndPassword([]byte(passphraseHash), []byte(passphrase)); err != nil {
-				authFail(w, realm, delay)
-				return
-			}
-
-			// Process request
-			next.ServeHTTP(w, r)
+			authFail(w, realm, delay)
+			return
 		})
 	}
 }
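Review bot: A bcrypt mismatch for a username that exists in credMap now falls through to the LDAP bind instead of failing, so every wrong guess against a local htpasswd account is forwarded to LDAP together with the guessed password, and for a user present in both stores either credential is accepted, which is exactly the overlap caveat the commit message describes. Making the local entry authoritative removes both problems: inside `if ok {`, after the inner `if err := bcrypt.CompareHashAndPassword(...); err == nil { ... }` block, add `authFail(w, realm, delay)` and `return` so only usernames absent from the htpasswd file ever reach `ldapClient.Authenticate`. Note that bcrypt still runs only for locally known usernames, so response time still distinguishes them from unknown ones; that is unchanged from the old code. BasicAuthHandler and the enclosing HandlerFunc closure start before this hunk and the LDAP `if` body continues past it.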
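Review bot: The unconditional `authFail(w, realm, delay)` tail now answers both an LDAP bind that was rejected and one that failed with an error, which is the connectivity case this commit is motivated by, while the `err` returned by `ldapClient.Authenticate` in the preceding hunk is only tested for nil. A generic failure is the right client-facing response, but the handler should log a non-nil LDAP `err` server-side before reaching this tail so operators can tell a timeout from bad credentials; the lines between the two hunks are not visible, so disregard this if they already do. The closure this tail belongs to starts before the hunk.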