authlib: Avoid following LDAP referrals

nipap/nipap.conf.dist

@@ -113,7 +113,7 @@ db_path = /etc/nipap/local_auth.db     ; path to SQLite database used
 #
 #basedn = ou=Users,dc=example,dc=com       ; base DN
 #uri = ldaps://ldap.example.com            ; LDAP server URI
-#tls = False                            ; initiate TLS, use ldap://
+#tls = false                               ; initiate TLS, use ldap://
 #
 # LDAP style
 #binddn_fmt = uid={},ou=Users,dc=example,dc=com
@@ -209,4 +209,4 @@ secret_key = {{WWW_SECRET_KEY}}
 # Specify OTLP HTTP endpoint. Used to send traces to OpenTelemetry Collector but also used when proxying traces to OpenTelemetry-Collector from nipap-cli
 # otlp_http_endpoint=http://opentelemetry-collector:4318/v1/traces
 # Set sampler. Valid values are always_on, always_off, parentbased_always_on, parentbased_always_off, traceidratio and parentbased_traceidratio. Default is parentbased_always_on.
-# otel_traces_sampler = always_on
+# otel_traces_sampler = always_on

nipap/nipap/authlib.py

@@ -486,6 +486,10 @@ def __init__(self, name, username, password, authoritative_source, auth_options=
             self._logger.error('Unable to load Python ldap module, please verify it is installed')
             raise AuthError('Unable to authenticate')
 
+        # Avoid following referrals for now, as NIPAP doesn't support
+        # initializing a separate connection for them anyway.
+        ldap.set_option(ldap.OPT_REFERRALS, ldap.OPT_OFF)
+
         self._logger.debug('LDAP URI: ' + self._ldap_uri)
         self._ldap_conn = ldap.initialize(self._ldap_uri)
 
@@ -578,7 +582,8 @@ def authenticate(self):
                         self.readonly = True
 
         except ldap.LDAPError as exc:
-            raise AuthError(exc)
+            self._logger.error("Got LDAP error: %s", exc)
+            raise AuthError("LDAP server returned an error")
         except KeyError:
             raise AuthError('LDAP attribute missing')
         except IndexError: