Allow authinticatied bind for listing LDAP groups

salt/auth/ldap.py

@@ -292,8 +292,9 @@ def auth(username, password):
     if _config('binddn', mandatory=False) and _config('bindpw', mandatory=False):
         bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
     else:
-        bind = _bind(username, password, anonymous=_config('auth_by_group_membership_only', mandatory=False) and
-                                        _config('anonymous', mandatory=False))
+        bind = _bind(username, password,
+                     anonymous=_config('auth_by_group_membership_only', mandatory=False)
+                     and _config('anonymous', mandatory=False))
 
     if bind:
         log.debug('LDAP authentication successful')
@@ -320,8 +321,13 @@ def groups(username, **kwargs):
     '''
     group_list = []
 
-    # Perform un-authenticated bind to determine group membership
-    bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
+    # If bind credentials are configured, use them instead of user's
+    if _config('binddn', mandatory=False) and _config('bindpw', mandatory=False):
+        bind = _bind_for_search(anonymous=_config('anonymous', mandatory=False))
+    else:
+        bind = _bind(username, kwargs.get('password', ''),
+                     anonymous=_config('auth_by_group_membership_only', mandatory=False)
+                     and _config('anonymous', mandatory=False))
 
     if bind:
         log.debug('ldap bind to determine group membership succeeded!')