From d1198fc6c12ce3773694f38483dea54bec09f55c Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 23 Jun 2021 00:24:05 +0200
Subject: [PATCH] sources/ldap: improve error handling when checking for password complexity on non-ad setups
Signed-off-by: Jens Langhammer #1067
---
 authentik/sources/ldap/password.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/authentik/sources/ldap/password.py b/authentik/sources/ldap/password.py
index 65c042b68..24c064cfc 100644
--- a/authentik/sources/ldap/password.py
+++ b/authentik/sources/ldap/password.py
@@ -60,14 +60,21 @@ class LDAPPasswordChanger:
 def check_ad_password_complexity_enabled(self) -> bool:
 """Check if DOMAIN_PASSWORD_COMPLEX is enabled"""
 root_dn = self.get_domain_root_dn()
- root_attrs = self._source.connection.extend.standard.paged_search(
- search_base=root_dn,
- search_filter="(objectClass=*)",
- search_scope=ldap3.BASE,
- attributes=["pwdProperties"],
- )
+ try:
+ root_attrs = self._source.connection.extend.standard.paged_search(
+ search_base=root_dn,
+ search_filter="(objectClass=*)",
+ search_scope=ldap3.BASE,
+ attributes=["pwdProperties"],
+ )
+ except ldap3.core.exceptions.LDAPAttributeError:
+ return False
 root_attrs = list(root_attrs)[0]
- pwd_properties = PwdProperties(root_attrs["attributes"]["pwdProperties"])
+ raw_pwd_properties = root_attrs.get("attributes", {}).get("pwdProperties", None)
+ if raw_pwd_properties is None:
+ return False
+
+ pwd_properties = PwdProperties(raw_pwd_properties)
 if PwdProperties.DOMAIN_PASSWORD_COMPLEX in pwd_properties:
 return True
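Review bot: The context line `root_attrs = list(root_attrs)[0]` stays outside the new `try`, so the added handler likely does not catch what it is meant to. As far as I know, ldap3's `paged_search` returns a lazy generator by default, which would mean the search only runs when `list(...)` consumes it; an `LDAPAttributeError` would then still propagate, and an empty result raises `IndexError` on `[0]`. Moving that line into the `try` and widening the handler to `except (ldap3.core.exceptions.LDAPAttributeError, IndexError):` would cover both cases. Each early `return False` also reports complexity as not enabled without leaving a trace, so a debug log naming the branch taken would let operators tell a non-AD directory from a failed lookup. The function's final lines fall outside the hunk.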