From 70b185fe3d349f9cf3a58e49de34f3bd04be6d52 Mon Sep 17 00:00:00 2001
From: Vartan Simonian
Date: Sun, 25 Oct 2015 23:14:53 -0700
Subject: [PATCH 1/2] Use correct variable when checking for LDAP groups

`connectUser` is the user object as defined by Anvil Connect, which does not contain `_groups`. `user` is the user object returned by the AD/LDAP client, which contains `_groups`.
---
 protocols/LDAP.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/protocols/LDAP.js b/protocols/LDAP.js
index 5b775174..a37ea025 100644
--- a/protocols/LDAP.js
+++ b/protocols/LDAP.js
@@ -66,7 +66,7 @@ function verifier (provider, config) {
 User.connect(req, null, user, function (err, connectUser, info) {
 if (err) { return done(err) }
- if (connectUser && connectUser._groups) {
+ if (connectUser && user._groups) {
 // Put the distinguished names of the directory server groups the user is
 // in into an array.
 var rolesToAdd = user._groups.map(function (group) {

From d5dbcb1552607085368a0272d97467fcec08fa9f Mon Sep 17 00:00:00 2001
From: Vartan Simonian
Date: Sun, 25 Oct 2015 23:23:50 -0700
Subject: [PATCH 2/2] Ensure AD/LDAP roles exist before assigning to user

Prior, a user with AD/LDAP groups without equivalent roles in Anvil Connect would still have those roles assigned, creating user-to-role relations in the database that referred to non-existent roles. This in turn caused errors elsewhere in the server whenever the roles were enumerated, in particular when attempting to dereference the `name` property of a null role.
---
 protocols/LDAP.js | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/protocols/LDAP.js b/protocols/LDAP.js
index a37ea025..243d8cfa 100644
--- a/protocols/LDAP.js
+++ b/protocols/LDAP.js
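Review bot: The corrected guard `if (connectUser && user._groups)` only checks that `_groups` is truthy, yet the very next context line calls `user._groups.map(...)`, so any truthy non-array value would throw inside an asynchronous callback where it cannot be routed to `done(err)`. Whether the AD/LDAP client can ever hand back `_groups` as a single string or object rather than an array is not visible in this hunk; if it can, `if (connectUser && Array.isArray(user._groups)) {` is the safer check and costs nothing when it is always an array. Since the condition now mixes two different user objects, a one-line comment such as `// connectUser is the Anvil Connect record; user is the raw directory entry carrying _groups` would save the next reader the trip to the commit message. The enclosing `verifier` function and the `User.connect` callback both start and end outside the hunk.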
@@ -116,10 +116,15 @@ function verifier (provider, config) {
 function (next) {
 async.each(rolesToAdd, function (roleName, callback) {
- User.addRoles(connectUser, roleName, function (err, result) {
+ Role.get(roleName, function (err, role) {
 if (err) { return callback(err) }
- rolesToAdd.splice(rolesToAdd.indexOf(roleName), 1)
- callback()
+ if (!role) { return callback() }
+
+ User.addRoles(connectUser, roleName, function (err, result) {
+ if (err) { return callback(err) }
+ rolesToAdd.splice(rolesToAdd.indexOf(roleName), 1)
+ callback()
+ })
 })
 }, next)
 },
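Review bot: The new `if (!role) { return callback() }` drops a directory group that has no matching Anvil Connect role without leaving any trace, so an operator asking why an AD/LDAP user did not receive an expected role has nothing in the logs to go on; since this is the point where directory membership turns into application authorization, a debug-level line such as `if (!role) { log.debug('LDAP group ' + roleName + ' has no matching role; skipping'); return callback() }` is worth the extra line, provided the file has a logger in scope (none is visible here). Note also that `rolesToAdd.splice(...)` still runs only after a successful `addRoles`, so skipped names now remain in `rolesToAdd` next to any that failed; if code after the hunk reads that residue, it can no longer tell the two cases apart. `Role` must already be required at the top of the file, which is outside this hunk, as is the start of the enclosing `function (next)` step.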