providers/ldap: fix inconsistent saving of user flags on failed cached binds (#6096)

* feat: assign invalid pk and check

* fix: only set flags if they don't exist

* fix: userinfo not being set if data is available

* minor cleanup

Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Daniel
2023-06-29 16:57:11 +02:00
committed by Jens Langhammer
parent 04d0bd7fb7
commit ad81ee2740
3 changed files with 25 additions and 15 deletions


@ -36,8 +36,15 @@ func (db *DirectBinder) Bind(username string, req *bind.Request) (ldap.LDAPResul
passed, err := fe.Execute()
flags := flags.UserFlags{
Session: fe.GetSession(),
UserPk: flags.InvalidUserPK,
}
// only set flags if we don't have flags for this DN yet
// as flags are only checked during the bind, we can remember whether a certain DN
// can search or not, as if they bind correctly first and then use incorrect credentials
// later, they won't get past this step anyways
if db.si.GetFlags(req.BindDN) == nil {
db.si.SetFlags(req.BindDN, &flags)
}
db.si.SetFlags(req.BindDN, &flags)
if err != nil {
metrics.RequestsRejected.With(prometheus.Labels{
"outpost_name": db.si.GetOutpostName(),
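Review bot: The `GetFlags(req.BindDN) == nil` guard keeps whatever entry was stored first, and the store happens before the `err != nil` check, so a DN whose first bind fails is recorded with `UserPk: flags.InvalidUserPK` and a later successful bind for the same DN never replaces it — unless something outside this hunk clears the entry on a rejected bind, which I cannot see here. The comment only justifies the success-then-failure direction; to cover the other one, allow a successful bind to overwrite: `if db.si.GetFlags(req.BindDN) == nil || passed {` (assuming `passed` is the bool result of `fe.Execute()`). Separately, the local `flags := flags.UserFlags{...}` shadows the `flags` package for the rest of `Bind`; `flags.InvalidUserPK` inside the literal still resolves to the package only because the new variable is not in scope until the statement ends, which is easy to misread — consider `uf := flags.UserFlags{...}` and `db.si.SetFlags(req.BindDN, &uf)`. `Bind` starts and ends outside the hunk.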