From 605713a18160592bd5f59a07eb08d06b180eb3e9 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Wed, 17 Jun 2020 11:28:05 +0200
Subject: [PATCH] better error messages on login

---
 lam/lib/account.inc | 5 +-
 lam/lib/ldap.inc | 49 ++++++++++-----
 lam/templates/login.php | 133 ++++++++++++++++++----------------------
 3 files changed, 96 insertions(+), 91 deletions(-)

diff --git a/lam/lib/account.inc b/lam/lib/account.inc
index 2e4f2322..2f6ee42b 100644
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -1487,8 +1487,9 @@ function getDefaultLDAPErrorString($server) {
 logNewMessage(LOG_DEBUG, 'Password change failed because of ' . $extError);
 $extError = _('Your password does not meet the password strength qualifications. Please retry with another one.');
 }
- $message = _('LDAP error, server says:') . ' ' . ldap_error($server);
- if (!empty($extError)) {
+ $genericErrorMessage = ldap_error($server);
+ $message = _('LDAP error, server says:') . ' ' . $genericErrorMessage;
+ if (!empty($extError) && ($genericErrorMessage != $extError)) {
 $message .= ' - ' . $extError;
 }
 return $message;
diff --git a/lam/lib/ldap.inc b/lam/lib/ldap.inc
index db99d3a9..5c7db093 100644
--- a/lam/lib/ldap.inc
+++ b/lam/lib/ldap.inc
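Review bot: The new `$genericErrorMessage != $extError` guard compares two strings loosely; `!==` states the intent (append the extended text only when it is not byte-identical to ldap_error()) without PHP's numeric-string comparison rules getting involved, i.e. `if (!empty($extError) && ($genericErrorMessage !== $extError)) {`. The enclosing getDefaultLDAPErrorString() starts outside the hunk, so it is not visible here whether $extError is always a string when this line is reached.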
@@ -67,19 +67,19 @@ class Ldap{
 }

 /**
- * Connects to the server using the given username and password
- *
- * @param string $user user name
- * @param string $passwd password
- * @param boolean $allowAnonymous specifies if anonymous binds are allowed
- * @return mixed if connect succeeds the 0 is returned, else false or error number
- */
+ * Connects to the server using the given username and password
+ *
+ * @param string $user user name
+ * @param string $passwd password
+ * @param boolean $allowAnonymous specifies if anonymous binds are allowed
+ * @throws LAMException unable to connect
+ */
 public function connect($user, $passwd, $allowAnonymous=false) {
 // close any prior connection
 @$this->close();
 // do not allow anonymous bind
 if (!$allowAnonymous && ((!$user)||($user == "")||(!$passwd))) {
- return false;
+ throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
 }
 // save password und username encrypted
 $this->encrypt_login($user, $passwd);
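Review bot: The new throw for the empty-credentials case reuses the exact "Cannot connect to specified LDAP server" text that the bind-failure path uses later in this method, so an admin reading the login page cannot tell a refused anonymous bind from an unreachable server, and unlike the other failure paths added in this commit this branch writes nothing to the log. I would log before throwing, e.g. `logNewMessage(LOG_DEBUG, 'Rejected bind with empty user name or password (anonymous bind not allowed)');`, and make the docblock precise: `@throws LAMException if anonymous bind is not allowed and user name or password is empty, or if the bind fails`. The body of connect() continues past the end of this hunk.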
@@ -94,17 +94,29 @@ class Ldap{
 if ($bind) {
 $return = ldap_errno($this->server);
 $this->is_connected = true;
- // return success number
- return $return;
+ return;
 }
 // return error number
+ $errorNumber = ldap_errno($this->server);
+ $clientSource = empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR'];
+ if (($errorNumber === False)
+ || ($errorNumber == 81)) {
+ // connection failed
+ logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
+ throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
+ }
+ elseif ($errorNumber == 49) {
+ // user name/password invalid. Return to login page.
+ logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (wrong password). ' . getDefaultLDAPErrorString($this->server));
+ throw new LAMException(_("Wrong password/user name combination. Please try again."), getDefaultLDAPErrorString($this->server));
+ }
 else {
- return ldap_errno($this->server);
+ // other errors
+ logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
+ throw new LAMException(_("LDAP error, server says:"), "($errorNumber) " . getDefaultLDAPErrorString($this->server));
 }
 }
- else {
- return false;
- }
+ throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
 }

 /** Closes connection to server */
@@ -121,8 +133,13 @@ class Ldap{
 */
 public function server() {
 if (!$this->is_connected) {
- $this->connect($this->getUserName(), $this->getPassword());
- $this->is_connected = true;
+ try {
+ $this->connect($this->getUserName(), $this->getPassword());
+ $this->is_connected = true;
+ }
+ catch (LAMException $e) {
+ logNewMessage(LOG_ERR, $e->getTitle() . ' ' . $e->getMessage());
+ }
 }
 return $this->server;
 }
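Review bot: In the `$errorNumber == 49` branch the second LAMException argument carries `getDefaultLDAPErrorString($this->server)` out of connect(), and both catch blocks this commit adds to login.php render `$e->getMessage()` on the login page, so the directory server's diagnostic text for a failed bind reaches an unauthenticated client. For error 49 that diagnostic text can differ depending on whether the account exists, is disabled or simply has a wrong password, which would let a visitor tell valid user names from invalid ones; the same text is already written to the log one line above, which is the right place for it. I would keep the user-facing exception to its title, `throw new LAMException(_("Wrong password/user name combination. Please try again."));`, and weigh the same trade-off for the `($errorNumber) ` detail in the other-errors branch. Separately, `$return = ldap_errno($this->server);` in the success branch is now dead since `return $return;` became `return;`.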
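Review bot: After the new catch in server() logs the LAMException, execution falls through to `return $this->server;`, so callers receive a handle whose bind did not succeed with no signal beyond the log line, and because `$this->is_connected` stays false every later server() call repeats the bind attempt and the log entry. If swallowing is intended, the docblock above (its opening is outside the hunk) should say so, e.g. `If the lazy connect fails, the error is only logged and the unbound handle is returned.`; otherwise rethrow after logging so the caller can surface the failure.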
diff --git a/lam/templates/login.php b/lam/templates/login.php
index 4cb74df6..29281410 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -11,6 +11,7 @@ use \htmlGroup;
 use \htmlInputCheckbox;
 use \htmlButton;
 use \htmlStatusMessage;
+use LAMException;
 use \Ldap;
 use \htmlResponsiveRow;
 use \htmlDiv;
@@ -170,12 +171,13 @@ $manifestUrl = preg_replace('/\\?.*/', '', $manifestUrl);
 $_SESSION['header'] .= '';

 /**
-* Displays the login window.
-*
-* @param \LAM\ENV\LAMLicenseValidator $licenseValidator license validator
-* @param string $error_message error message to display
-*/
-function display_LoginPage($licenseValidator, $error_message) {
+ * Displays the login window.
+ *
+ * @param \LAM\ENV\LAMLicenseValidator $licenseValidator license validator
+ * @param string $error_message error message to display
+ * @param string $errorDetails error details
+ */
+function display_LoginPage($licenseValidator, $error_message, $errorDetails = null) {
 $config_object = $_SESSION['config'];
 $cfgMain = $_SESSION["cfgMain"];
 logNewMessage(LOG_DEBUG, "Display login page");
@@ -405,7 +407,7 @@ function display_LoginPage($licenseValidator, $error_message) {
 // error message
 if(!empty($error_message)) {
 $row->add(new \htmlSpacer(null, '5px'), 12);
- $message = new htmlStatusMessage('ERROR', $error_message);
+ $message = new htmlStatusMessage('ERROR', $error_message, $errorDetails);
 $message->colspan = 3;
 $row->add($message, 12);
 }
@@ -506,7 +508,7 @@ if(isset($_POST['checklogin'])) {
 // search user in LDAP if needed
 if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) {
 $searchFilter = $_SESSION['config']->getLoginSearchFilter();
- $searchFilter = str_replace('%USER%', $username ,$searchFilter);
+ $searchFilter = str_replace('%USER%', $username, $searchFilter);
 $searchDN = '';
 $searchPassword = '';
 $configLoginSearchDn = $_SESSION['config']->getLoginSearchDN();
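Review bot: The new `@param string $errorDetails error details` does not match the `= null` default on the signature; `@param string|null $errorDetails error details (e.g. LDAP server message), rendered below the error message` would tell readers the argument is optional and where the text ends up. Since $errorDetails is handed to htmlStatusMessage in the hunk at line 405 and the values this commit feeds in are the LDAP server's error strings, it is worth confirming that htmlStatusMessage escapes its third argument the same way as the message; that class is not visible here.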
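Review bot: The retouched `str_replace('%USER%', $username, $searchFilter)` still substitutes the raw submitted login name into an LDAP filter; unless $username was already passed through ldap_escape() earlier in this file (not visible in the diff), filter metacharacters in the name change the meaning of the search. The escaping belongs on this line, `$searchFilter = str_replace('%USER%', ldap_escape($username, '', LDAP_ESCAPE_FILTER), $searchFilter);`, independent of what the surrounding search code does. The enclosing `if(isset($_POST['checklogin']))` block starts outside the hunk.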
@@ -517,57 +519,58 @@ if(isset($_POST['checklogin'])) {
 $searchSuccess = true;
 $searchError = '';
 $searchLDAP = new Ldap($_SESSION['config']);
- $searchLDAPResult = $searchLDAP->connect($searchDN, $searchPassword, true);
- if (! ($searchLDAPResult == 0)) {
- $searchSuccess = false;
- $searchError = _('Cannot connect to specified LDAP server. Please try again.') . ' ' . getDefaultLDAPErrorString($searchLDAP->server());
- }
- else {
- $searchResult = ldap_search($searchLDAP->server(), $_SESSION['config']->getLoginSearchSuffix(), $searchFilter, array('dn'), 0, 0, 0, LDAP_DEREF_NEVER);
- if ($searchResult) {
- $searchInfo = ldap_get_entries($searchLDAP->server(), $searchResult);
- if ($searchInfo) {
- cleanLDAPResult($searchInfo);
- if (sizeof($searchInfo) == 0) {
- $searchSuccess = false;
- $searchError = _('Wrong password/user name combination. Please try again.');
- }
- elseif (sizeof($searchInfo) > 1) {
- $searchSuccess = false;
- $searchError = _('The given user name matches multiple LDAP entries.');
- }
- else {
- $username = $searchInfo[0]['dn'];
- }
- }
- else {
- $searchSuccess = false;
- $searchError = _('Unable to find the user name in LDAP.');
- if (ldap_errno($searchLDAP->server()) != 0) {
- $searchError .= ' ' . getDefaultLDAPErrorString($searchLDAP->server());
- }
- }
+ try {
+ $searchLDAP->connect($searchDN, $searchPassword, true);
+ $searchResult = ldap_search($searchLDAP->server(), $_SESSION['config']->getLoginSearchSuffix(), $searchFilter, array('dn'), 0, 0, 0, LDAP_DEREF_NEVER);
+ if ($searchResult) {
+ $searchInfo = ldap_get_entries($searchLDAP->server(), $searchResult);
+ if ($searchInfo) {
+ cleanLDAPResult($searchInfo);
+ if (sizeof($searchInfo) == 0) {
+ $searchSuccess = false;
+ $searchError = _('Wrong password/user name combination. Please try again.');
+ }
+ elseif (sizeof($searchInfo) > 1) {
+ $searchSuccess = false;
+ $searchError = _('The given user name matches multiple LDAP entries.');
+ }
+ else {
+ $username = $searchInfo[0]['dn'];
+ }
+ }
+ else {
+ $searchSuccess = false;
+ $searchError = _('Unable to find the user name in LDAP.');
+ if (ldap_errno($searchLDAP->server()) != 0) {
+ $searchError .= ' ' . getDefaultLDAPErrorString($searchLDAP->server());
+ }
+ }
+ }
+ else {
+ $searchSuccess = false;
+ $searchError = _('Unable to find the user name in LDAP.');
+ if (ldap_errno($searchLDAP->server()) != 0) {
+ $searchError .= ' ' . getDefaultLDAPErrorString($searchLDAP->server());
+ }
+ }
+ if (!$searchSuccess) {
+ $error_message = $searchError;
+ logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in. ' . $searchError . '');
+ $searchLDAP->close();
+ display_LoginPage($licenseValidator, $error_message);
+ exit();
 }
- else {
- $searchSuccess = false;
- $searchError = _('Unable to find the user name in LDAP.');
- if (ldap_errno($searchLDAP->server()) != 0) {
- $searchError .= ' ' . getDefaultLDAPErrorString($searchLDAP->server());
- }
- }
- }
- if (!$searchSuccess) {
- $error_message = $searchError;
- logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in. ' . $searchError . '');
 $searchLDAP->close();
- display_LoginPage($licenseValidator, $error_message);
- exit();
 }
- $searchLDAP->close();
+ catch (LAMException $e) {
+ $searchLDAP->close();
+ display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage());
+ exit();
+ }
 }
 // try to connect to LDAP
- $result = $_SESSION['ldap']->connect($username, $password); // Connect to LDAP server for verifying username/password
- if($result === 0) {// Username/password correct. Do some configuration and load main frame.
+ try {
+ $_SESSION['ldap']->connect($username, $password); // Connect to LDAP server for verifying username/password
 $_SESSION['loggedIn'] = true;
 // set security settings for session
 $_SESSION['sec_session_id'] = session_id();
@@ -586,26 +589,10 @@ if(isset($_POST['checklogin'])) {
 }
 die();
 }
- else {
- if (($result === False)
- || ($result == 81)) {
- // connection failed
- $error_message = _("Cannot connect to specified LDAP server. Please try again.");
- logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
- }
- elseif ($result == 49) {
- // user name/password invalid. Return to login page.
- $error_message = _("Wrong password/user name combination. Please try again.");
- logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (wrong password).');
- }
- else {
- // other errors
- $error_message = _("LDAP error, server says:") . "\n($result) " . ldap_err2str($result);
- logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
- }
- display_LoginPage($licenseValidator, $error_message);
+ catch (LAMException $e) {
+ display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage());
 exit();
- }
+ }
 }

 //displays the login window
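Review bot: The new catch in the search branch hands `$e->getTitle()` straight to display_LoginPage, but this exception comes from connect() binding with the configured search DN, so when that configured password is wrong the visitor is told "Wrong password/user name combination" about credentials they never entered, and the `$e->getMessage()` detail describes the search account rather than the user. I would log the exception here and show a message that does not depend on the search account, e.g. `logNewMessage(LOG_ERR, 'Login search bind failed: ' . $e->getTitle() . ' ' . $e->getMessage());` followed by `display_LoginPage($licenseValidator, _('Cannot connect to specified LDAP server. Please try again.'));`. The enclosing `if(isset($_POST['checklogin']))` block starts outside the hunk.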
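Review bot: The `try` opened at the `$_SESSION['ldap']->connect($username, $password);` line now encloses the whole post-login setup beginning with `$_SESSION['loggedIn'] = true;` and running to `die();` (most of it outside the hunk), so any LAMException raised by that setup code would be reported by this catch as a login failure with its message rendered as details, which the removed else branch never did. Narrowing the try to the single connect() call and leaving the setup after the try/catch keeps the catch specific to bind errors. The enclosing `if(isset($_POST['checklogin']))` block starts outside the hunk.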