WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

better error messages on login

This commit is contained in:
Roland Gruber 2020-06-17 11:28:05 +02:00
parent fd8e7c1de3
commit 605713a181
3 changed files with 96 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lam/lib/account.inc
View File

@ -1487,8 +1487,9 @@ function getDefaultLDAPErrorString($server) {
logNewMessage(LOG_DEBUG, 'Password change failed because of ' . $extError); logNewMessage(LOG_DEBUG, 'Password change failed because of ' . $extError);
$extError = _('Your password does not meet the password strength qualifications. Please retry with another one.'); $extError = _('Your password does not meet the password strength qualifications. Please retry with another one.');
} }
$message = _('LDAP error, server says:') . ' ' . ldap_error($server); $genericErrorMessage = ldap_error($server);
if (!empty($extError)) { $message = _('LDAP error, server says:') . ' ' . $genericErrorMessage;
if (!empty($extError) && ($genericErrorMessage != $extError)) {
$message .= ' - ' . $extError; $message .= ' - ' . $extError;
} }
return $message; return $message;

49
lam/lib/ldap.inc
View File

@ -67,19 +67,19 @@ class Ldap{
} }
/** /**
* Connects to the server using the given username and password * Connects to the server using the given username and password
* *
* @param string $user user name * @param string $user user name
* @param string $passwd password * @param string $passwd password
* @param boolean $allowAnonymous specifies if anonymous binds are allowed * @param boolean $allowAnonymous specifies if anonymous binds are allowed
* @return mixed if connect succeeds the 0 is returned, else false or error number * @throws LAMException unable to connect
*/ */
public function connect($user, $passwd, $allowAnonymous=false) { public function connect($user, $passwd, $allowAnonymous=false) {
// close any prior connection // close any prior connection
@$this->close(); @$this->close();
// do not allow anonymous bind // do not allow anonymous bind
if (!$allowAnonymous && ((!$user)||($user == "")||(!$passwd))) { if (!$allowAnonymous && ((!$user)||($user == "")||(!$passwd))) {
return false; throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
} }
// save password und username encrypted // save password und username encrypted
$this->encrypt_login($user, $passwd); $this->encrypt_login($user, $passwd);
@ -94,17 +94,29 @@ class Ldap{
if ($bind) { if ($bind) {
$return = ldap_errno($this->server); $return = ldap_errno($this->server);
$this->is_connected = true; $this->is_connected = true;
// return success number return;
return $return;
} }
// return error number // return error number
$errorNumber = ldap_errno($this->server);
$clientSource = empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR'];
if (($errorNumber === False)
|| ($errorNumber == 81)) {
// connection failed
logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
}
elseif ($errorNumber == 49) {
// user name/password invalid. Return to login page.
logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (wrong password). ' . getDefaultLDAPErrorString($this->server));
throw new LAMException(_("Wrong password/user name combination. Please try again."), getDefaultLDAPErrorString($this->server));
}
else { else {
return ldap_errno($this->server); // other errors
logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
throw new LAMException(_("LDAP error, server says:"), "($errorNumber) " . getDefaultLDAPErrorString($this->server));
} }
} }
else { throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
return false;
}
} }
/** Closes connection to server */ /** Closes connection to server */
@ -121,8 +133,13 @@ class Ldap{
*/ */
public function server() { public function server() {
if (!$this->is_connected) { if (!$this->is_connected) {
$this->connect($this->getUserName(), $this->getPassword()); try {
$this->is_connected = true; $this->connect($this->getUserName(), $this->getPassword());
$this->is_connected = true;
}
catch (LAMException $e) {
logNewMessage(LOG_ERR, $e->getTitle() . ' ' . $e->getMessage());
}
} }
return $this->server; return $this->server;
} }

133
lam/templates/login.php
View File

@ -11,6 +11,7 @@ use \htmlGroup;
use \htmlInputCheckbox; use \htmlInputCheckbox;
use \htmlButton; use \htmlButton;
use \htmlStatusMessage; use \htmlStatusMessage;
use LAMException;
use \Ldap; use \Ldap;
use \htmlResponsiveRow; use \htmlResponsiveRow;
use \htmlDiv; use \htmlDiv;
@ -170,12 +171,13 @@ $manifestUrl = preg_replace('/\\?.*/', '', $manifestUrl);
$_SESSION['header'] .= '<link rel="manifest" href="' . $manifestUrl . '/templates/manifest.php" crossorigin="use-credentials">'; $_SESSION['header'] .= '<link rel="manifest" href="' . $manifestUrl . '/templates/manifest.php" crossorigin="use-credentials">';
/** /**
* Displays the login window. * Displays the login window.
* *
* @param \LAM\ENV\LAMLicenseValidator $licenseValidator license validator * @param \LAM\ENV\LAMLicenseValidator $licenseValidator license validator
* @param string $error_message error message to display * @param string $error_message error message to display
*/ * @param string $errorDetails error details
function display_LoginPage($licenseValidator, $error_message) { */
function display_LoginPage($licenseValidator, $error_message, $errorDetails = null) {
$config_object = $_SESSION['config']; $config_object = $_SESSION['config'];
$cfgMain = $_SESSION["cfgMain"]; $cfgMain = $_SESSION["cfgMain"];
logNewMessage(LOG_DEBUG, "Display login page"); logNewMessage(LOG_DEBUG, "Display login page");
@ -405,7 +407,7 @@ function display_LoginPage($licenseValidator, $error_message) {
// error message // error message
if(!empty($error_message)) { if(!empty($error_message)) {
$row->add(new \htmlSpacer(null, '5px'), 12); $row->add(new \htmlSpacer(null, '5px'), 12);
$message = new htmlStatusMessage('ERROR', $error_message); $message = new htmlStatusMessage('ERROR', $error_message, $errorDetails);
$message->colspan = 3; $message->colspan = 3;
$row->add($message, 12); $row->add($message, 12);
} }
@ -506,7 +508,7 @@ if(isset($_POST['checklogin'])) {
// search user in LDAP if needed // search user in LDAP if needed
if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) { if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) {
$searchFilter = $_SESSION['config']->getLoginSearchFilter(); $searchFilter = $_SESSION['config']->getLoginSearchFilter();
$searchFilter = str_replace('%USER%', $username ,$searchFilter); $searchFilter = str_replace('%USER%', $username, $searchFilter);
$searchDN = ''; $searchDN = '';
$searchPassword = ''; $searchPassword = '';
$configLoginSearchDn = $_SESSION['config']->getLoginSearchDN(); $configLoginSearchDn = $_SESSION['config']->getLoginSearchDN();
@ -517,57 +519,58 @@ if(isset($_POST['checklogin'])) {
$searchSuccess = true; $searchSuccess = true;
$searchError = ''; $searchError = '';
$searchLDAP = new Ldap($_SESSION['config']); $searchLDAP = new Ldap($_SESSION['config']);
$searchLDAPResult = $searchLDAP->connect($searchDN, $searchPassword, true); try {
if (! ($searchLDAPResult == 0)) { $searchLDAP->connect($searchDN, $searchPassword, true);
$searchSuccess = false; $searchResult = ldap_search($searchLDAP->server(), $_SESSION['config']->getLoginSearchSuffix(), $searchFilter, array('dn'), 0, 0, 0, LDAP_DEREF_NEVER);
$searchError = _('Cannot connect to specified LDAP server. Please try again.') . ' ' . getDefaultLDAPErrorString($searchLDAP->server()); if ($searchResult) {
} $searchInfo = ldap_get_entries($searchLDAP->server(), $searchResult);
else { if ($searchInfo) {
$searchResult = ldap_search($searchLDAP->server(), $_SESSION['config']->getLoginSearchSuffix(), $searchFilter, array('dn'), 0, 0, 0, LDAP_DEREF_NEVER); cleanLDAPResult($searchInfo);
if ($searchResult) { if (sizeof($searchInfo) == 0) {
$searchInfo = ldap_get_entries($searchLDAP->server(), $searchResult); $searchSuccess = false;
if ($searchInfo) { $searchError = _('Wrong password/user name combination. Please try again.');
cleanLDAPResult($searchInfo); }
if (sizeof($searchInfo) == 0) { elseif (sizeof($searchInfo) > 1) {
$searchSuccess = false; $searchSuccess = false;
$searchError = _('Wrong password/user name combination. Please try again.'); $searchError = _('The given user name matches multiple LDAP entries.');
} }
elseif (sizeof($searchInfo) > 1) { else {
$searchSuccess = false; $username = $searchInfo[0]['dn'];
$searchError = _('The given user name matches multiple LDAP entries.'); }
} }
else { else {
$username = $searchInfo[0]['dn']; $searchSuccess = false;
} $searchError = _('Unable to find the user name in LDAP.');
} if (ldap_errno($searchLDAP->server()) != 0) {
else { $searchError .= ' ' . getDefaultLDAPErrorString($searchLDAP->server());
$searchSuccess = false; }
$searchError = _('Unable to find the user name in LDAP.'); }
if (ldap_errno($searchLDAP->server()) != 0) { }
$searchError .= ' ' . getDefaultLDAPErrorString($searchLDAP->server()); else {
} $searchSuccess = false;
} $searchError = _('Unable to find the user name in LDAP.');
if (ldap_errno($searchLDAP->server()) != 0) {
$searchError .= ' ' . getDefaultLDAPErrorString($searchLDAP->server());
}
}
if (!$searchSuccess) {
$error_message = $searchError;
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in. ' . $searchError . '');
$searchLDAP->close();
display_LoginPage($licenseValidator, $error_message);
exit();
} }
else {
$searchSuccess = false;
$searchError = _('Unable to find the user name in LDAP.');
if (ldap_errno($searchLDAP->server()) != 0) {
$searchError .= ' ' . getDefaultLDAPErrorString($searchLDAP->server());
}
}
}
if (!$searchSuccess) {
$error_message = $searchError;
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in. ' . $searchError . '');
$searchLDAP->close(); $searchLDAP->close();
display_LoginPage($licenseValidator, $error_message);
exit();
} }
$searchLDAP->close(); catch (LAMException $e) {
$searchLDAP->close();
display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage());
exit();
}
} }
// try to connect to LDAP // try to connect to LDAP
$result = $_SESSION['ldap']->connect($username, $password); // Connect to LDAP server for verifying username/password try {
if($result === 0) {// Username/password correct. Do some configuration and load main frame. $_SESSION['ldap']->connect($username, $password); // Connect to LDAP server for verifying username/password
$_SESSION['loggedIn'] = true; $_SESSION['loggedIn'] = true;
// set security settings for session // set security settings for session
$_SESSION['sec_session_id'] = session_id(); $_SESSION['sec_session_id'] = session_id();
@ -586,26 +589,10 @@ if(isset($_POST['checklogin'])) {
} }
die(); die();
} }
else { catch (LAMException $e) {
if (($result === False) display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage());
|| ($result == 81)) {
// connection failed
$error_message = _("Cannot connect to specified LDAP server. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
}
elseif ($result == 49) {
// user name/password invalid. Return to login page.
$error_message = _("Wrong password/user name combination. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (wrong password).');
}
else {
// other errors
$error_message = _("LDAP error, server says:") . "\n<br>($result) " . ldap_err2str($result);
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
}
display_LoginPage($licenseValidator, $error_message);
exit(); exit();
} }
} }
//displays the login window //displays the login window