better error messages on login

lam/lib/account.inc

@@ -1487,8 +1487,9 @@ function getDefaultLDAPErrorString($server) {
 		logNewMessage(LOG_DEBUG, 'Password change failed because of ' . $extError);
 		$extError = _('Your password does not meet the password strength qualifications. Please retry with another one.');
 	}
-	$message = _('LDAP error, server says:') . ' ' . ldap_error($server);
+	$genericErrorMessage = ldap_error($server);
-	if (!empty($extError)) {
+	$message = _('LDAP error, server says:') . ' ' . $genericErrorMessage;
+	if (!empty($extError) && ($genericErrorMessage != $extError)) {
 		$message .= ' - ' . $extError;
 	}
 	return $message;

lam/lib/ldap.inc

@@ -72,14 +72,14 @@ class Ldap{
 	 * @param string $user user name
 	 * @param string $passwd password
 	 * @param boolean $allowAnonymous specifies if anonymous binds are allowed
-	* @return mixed if connect succeeds the 0 is returned, else false or error number
+	 * @throws LAMException unable to connect
 	 */
 	public function connect($user, $passwd, $allowAnonymous=false) {
 		// close any prior connection
 		@$this->close();
 		// do not allow anonymous bind
 		if (!$allowAnonymous && ((!$user)||($user == "")||(!$passwd))) {
-			return false;
+			throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
 		}
 		// save password und username encrypted
 		$this->encrypt_login($user, $passwd);
@@ -94,18 +94,30 @@ class Ldap{
 			if ($bind) {
 				$return = ldap_errno($this->server);
 				$this->is_connected = true;
-				// return success number
+				return;
-				return $return;
 			}
 			// return error number
-			else {
+			$errorNumber = ldap_errno($this->server);
-				return ldap_errno($this->server);
+			$clientSource = empty($_SERVER['REMOTE_ADDR']) ? '' : $_SERVER['REMOTE_ADDR'];
+			if (($errorNumber === False)
+				|| ($errorNumber == 81)) {
+				// connection failed
+				logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
+				throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
 			}
+			elseif ($errorNumber == 49) {
+				// user name/password invalid. Return to login page.
+				logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (wrong password). ' . getDefaultLDAPErrorString($this->server));
+				throw new LAMException(_("Wrong password/user name combination. Please try again."), getDefaultLDAPErrorString($this->server));
 			}
 			else {
-			return false;
+				// other errors
+				logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
+				throw new LAMException(_("LDAP error, server says:"),  "($errorNumber) " . getDefaultLDAPErrorString($this->server));
 			}
 		}
+		throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
+	}
 
 	/** Closes connection to server */
 	public function close() {
@@ -121,9 +133,14 @@ class Ldap{
 	*/
 	public function server() {
 		if (!$this->is_connected) {
+			try {
 				$this->connect($this->getUserName(), $this->getPassword());
 				$this->is_connected = true;
 			}
+			catch (LAMException $e) {
+				logNewMessage(LOG_ERR, $e->getTitle() . ' ' . $e->getMessage());
+			}
+		}
 		return $this->server;
 	}
 

lam/templates/login.php

@@ -11,6 +11,7 @@ use \htmlGroup;
 use \htmlInputCheckbox;
 use \htmlButton;
 use \htmlStatusMessage;
+use LAMException;
 use \Ldap;
 use \htmlResponsiveRow;
 use \htmlDiv;
@@ -170,12 +171,13 @@ $manifestUrl = preg_replace('/\\?.*/', '', $manifestUrl);
 $_SESSION['header'] .= '<link rel="manifest" href="' . $manifestUrl . '/templates/manifest.php" crossorigin="use-credentials">';
 
 /**
-* Displays the login window.
+ * Displays the login window.
-*
+ *
-* @param \LAM\ENV\LAMLicenseValidator $licenseValidator license validator
+ * @param \LAM\ENV\LAMLicenseValidator $licenseValidator license validator
-* @param string $error_message error message to display
+ * @param string $error_message error message to display
-*/
+ * @param string $errorDetails error details
-function display_LoginPage($licenseValidator, $error_message) {
+ */
+function display_LoginPage($licenseValidator, $error_message, $errorDetails = null) {
 	$config_object = $_SESSION['config'];
 	$cfgMain = $_SESSION["cfgMain"];
 	logNewMessage(LOG_DEBUG, "Display login page");
@@ -405,7 +407,7 @@ function display_LoginPage($licenseValidator, $error_message) {
 							// error message
 							if(!empty($error_message)) {
 								$row->add(new \htmlSpacer(null, '5px'), 12);
-								$message = new htmlStatusMessage('ERROR', $error_message);
+								$message = new htmlStatusMessage('ERROR', $error_message, $errorDetails);
 								$message->colspan = 3;
 								$row->add($message, 12);
 							}
@@ -506,7 +508,7 @@ if(isset($_POST['checklogin'])) {
 	// search user in LDAP if needed
 	if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) {
 		$searchFilter = $_SESSION['config']->getLoginSearchFilter();
-		$searchFilter = str_replace('%USER%', $username ,$searchFilter);
+		$searchFilter = str_replace('%USER%', $username, $searchFilter);
 		$searchDN = '';
 		$searchPassword = '';
 		$configLoginSearchDn = $_SESSION['config']->getLoginSearchDN();
@@ -517,12 +519,8 @@ if(isset($_POST['checklogin'])) {
 		$searchSuccess = true;
 		$searchError = '';
 		$searchLDAP = new Ldap($_SESSION['config']);
-		$searchLDAPResult = $searchLDAP->connect($searchDN, $searchPassword, true);
+		try {
-		if (! ($searchLDAPResult == 0)) {
+			$searchLDAP->connect($searchDN, $searchPassword, true);
-			$searchSuccess = false;
-			$searchError = _('Cannot connect to specified LDAP server. Please try again.') . ' ' . getDefaultLDAPErrorString($searchLDAP->server());
-		}
-		else {
             $searchResult = ldap_search($searchLDAP->server(), $_SESSION['config']->getLoginSearchSuffix(), $searchFilter, array('dn'), 0, 0, 0, LDAP_DEREF_NEVER);
             if ($searchResult) {
                 $searchInfo = ldap_get_entries($searchLDAP->server(), $searchResult);
@@ -555,7 +553,6 @@ if(isset($_POST['checklogin'])) {
                     $searchError .= ' ' . getDefaultLDAPErrorString($searchLDAP->server());
                 }
             }
-		}
 			if (!$searchSuccess) {
 				$error_message = $searchError;
 				logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in. ' . $searchError . '');
@@ -565,9 +562,15 @@ if(isset($_POST['checklogin'])) {
 			}
 			$searchLDAP->close();
 		}
+        catch (LAMException $e) {
+	        $searchLDAP->close();
+	        display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage());
+	        exit();
+        }
+	}
 	// try to connect to LDAP
-	$result = $_SESSION['ldap']->connect($username, $password); // Connect to LDAP server for verifying username/password
+    try {
-	if($result === 0) {// Username/password correct. Do some configuration and load main frame.
+	    $_SESSION['ldap']->connect($username, $password); // Connect to LDAP server for verifying username/password
 		$_SESSION['loggedIn'] = true;
 		// set security settings for session
 		$_SESSION['sec_session_id'] = session_id();
@@ -586,24 +589,8 @@ if(isset($_POST['checklogin'])) {
 		}
 		die();
 	}
-	else {
+	catch (LAMException $e) {
-		if (($result === False)
+		display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage());
-				|| ($result == 81)) {
-			// connection failed
-			$error_message = _("Cannot connect to specified LDAP server. Please try again.");
-			logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
-		}
-		elseif ($result == 49) {
-			// user name/password invalid. Return to login page.
-			$error_message = _("Wrong password/user name combination. Please try again.");
-			logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (wrong password).');
-		}
-		else {
-			// other errors
-			$error_message = _("LDAP error, server says:") .  "\n<br>($result) " . ldap_err2str($result);
-			logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
-		}
-		display_LoginPage($licenseValidator, $error_message);
 		exit();
     }
 }