diff --git a/lam/lib/account.inc b/lam/lib/account.inc
index 1d53eb3a..928bd33d 100644
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -1770,6 +1770,8 @@ function isDeveloperVersion($version) {
 class LAMException extends Exception {
 private $title;
+
+ private $ldapErrorCode;
 /**
 * Constructor.
@@ -1777,10 +1779,12 @@ class LAMException extends Exception {
 * @param string $title title
 * @param string $message message (optional)
 * @param Exception $cause (optional)
+ * @param int $ldapErrorCode original LDAP error code
 */
- public function __construct($title, $message = null, $cause = null) {
+ public function __construct($title, $message = null, $cause = null, $ldapErrorCode = null) {
 parent::__construct($message, null, $cause);
 $this->title = $title;
+ $this->ldapErrorCode = $ldapErrorCode;
 }
 /**
@@ -1792,6 +1796,15 @@ class LAMException extends Exception {
 return $this->title;
 }
+ /**
+ * Returns the original LDAP error code.
+ *
+ * @return int error code
+ */
+ public function getLdapErrorCode() {
+ return $this->ldapErrorCode;
+ }
+
 }
 ?>
diff --git a/lam/lib/ldap.inc b/lam/lib/ldap.inc
index 5c7db093..41d007e3 100644
--- a/lam/lib/ldap.inc
+++ b/lam/lib/ldap.inc
@@ -92,7 +92,6 @@ class Ldap{
 ldap_set_option($this->server,LDAP_OPT_REFERRALS, $followReferrals);
 $bind = @ldap_bind($this->server, $user, $passwd);
 if ($bind) {
- $return = ldap_errno($this->server);
 $this->is_connected = true;
 return;
 }
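Review bot: The docblocks in the constructor hunk and in the getLdapErrorCode() hunk both declare the code as a plain `int`, but the constructor defaults `$ldapErrorCode` to null and at least one throw in ldap.inc (the fallback "Cannot connect" throw) passes nothing, so callers checking the code will see null for any LAMException that did not come from an LDAP operation. Document that explicitly: `@param int|null $ldapErrorCode original LDAP error code (optional)` in the constructor and `@return int|null error code, null if the exception did not originate from an LDAP operation` on the getter. A typed signature `?int $ldapErrorCode = null` would enforce it, but the rest of this class is untyped, so the docblock change is the consistent option here.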
@@ -103,17 +102,17 @@ class Ldap{
 || ($errorNumber == 81)) {
 // connection failed
 logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
- throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
+ throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."), null, null, $errorNumber);
 }
 elseif ($errorNumber == 49) {
 // user name/password invalid. Return to login page.
 logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (wrong password). ' . getDefaultLDAPErrorString($this->server));
- throw new LAMException(_("Wrong password/user name combination. Please try again."), getDefaultLDAPErrorString($this->server));
+ throw new LAMException(_("Wrong password/user name combination. Please try again."), getDefaultLDAPErrorString($this->server), null, $errorNumber);
 }
 else {
 // other errors
 logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
- throw new LAMException(_("LDAP error, server says:"), "($errorNumber) " . getDefaultLDAPErrorString($this->server));
+ throw new LAMException(_("LDAP error, server says:"), "($errorNumber) " . getDefaultLDAPErrorString($this->server), null, $errorNumber);
 }
 }
 throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
@@ -122,6 +121,7 @@ class Ldap{
 /** Closes connection to server */
 public function close() {
 if ($this->server != null) {
+ $this->is_connected = false;
 @ldap_close($this->server);
 }
 }
diff --git a/lam/templates/login.php b/lam/templates/login.php
index ffabc7fe..d2b933ff 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
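Review bot: The fallback `throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));` on the last line of the first hunk is now the only throw in this method that carries no LDAP error code, so a caller testing getLdapErrorCode() gets null on that path while the three branches above report the number. If `$errorNumber` is still in scope there (its assignment and the enclosing method start are outside the hunk), passing it as the fourth argument keeps the exception consistent; if it is not, a comment such as `// no LDAP error number available on this path` would document why the code is omitted. The same applies to the `// connection failed` branch, which passes the number but leaves the message null, so the login page will show only the title for those failures.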
@@ -178,8 +178,9 @@ setlanguage(); // setting correct language
 * @param \LAM\ENV\LAMLicenseValidator $licenseValidator license validator
 * @param string $error_message error message to display
 * @param string $errorDetails error details
+ * @param string $extraMessage extra message that is shown as info
 */
-function display_LoginPage($licenseValidator, $error_message, $errorDetails = null) {
+function display_LoginPage($licenseValidator, $error_message, $errorDetails = null, $extraMessage = null) {
 $config_object = $_SESSION['config'];
 $cfgMain = $_SESSION["cfgMain"];
 logNewMessage(LOG_DEBUG, "Display login page");
@@ -405,12 +406,15 @@ function display_LoginPage($licenseValidator, $error_message, $errorDetails = nu
 $row->add(new htmlSpacer(null, '20px'), 12);
 $row->add(new htmlButton('checklogin', _("Login")), 12);
 // error message
- if(!empty($error_message)) {
+ if (!empty($error_message)) {
 $row->add(new \htmlSpacer(null, '5px'), 12);
 $message = new htmlStatusMessage('ERROR', $error_message, $errorDetails);
- $message->colspan = 3;
 $row->add($message, 12);
 }
+ if (!empty($extraMessage)) {
+ $extraMessage = new htmlStatusMessage('INFO', $extraMessage);
+ $row->add($extraMessage, 12);
+ }
 parseHtml(null, $row, array(), false, $tabindex, 'user');
 ?>
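Review bot: In the new block at the end of the second hunk, `$extraMessage` is reassigned from the string parameter to an htmlStatusMessage object, so the same variable means two different things within four lines and any later use of the text inside display_LoginPage (the function continues past the hunk) would get a widget instead. Either build the widget inline, `$row->add(new htmlStatusMessage('INFO', $extraMessage), 12);`, or give it its own name such as `$infoMessage`, matching how the error branch keeps `$error_message` and `$message` apart. The error branch also inserts a 5px spacer before its message while the info branch does not; if that asymmetry is intended, a short comment like `// extra info, e.g. account lock status` makes it look deliberate rather than forgotten.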
@@ -590,12 +594,32 @@ if(isset($_POST['checklogin'])) {
 die();
 }
 catch (LAMException $e) {
-
- display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage());
+ $extraMessage = null;
+ if (($searchLDAP !== null) && ($e->getLdapErrorCode() == 49)) {
+ $extraMessage = getExtraInvalidCredentialsMessage($searchLDAP, $username);
+ }
+ display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage(), $extraMessage);
 exit();
 }
 }
+/**
+ * Tries to get additional information why invalid credentials was returned. E.g. account is locked.
+ *
+ * @param Ldap $ldap LDAP object to connect for getting extra data
+ * @param string $username failed DN
+ * @return string extra message
+ */
+function getExtraInvalidCredentialsMessage($ldap, $username) {
+ $extraMessage = null;
+ $userData = ldapGetDN($username, array('dn', 'pwdaccountlockedtime'), $ldap->server());
+ if (!empty($userData['pwdaccountlockedtime'][0])) {
+ $extraMessage = _('Account is locked');
+ }
+ $ldap->close();
+ return $extraMessage;
+}
+
 //displays the login window
 display_LoginPage($licenseValidator, $error_message);
 ?>
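Review bot: getExtraInvalidCredentialsMessage() reads pwdAccountLockedTime for whatever DN the failed login named and display_LoginPage shows the result to the client before any successful authentication, so an unauthenticated visitor now learns an account's lock state from the login page, read through what appears to be a separate search connection (`$searchLDAP`, created outside the hunk) rather than through their own credentials; that is a lockout/enumeration oracle and is worth gating behind a configuration option or recording with logNewMessage() instead of rendering. Within the helper, `$ldap->close()` is only reached on the normal path, so the search connection stays open if ldapGetDN() throws; a try/finally keeps the cleanup unconditional. The docblock's `@return string extra message` should read `@return string|null extra message, null if no additional information was found`, since the function returns null by default. I cannot see how $searchLDAP or $username are populated, so whether $username is always a DN at the catch is not verifiable from this hunk.
```php
function getExtraInvalidCredentialsMessage($ldap, $username) {
	$extraMessage = null;
	try {
		$userData = ldapGetDN($username, array('dn', 'pwdaccountlockedtime'), $ldap->server());
		if (!empty($userData['pwdaccountlockedtime'][0])) {
			$extraMessage = _('Account is locked');
		}
	}
	finally {
		// release the search connection even when the lookup fails
		$ldap->close();
	}
	return $extraMessage;
}
```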