show info if login failed and account can be determined as locked

Roland Gruber 2020-06-21 21:33:43 +02:00
parent 38cbfb9dab
commit 780daded11
3 changed files with 47 additions and 10 deletions


@ -1770,6 +1770,8 @@ function isDeveloperVersion($version) {
class LAMException extends Exception { class LAMException extends Exception {
private $title; private $title;
private $ldapErrorCode;
/** /**
* Constructor. * Constructor.
@ -1777,10 +1779,12 @@ class LAMException extends Exception {
* @param string $title title * @param string $title title
* @param string $message message (optional) * @param string $message message (optional)
* @param Exception $cause (optional) * @param Exception $cause (optional)
* @param int $ldapErrorCode original LDAP error code
*/ */
public function __construct($title, $message = null, $cause = null) { public function __construct($title, $message = null, $cause = null, $ldapErrorCode = null) {
parent::__construct($message, null, $cause); parent::__construct($message, null, $cause);
$this->title = $title; $this->title = $title;
$this->ldapErrorCode = $ldapErrorCode;
} }
/** /**
@ -1792,6 +1796,15 @@ class LAMException extends Exception {
return $this->title; return $this->title;
} }
/**
* Returns the original LDAP error code.
*
* @return int error code
*/
public function getLdapErrorCode() {
return $this->ldapErrorCode;
}
} }
?> ?>
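Review bot: The new constructor parameter and getter are documented as a plain `int`, but `$ldapErrorCode` defaults to `null` and every LAMException thrown without an LDAP error (including the final "Cannot connect" throw in Ldap::connect, which passes no code) will return `null` from `getLdapErrorCode()`; callers comparing it to 49 should know that. I would change the two docblock lines to `@param int $ldapErrorCode original LDAP error code (optional, null if the failure was not an LDAP result)` and `@return int|null error code, null when none was recorded`. Matching the other optional parameters' `(optional)` wording keeps the constructor docblock consistent. The class body continues outside this hunk.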


@ -92,7 +92,6 @@ class Ldap{
ldap_set_option($this->server,LDAP_OPT_REFERRALS, $followReferrals); ldap_set_option($this->server,LDAP_OPT_REFERRALS, $followReferrals);
$bind = @ldap_bind($this->server, $user, $passwd); $bind = @ldap_bind($this->server, $user, $passwd);
if ($bind) { if ($bind) {
$return = ldap_errno($this->server);
$this->is_connected = true; $this->is_connected = true;
return; return;
} }
@ -103,17 +102,17 @@ class Ldap{
|| ($errorNumber == 81)) { || ($errorNumber == 81)) {
// connection failed // connection failed
logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').'); logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
throw new LAMException(_("Cannot connect to specified LDAP server. Please try again.")); throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."), null, null, $errorNumber);
} }
elseif ($errorNumber == 49) { elseif ($errorNumber == 49) {
// user name/password invalid. Return to login page. // user name/password invalid. Return to login page.
logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (wrong password). ' . getDefaultLDAPErrorString($this->server)); logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (wrong password). ' . getDefaultLDAPErrorString($this->server));
throw new LAMException(_("Wrong password/user name combination. Please try again."), getDefaultLDAPErrorString($this->server)); throw new LAMException(_("Wrong password/user name combination. Please try again."), getDefaultLDAPErrorString($this->server), null, $errorNumber);
} }
else { else {
// other errors // other errors
logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').'); logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
throw new LAMException(_("LDAP error, server says:"), "($errorNumber) " . getDefaultLDAPErrorString($this->server)); throw new LAMException(_("LDAP error, server says:"), "($errorNumber) " . getDefaultLDAPErrorString($this->server), null, $errorNumber);
} }
} }
throw new LAMException(_("Cannot connect to specified LDAP server. Please try again.")); throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
@ -122,6 +121,7 @@ class Ldap{
/** Closes connection to server */ /** Closes connection to server */
public function close() { public function close() {
if ($this->server != null) { if ($this->server != null) {
$this->is_connected = false;
@ldap_close($this->server); @ldap_close($this->server);
} }
} }
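Review bot: The branch that now forwards `$errorNumber == 49` still logs the failure as `(wrong password)`, yet LDAP result 49 (invalidCredentials) is also what OpenLDAP's ppolicy overlay returns for a locked account — which is precisely the case this commit goes on to detect on the login page. Anyone reading the syslog/security log will count lockouts as password-guessing attempts, so I would reword the log line to `failed to log in (invalid credentials, LDAP error 49)` and keep the `getDefaultLDAPErrorString()` suffix, which carries the server's diagnostic text when the server provides one. The user-facing exception message can stay as it is. The enclosing connect() method starts before this hunk.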


@ -178,8 +178,9 @@ setlanguage(); // setting correct language
* @param \LAM\ENV\LAMLicenseValidator $licenseValidator license validator * @param \LAM\ENV\LAMLicenseValidator $licenseValidator license validator
* @param string $error_message error message to display * @param string $error_message error message to display
* @param string $errorDetails error details * @param string $errorDetails error details
* @param string $extraMessage extra message that is shown as info
*/ */
function display_LoginPage($licenseValidator, $error_message, $errorDetails = null) { function display_LoginPage($licenseValidator, $error_message, $errorDetails = null, $extraMessage = null) {
$config_object = $_SESSION['config']; $config_object = $_SESSION['config'];
$cfgMain = $_SESSION["cfgMain"]; $cfgMain = $_SESSION["cfgMain"];
logNewMessage(LOG_DEBUG, "Display login page"); logNewMessage(LOG_DEBUG, "Display login page");
@ -405,12 +406,15 @@ function display_LoginPage($licenseValidator, $error_message, $errorDetails = nu
$row->add(new htmlSpacer(null, '20px'), 12); $row->add(new htmlSpacer(null, '20px'), 12);
$row->add(new htmlButton('checklogin', _("Login")), 12); $row->add(new htmlButton('checklogin', _("Login")), 12);
// error message // error message
if(!empty($error_message)) { if (!empty($error_message)) {
$row->add(new \htmlSpacer(null, '5px'), 12); $row->add(new \htmlSpacer(null, '5px'), 12);
$message = new htmlStatusMessage('ERROR', $error_message, $errorDetails); $message = new htmlStatusMessage('ERROR', $error_message, $errorDetails);
$message->colspan = 3;
$row->add($message, 12); $row->add($message, 12);
} }
if (!empty($extraMessage)) {
$extraMessage = new htmlStatusMessage('INFO', $extraMessage);
$row->add($extraMessage, 12);
}
parseHtml(null, $row, array(), false, $tabindex, 'user'); parseHtml(null, $row, array(), false, $tabindex, 'user');
?> ?>
@ -590,12 +594,32 @@ if(isset($_POST['checklogin'])) {
die(); die();
} }
catch (LAMException $e) { catch (LAMException $e) {
$extraMessage = null;
display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage()); if (($searchLDAP !== null) && ($e->getLdapErrorCode() == 49)) {
$extraMessage = getExtraInvalidCredentialsMessage($searchLDAP, $username);
}
display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage(), $extraMessage);
exit(); exit();
} }
} }
/**
* Tries to get additional information why invalid credentials was returned. E.g. account is locked.
*
* @param Ldap $ldap LDAP object to connect for getting extra data
* @param string $username failed DN
* @return string extra message
*/
function getExtraInvalidCredentialsMessage($ldap, $username) {
$extraMessage = null;
$userData = ldapGetDN($username, array('dn', 'pwdaccountlockedtime'), $ldap->server());
if (!empty($userData['pwdaccountlockedtime'][0])) {
$extraMessage = _('Account is locked');
}
$ldap->close();
return $extraMessage;
}
//displays the login window //displays the login window
display_LoginPage($licenseValidator, $error_message); display_LoginPage($licenseValidator, $error_message);
?> ?>
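Review bot: `getExtraInvalidCredentialsMessage()` discloses lockout state to an unauthenticated client: a bind that fails with result 49 does not prove the caller knew the password, so "Account is locked" confirms both that the supplied user exists and that it is currently locked, turning the login form into a username-enumeration and lockout oracle for whoever can reach it. I would make this message opt-in (or show it only to administrators) and otherwise keep the uniform "Wrong password/user name combination" text, recording the finding server-side instead with `logNewMessage(LOG_NOTICE, 'User ' . $username . ' failed to log in: pwdAccountLockedTime is set (account locked).');`. Two further caveats belong in the function's docblock: the check only tests that `pwdAccountLockedTime` is present, so with `pwdLockoutDuration` configured a lock that has already expired but whose attribute the server has not yet cleared would still be reported as locked, and `$ldap->server()` is used without checking that the search connection is still open — if the search bind was closed after resolving the DN (that code is outside this hunk) the lookup fails silently. The read itself is done with the search account's credentials, so it also requires that account to have read access to the `pwdAccountLockedTime` operational attribute; worth stating in the docblock.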