
moved message

pull/102/head
Roland Gruber 3 years ago
parent
commit
e03cd1f57c
  1. 30
      lam/lib/account.inc
  2. 33
      lam/templates/login.php

30
lam/lib/account.inc

@ -1521,6 +1521,36 @@ function getDefaultLDAPErrorString($server) {
return $message;
}
/**
* Tries to get additional information why invalid credentials was returned. E.g. account is locked.
*
* @param handle $ldap LDAP object to connect for getting extra data
* @param string $userDn failed DN
* @return string extra message
*/
function getExtraInvalidCredentialsMessage($ldap, $userDn) {
$attributes = array('dn', 'pwdaccountlockedtime', 'krbprincipalexpiration',
'krbpasswordexpiration', 'passwordexpirationtime');
$userData = ldapGetDN($userDn, $attributes, $ldap);
$now = new DateTime('now', getTimeZone());
if (!empty($userData['pwdaccountlockedtime'][0])) {
return _('Account is locked');
}
if (!empty($userData['krbprincipalexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbprincipalexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos account is expired');
}
}
if (!empty($userData['krbpasswordexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbpasswordexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos password is expired');
}
}
return null;
}
/**
* Returns the URL under which the page was loaded.
* This includes any GET parameters set.
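Review bot: `getExtraInvalidCredentialsMessage()` requests `passwordexpirationtime` in `$attributes`, but no branch ever reads it, and the docblock says `@return string` although the last statement is `return null;`. Either add the missing expiry check for that attribute or drop it from the list, and change the tag to `@return string|null extra message or null if no reason was found`. The `@param handle $ldap` line could also state that a raw LDAP connection handle is expected rather than the `Ldap` wrapper object, since the body no longer calls `->server()` itself.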

33
lam/templates/login.php

@ -1,6 +1,5 @@
<?php
namespace LAM\LOGIN;
use DateTime;
use LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
use \LAMConfig;
use \LAMCfgMain;
@ -602,7 +601,7 @@ if(isset($_POST['checklogin'])) {
catch (LAMException $e) {
$extraMessage = null;
if (($searchLDAP !== null) && ($e->getLdapErrorCode() == 49)) {
$extraMessage = getExtraInvalidCredentialsMessage($searchLDAP, $username);
$extraMessage = getExtraInvalidCredentialsMessage($searchLDAP->server(), $username);
$searchLDAP->close();
}
display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage(), $extraMessage);
@ -610,36 +609,6 @@ if(isset($_POST['checklogin'])) {
}
}
/**
* Tries to get additional information why invalid credentials was returned. E.g. account is locked.
*
* @param Ldap $ldap LDAP object to connect for getting extra data
* @param string $username failed DN
* @return string extra message
*/
function getExtraInvalidCredentialsMessage($ldap, $username) {
$attributes = array('dn', 'pwdaccountlockedtime', 'krbprincipalexpiration',
'krbpasswordexpiration', 'passwordexpirationtime');
$userData = ldapGetDN($username, $attributes, $ldap->server());
$now = new DateTime('now', getTimeZone());
if (!empty($userData['pwdaccountlockedtime'][0])) {
return _('Account is locked');
}
if (!empty($userData['krbprincipalexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbprincipalexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos account is expired');
}
}
if (!empty($userData['krbpasswordexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbpasswordexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos password is expired');
}
}
return null;
}
//displays the login window
display_LoginPage($licenseValidator, $error_message);
?>
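Review bot: In the `catch (LAMException $e)` block of the `checklogin` handler, the result of `getExtraInvalidCredentialsMessage()` goes to `display_LoginPage()` whenever the bind fails with error 49, so an unauthenticated client learns that the submitted DN exists and whether it is locked or expired. No configuration switch guarding this is visible in the hunk; if none exists elsewhere, consider gating the extra message behind an option and otherwise only logging the reason server-side. At minimum, document the trade-off at the call site, e.g. `// discloses account state (locked/expired) to unauthenticated clients`. If `getLdapErrorCode()` returns an int, `== 49` would also read better as a strict comparison against a named constant for the invalid-credentials result code. The handler starts and ends outside the hunks shown.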