From e03cd1f57cc151af008aeba4ce693bc5e5c1a72f Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Tue, 30 Jun 2020 20:51:20 +0200
Subject: [PATCH] moved message

---
 lam/lib/account.inc     | 30 ++++++++++++++++++++++++++++++
 lam/templates/login.php | 33 +--------------------------------
 2 files changed, 31 insertions(+), 32 deletions(-)

diff --git a/lam/lib/account.inc b/lam/lib/account.inc
index 727dcd36..e0659c91 100644
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -1521,6 +1521,36 @@ function getDefaultLDAPErrorString($server) {
 	return $message;
 }
 
+/**
+ * Tries to get additional information why invalid credentials was returned. E.g. account is locked.
+ *
+ * @param handle $ldap LDAP object to connect for getting extra data
+ * @param string $userDn failed DN
+ * @return string extra message
+ */
+function getExtraInvalidCredentialsMessage($ldap, $userDn) {
+	$attributes = array('dn', 'pwdaccountlockedtime', 'krbprincipalexpiration',
+		'krbpasswordexpiration', 'passwordexpirationtime');
+	$userData = ldapGetDN($userDn, $attributes, $ldap);
+	$now = new DateTime('now', getTimeZone());
+	if (!empty($userData['pwdaccountlockedtime'][0])) {
+		return _('Account is locked');
+	}
+	if (!empty($userData['krbprincipalexpiration'][0])) {
+		$kerberosExpirationDate = parseLDAPTimestamp($userData['krbprincipalexpiration'][0]);
+		if ($now >= $kerberosExpirationDate) {
+			return _('Kerberos account is expired');
+		}
+	}
+	if (!empty($userData['krbpasswordexpiration'][0])) {
+		$kerberosExpirationDate = parseLDAPTimestamp($userData['krbpasswordexpiration'][0]);
+		if ($now >= $kerberosExpirationDate) {
+			return _('Kerberos password is expired');
+		}
+	}
+	return null;
+}
+
 /**
  * Returns the URL under which the page was loaded.
  * This includes any GET parameters set.
diff --git a/lam/templates/login.php b/lam/templates/login.php
index 9f94a2be..e0867f21 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -1,6 +1,5 @@
 <?php
 namespace LAM\LOGIN;
-use DateTime;
 use LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
 use \LAMConfig;
 use \LAMCfgMain;
@@ -602,7 +601,7 @@ if(isset($_POST['checklogin'])) {
 	catch (LAMException $e) {
 		$extraMessage = null;
 		if (($searchLDAP !== null) && ($e->getLdapErrorCode() == 49)) {
-			$extraMessage = getExtraInvalidCredentialsMessage($searchLDAP, $username);
+			$extraMessage = getExtraInvalidCredentialsMessage($searchLDAP->server(), $username);
 			$searchLDAP->close();
 		}
 		display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage(), $extraMessage);
@@ -610,36 +609,6 @@ if(isset($_POST['checklogin'])) {
     }
 }
 
-/**
- * Tries to get additional information why invalid credentials was returned. E.g. account is locked.
- * 
- * @param Ldap $ldap LDAP object to connect for getting extra data
- * @param string $username failed DN
- * @return string extra message
- */
-function getExtraInvalidCredentialsMessage($ldap, $username) {
-    $attributes = array('dn', 'pwdaccountlockedtime', 'krbprincipalexpiration',
-        'krbpasswordexpiration', 'passwordexpirationtime');
-	$userData = ldapGetDN($username, $attributes, $ldap->server());
-	$now = new DateTime('now', getTimeZone());
-	if (!empty($userData['pwdaccountlockedtime'][0])) {
-		return _('Account is locked');
-	}
-	if (!empty($userData['krbprincipalexpiration'][0])) {
-		$kerberosExpirationDate = parseLDAPTimestamp($userData['krbprincipalexpiration'][0]);
-		if ($now >= $kerberosExpirationDate) {
-			return _('Kerberos account is expired');
-		}
-	}
-	if (!empty($userData['krbpasswordexpiration'][0])) {
-		$kerberosExpirationDate = parseLDAPTimestamp($userData['krbpasswordexpiration'][0]);
-		if ($now >= $kerberosExpirationDate) {
-			return _('Kerberos password is expired');
-		}
-	}
-	return null;
-}
-
 //displays the login window
 display_LoginPage($licenseValidator, $error_message);
 ?>