WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

moved message

This commit is contained in:
Roland Gruber 2020-06-30 20:51:20 +02:00
parent d32d8d3a0d
commit e03cd1f57c
2 changed files with 31 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
lam/lib/account.inc
View File

@ -1521,6 +1521,36 @@ function getDefaultLDAPErrorString($server) {
return $message; return $message;
} }
/**
* Tries to get additional information why invalid credentials was returned. E.g. account is locked.
*
* @param handle $ldap LDAP object to connect for getting extra data
* @param string $userDn failed DN
* @return string extra message
*/
function getExtraInvalidCredentialsMessage($ldap, $userDn) {
$attributes = array('dn', 'pwdaccountlockedtime', 'krbprincipalexpiration',
'krbpasswordexpiration', 'passwordexpirationtime');
$userData = ldapGetDN($userDn, $attributes, $ldap);
$now = new DateTime('now', getTimeZone());
if (!empty($userData['pwdaccountlockedtime'][0])) {
return _('Account is locked');
}
if (!empty($userData['krbprincipalexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbprincipalexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos account is expired');
}
}
if (!empty($userData['krbpasswordexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbpasswordexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos password is expired');
}
}
return null;
}
/** /**
* Returns the URL under which the page was loaded. * Returns the URL under which the page was loaded.
* This includes any GET parameters set. * This includes any GET parameters set.

33
lam/templates/login.php
View File

@ -1,6 +1,5 @@
<?php <?php
namespace LAM\LOGIN; namespace LAM\LOGIN;
use DateTime;
use LAM\LIB\TWO_FACTOR\TwoFactorProviderService; use LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
use \LAMConfig; use \LAMConfig;
use \LAMCfgMain; use \LAMCfgMain;
@ -602,7 +601,7 @@ if(isset($_POST['checklogin'])) {
catch (LAMException $e) { catch (LAMException $e) {
$extraMessage = null; $extraMessage = null;
if (($searchLDAP !== null) && ($e->getLdapErrorCode() == 49)) { if (($searchLDAP !== null) && ($e->getLdapErrorCode() == 49)) {
$extraMessage = getExtraInvalidCredentialsMessage($searchLDAP, $username); $extraMessage = getExtraInvalidCredentialsMessage($searchLDAP->server(), $username);
$searchLDAP->close(); $searchLDAP->close();
} }
display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage(), $extraMessage); display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage(), $extraMessage);
@ -610,36 +609,6 @@ if(isset($_POST['checklogin'])) {
} }
} }
/**
* Tries to get additional information why invalid credentials was returned. E.g. account is locked.
*
* @param Ldap $ldap LDAP object to connect for getting extra data
* @param string $username failed DN
* @return string extra message
*/
function getExtraInvalidCredentialsMessage($ldap, $username) {
$attributes = array('dn', 'pwdaccountlockedtime', 'krbprincipalexpiration',
'krbpasswordexpiration', 'passwordexpirationtime');
$userData = ldapGetDN($username, $attributes, $ldap->server());
$now = new DateTime('now', getTimeZone());
if (!empty($userData['pwdaccountlockedtime'][0])) {
return _('Account is locked');
}
if (!empty($userData['krbprincipalexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbprincipalexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos account is expired');
}
}
if (!empty($userData['krbpasswordexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbpasswordexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos password is expired');
}
}
return null;
}
//displays the login window //displays the login window
display_LoginPage($licenseValidator, $error_message); display_LoginPage($licenseValidator, $error_message);
?> ?>