moved message

Roland Gruber 2020-06-30 20:51:20 +02:00
parent d32d8d3a0d
commit e03cd1f57c
2 changed files with 31 additions and 32 deletions


@ -1521,6 +1521,36 @@ function getDefaultLDAPErrorString($server) {
return $message;
}
/**
* Tries to get additional information why invalid credentials was returned. E.g. account is locked.
*
* @param handle $ldap LDAP object to connect for getting extra data
* @param string $userDn failed DN
* @return string extra message
*/
function getExtraInvalidCredentialsMessage($ldap, $userDn) {
$attributes = array('dn', 'pwdaccountlockedtime', 'krbprincipalexpiration',
'krbpasswordexpiration', 'passwordexpirationtime');
$userData = ldapGetDN($userDn, $attributes, $ldap);
$now = new DateTime('now', getTimeZone());
if (!empty($userData['pwdaccountlockedtime'][0])) {
return _('Account is locked');
}
if (!empty($userData['krbprincipalexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbprincipalexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos account is expired');
}
}
if (!empty($userData['krbpasswordexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbpasswordexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos password is expired');
}
}
return null;
}
/**
* Returns the URL under which the page was loaded.
* This includes any GET parameters set.
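Review bot: getExtraInvalidCredentialsMessage() returns account state ("Account is locked", "Kerberos account is expired", "Kerberos password is expired") for a DN whose bind has just failed, and the login page section of this commit passes that string to display_LoginPage(), so a client that has not authenticated can learn that the entry exists and what state it is in. Since the helper now sits in a shared library file and is presumably reachable from other callers, its docblock should state this, e.g. `* Note: the result discloses account state before authentication; only display it where that is acceptable.`, and a configuration switch to suppress the extra message would be worth considering. The docblock says `@return string` while the function ends with `return null;`, so `@return string|null extra message` is more accurate. `passwordexpirationtime` is requested in `$attributes` but never read in the body.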


@ -1,6 +1,5 @@
<?php
namespace LAM\LOGIN;
use DateTime;
use LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
use \LAMConfig;
use \LAMCfgMain;
@ -602,7 +601,7 @@ if(isset($_POST['checklogin'])) {
catch (LAMException $e) {
$extraMessage = null;
if (($searchLDAP !== null) && ($e->getLdapErrorCode() == 49)) {
$extraMessage = getExtraInvalidCredentialsMessage($searchLDAP, $username);
$extraMessage = getExtraInvalidCredentialsMessage($searchLDAP->server(), $username);
$searchLDAP->close();
}
display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage(), $extraMessage);
@ -610,36 +609,6 @@ if(isset($_POST['checklogin'])) {
}
}
/**
* Tries to get additional information why invalid credentials was returned. E.g. account is locked.
*
* @param Ldap $ldap LDAP object to connect for getting extra data
* @param string $username failed DN
* @return string extra message
*/
function getExtraInvalidCredentialsMessage($ldap, $username) {
$attributes = array('dn', 'pwdaccountlockedtime', 'krbprincipalexpiration',
'krbpasswordexpiration', 'passwordexpirationtime');
$userData = ldapGetDN($username, $attributes, $ldap->server());
$now = new DateTime('now', getTimeZone());
if (!empty($userData['pwdaccountlockedtime'][0])) {
return _('Account is locked');
}
if (!empty($userData['krbprincipalexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbprincipalexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos account is expired');
}
}
if (!empty($userData['krbpasswordexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbpasswordexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos password is expired');
}
}
return null;
}
//displays the login window
display_LoginPage($licenseValidator, $error_message);
?>
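Review bot: In the `catch (LAMException $e)` block, `$searchLDAP->close()` runs only when the error code is 49, so a non-null `$searchLDAP` is left open for any other LDAP error until the script ends. Closing it under its own guard after the code-49 check, `if ($searchLDAP !== null) { $searchLDAP->close(); }`, would release the search connection on every failure path. The comparison `$e->getLdapErrorCode() == 49` is loose; if the method returns an integer, `=== 49` avoids matching coerced values. The catch block starts before the visible lines, so the connection may already be handled elsewhere.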