Browse Source

enhanced error messages

pull/102/head
Roland Gruber 3 years ago
parent
commit
f75f813a9a
  1. 2
      lam/lib/ldap.inc
  2. 25
      lam/templates/login.php

2
lam/lib/ldap.inc

@ -112,7 +112,7 @@ class Ldap{
else {
// other errors
logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
throw new LAMException(_("LDAP error, server says:"), "($errorNumber) " . getDefaultLDAPErrorString($this->server), null, $errorNumber);
throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."), "($errorNumber) " . getDefaultLDAPErrorString($this->server), null, $errorNumber);
}
}
throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));

25
lam/templates/login.php

@ -1,5 +1,6 @@
<?php
namespace LAM\LOGIN;
use DateTime;
use LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
use \LAMConfig;
use \LAMCfgMain;
@ -598,6 +599,7 @@ if(isset($_POST['checklogin'])) {
$extraMessage = null;
if (($searchLDAP !== null) && ($e->getLdapErrorCode() == 49)) {
$extraMessage = getExtraInvalidCredentialsMessage($searchLDAP, $username);
$searchLDAP->close();
}
display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage(), $extraMessage);
exit();
@ -612,13 +614,26 @@ if(isset($_POST['checklogin'])) {
* @return string extra message
*/
function getExtraInvalidCredentialsMessage($ldap, $username) {
$extraMessage = null;
$userData = ldapGetDN($username, array('dn', 'pwdaccountlockedtime'), $ldap->server());
$attributes = array('dn', 'pwdaccountlockedtime', 'krbprincipalexpiration',
'krbpasswordexpiration', 'passwordexpirationtime');
$userData = ldapGetDN($username, $attributes, $ldap->server());
$now = new DateTime('now', getTimeZone());
if (!empty($userData['pwdaccountlockedtime'][0])) {
$extraMessage = _('Account is locked');
return _('Account is locked');
}
if (!empty($userData['krbprincipalexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbprincipalexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos account is expired');
}
}
if (!empty($userData['krbpasswordexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbpasswordexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos password is expired');
}
}
$ldap->close();
return $extraMessage;
return null;
}
//displays the login window

Loading…
Cancel
Save