From f75f813a9af1695fe4f55343c1156111b3e83739 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sun, 28 Jun 2020 11:16:37 +0200
Subject: [PATCH] enhanced error messages

---
 lam/lib/ldap.inc        |  2 +-
 lam/templates/login.php | 25 ++++++++++++++++++++-----
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/lam/lib/ldap.inc b/lam/lib/ldap.inc
index 41d007e3..0ea1af4f 100644
--- a/lam/lib/ldap.inc
+++ b/lam/lib/ldap.inc
@@ -112,7 +112,7 @@ class Ldap{
 			else { // other errors
 				logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
-				throw new LAMException(_("LDAP error, server says:"), "($errorNumber) " . getDefaultLDAPErrorString($this->server), null, $errorNumber);
+				throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."), "($errorNumber) " . getDefaultLDAPErrorString($this->server), null, $errorNumber);
 			}
 		}
 		throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));
diff --git a/lam/templates/login.php b/lam/templates/login.php
index d55f5c5b..f074ee81 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -1,5 +1,6 @@
 getLdapErrorCode() == 49)) { $extraMessage = getExtraInvalidCredentialsMessage($searchLDAP, $username); + $searchLDAP->close(); } display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage(), $extraMessage); exit();
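Review bot: The new title in the `// other errors` branch is now the same text as the catch-all `throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));` on the hunk's last line, so from the title alone a reader can no longer tell a bind the server rejected for a non-credential reason from a connection that never succeeded. The specific LDAP error string still goes into the exception's second argument and into the `logNewMessage(LOG_ERR, ...)` entry, which is reasonable for a message shown to an unauthenticated client, but that intent is not written down anywhere in the hunk. Replacing the bare `// other errors` with `// other errors: user-visible title is deliberately generic; the LDAP error string is kept in the log entry and in the exception detail` would make the choice explicit for the next maintainer. The enclosing method starts and ends outside the hunk.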
@@ -612,13 +614,26 @@ if(isset($_POST['checklogin'])) {
  * @return string extra message
  */
 function getExtraInvalidCredentialsMessage($ldap, $username) {
-	$extraMessage = null;
-	$userData = ldapGetDN($username, array('dn', 'pwdaccountlockedtime'), $ldap->server());
+	$attributes = array('dn', 'pwdaccountlockedtime', 'krbprincipalexpiration',
+		'krbpasswordexpiration', 'passwordexpirationtime');
+	$userData = ldapGetDN($username, $attributes, $ldap->server());
+	$now = new DateTime('now', getTimeZone());
 	if (!empty($userData['pwdaccountlockedtime'][0])) {
-		$extraMessage = _('Account is locked');
+		return _('Account is locked');
 	}
-	$ldap->close();
-	return $extraMessage;
+	if (!empty($userData['krbprincipalexpiration'][0])) {
+		$kerberosExpirationDate = parseLDAPTimestamp($userData['krbprincipalexpiration'][0]);
+		if ($now >= $kerberosExpirationDate) {
+			return _('Kerberos account is expired');
+		}
+	}
+	if (!empty($userData['krbpasswordexpiration'][0])) {
+		$kerberosExpirationDate = parseLDAPTimestamp($userData['krbpasswordexpiration'][0]);
+		if ($now >= $kerberosExpirationDate) {
+			return _('Kerberos password is expired');
+		}
+	}
+	return null;
 }
 //displays the login window
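Review bot: `'passwordexpirationtime'` is added to `$attributes` but no branch in the new body ever reads `$userData['passwordexpirationtime']`, so the attribute is fetched and discarded; either drop it from the list or add the matching check alongside the two Kerberos branches. Both Kerberos branches compare `$now >= parseLDAPTimestamp(...)` without guarding the parse result — if parseLDAPTimestamp can return null or false on a malformed value (cannot tell from here), PHP's loose object-versus-null comparison makes the condition true and the account is reported as expired; `if ($kerberosExpirationDate instanceof DateTime && $now >= $kerberosExpirationDate)` would avoid that. The docblock, which starts outside the hunk, still says `@return string extra message` although the function now returns `null` when nothing applies; `* @return string|null extra message or null if there is nothing to report` matches the new code. These strings are shown to an unauthenticated client after a bind rejected with error 49, so each branch discloses account state; that disclosure predates this commit, but the added Kerberos branches widen it and the docblock should say so.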