WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

enhanced error messages

This commit is contained in:
Roland Gruber 2020-06-28 11:16:37 +02:00
parent 87986e93cc
commit f75f813a9a
2 changed files with 21 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lam/lib/ldap.inc
View File

@ -112,7 +112,7 @@ class Ldap{
else { else {
// other errors // other errors
logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').'); logNewMessage(LOG_ERR, 'User ' . $user . ' (' . $clientSource . ') failed to log in (LDAP error: ' . getDefaultLDAPErrorString($this->server) . ').');
throw new LAMException(_("LDAP error, server says:"), "($errorNumber) " . getDefaultLDAPErrorString($this->server), null, $errorNumber); throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."), "($errorNumber) " . getDefaultLDAPErrorString($this->server), null, $errorNumber);
} }
} }
throw new LAMException(_("Cannot connect to specified LDAP server. Please try again.")); throw new LAMException(_("Cannot connect to specified LDAP server. Please try again."));

25
lam/templates/login.php
View File

@ -1,5 +1,6 @@
<?php <?php
namespace LAM\LOGIN; namespace LAM\LOGIN;
use DateTime;
use LAM\LIB\TWO_FACTOR\TwoFactorProviderService; use LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
use \LAMConfig; use \LAMConfig;
use \LAMCfgMain; use \LAMCfgMain;
@ -598,6 +599,7 @@ if(isset($_POST['checklogin'])) {
$extraMessage = null; $extraMessage = null;
if (($searchLDAP !== null) && ($e->getLdapErrorCode() == 49)) { if (($searchLDAP !== null) && ($e->getLdapErrorCode() == 49)) {
$extraMessage = getExtraInvalidCredentialsMessage($searchLDAP, $username); $extraMessage = getExtraInvalidCredentialsMessage($searchLDAP, $username);
$searchLDAP->close();
} }
display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage(), $extraMessage); display_LoginPage($licenseValidator, $e->getTitle(), $e->getMessage(), $extraMessage);
exit(); exit();
@ -612,13 +614,26 @@ if(isset($_POST['checklogin'])) {
* @return string extra message * @return string extra message
*/ */
function getExtraInvalidCredentialsMessage($ldap, $username) { function getExtraInvalidCredentialsMessage($ldap, $username) {
$extraMessage = null; $attributes = array('dn', 'pwdaccountlockedtime', 'krbprincipalexpiration',
$userData = ldapGetDN($username, array('dn', 'pwdaccountlockedtime'), $ldap->server()); 'krbpasswordexpiration', 'passwordexpirationtime');
$userData = ldapGetDN($username, $attributes, $ldap->server());
$now = new DateTime('now', getTimeZone());
if (!empty($userData['pwdaccountlockedtime'][0])) { if (!empty($userData['pwdaccountlockedtime'][0])) {
$extraMessage = _('Account is locked'); return _('Account is locked');
} }
$ldap->close(); if (!empty($userData['krbprincipalexpiration'][0])) {
return $extraMessage; $kerberosExpirationDate = parseLDAPTimestamp($userData['krbprincipalexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos account is expired');
}
}
if (!empty($userData['krbpasswordexpiration'][0])) {
$kerberosExpirationDate = parseLDAPTimestamp($userData['krbpasswordexpiration'][0]);
if ($now >= $kerberosExpirationDate) {
return _('Kerberos password is expired');
}
}
return null;
} }
//displays the login window //displays the login window