Howto inform users about LDAP errors

juanman80
Joined: 11 Nov 2011, 10:30
Znuny Version: 5.0.15

Post by juanman80 »

Hi all,
Our OTRS is connected to an Active Directory server for Customer and Agent authentication. The following is valid only for Microsoft Active Directory, as I think the error codes are not standardized between LDAP servers.
We wanted to show the user when the password is expired, for example, but did not want to show all errors, because this would help an attacker to identify valid user accounts.
The OTRS Customer and Agent login page shows an Info message prepared in the Auth module... but the Auth module never does so.
So, in order to prepare an Info message, we have to do the following:

1. Copy *Kernel/System/Auth/LDAP.pm* to **Custom/Kernel/System/Auth/LDAP.pm**
2. Edit Custom/Kernel/System/Auth/LDAP.pm and find the block:

```perl
    # bind with user data -> real user auth.
    $Result = $LDAP->bind( dn => $UserDN, password => $Param{Pw} );

    if ( $Result->code ) {
        [ ... ]
        return;
    }
```
3. Add, in this 'if' block, just before the return statement, the following:

```perl
        ######################
        ## Check LDAP Error ##
        ######################
        # Our LDAP server is Active Directory
        # check LDAP errors and display custom Info message
        # detected errors:
        #     expired password (532)
        #     disabled account (533)
        #     locked user (775)
        # AD puts the code after "data" in the bind error string, e.g.
        # "... comment: AcceptSecurityContext error, data 532, v1db1"

        if ( $Result->error() =~ /LdapErr.*data\s*(\d+),.*$/ ) {
            my $ADErrorCode = $1;
            my $InfoMessage;
            if ( $ADErrorCode == 532 ) {
                $InfoMessage = 'Login failed! Your password has expired.';
            }
            elsif ( $ADErrorCode == 533 ) {
                $InfoMessage = 'Login failed! Your account is disabled.';
            }
            elsif ( $ADErrorCode == 775 ) {
                $InfoMessage = 'Login failed! Your username is locked.';
            }

            # only log a message for the codes above; any other code keeps
            # the generic "login failed" text so no account details leak
            if ($InfoMessage) {
                # OTRS 4+/Znuny gets the log object from the ObjectManager
                # (OTRS 3.x used $Self->{LogObject} instead)
                $Kernel::OM->Get('Kernel::System::Log')->Log(
                    Priority => 'info',
                    Message  => $InfoMessage,
                );
            }
        }
        ##########
```
You should repeat these steps in **Custom/Kernel/System/CustomerAuth/LDAP.pm** for Customer Auth error display.
OTRS 5.0.15 on CentOSLinux with MariaDB database connected to an Active Directory for Agents and Customers.
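As an added example (not from the post above and not OTRS/Znuny code), the parse-and-map step from the snippet as a stand-alone Perl script: it takes the Active Directory bind error string that `$Result->error()` returns, extracts the `data` code, and returns a user-facing message only for the allow-listed codes, so unknown codes, AD's hex codes such as `52e`, and non-AD servers all fall back to the generic login failure. The function name `ADErrorMessage` and the sample error strings are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# User-facing messages for allow-listed AD result codes. Any code not listed
# here deliberately gets no message, so a failed login reveals nothing about
# whether the account exists or why it was rejected.
my %ADMessage = (
    532 => 'Login failed! Your password has expired.',
    533 => 'Login failed! Your account is disabled.',
    775 => 'Login failed! Your username is locked.',
);

# Extract the "data NNN" code from an AD bind error string such as
# "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1"
# and return the allow-listed message, or undef for anything else.
# AD writes the value in hex (e.g. 52e for a wrong password); the regex only
# captures all-digit values, so 52e never matches and stays generic.
sub ADErrorMessage {
    my ($Error) = @_;
    return if !defined $Error;
    return if $Error !~ /LdapErr.*data\s*(\d+),/;    # not an AD-style error
    return $ADMessage{$1};                            # undef when not allow-listed
}

# Constructed sample error string (DSID and layout made up for this check).
my $Template = '80090308: LdapErr: DSID-0C0903A9, comment: '
    . 'AcceptSecurityContext error, data %s, v1db1';

die 'expired password not detected'
    if ( ADErrorMessage( sprintf( $Template, 532 ) ) // '' ) ne $ADMessage{532};
die 'locked account not detected'
    if ( ADErrorMessage( sprintf( $Template, 775 ) ) // '' ) ne $ADMessage{775};
die 'wrong password (52e) must stay generic'
    if defined ADErrorMessage( sprintf( $Template, '52e' ) );
die 'account expired (701) is not allow-listed and must stay generic'
    if defined ADErrorMessage( sprintf( $Template, 701 ) );
die 'non-AD error must stay generic'
    if defined ADErrorMessage('Invalid credentials');
print "all checks passed\n";
```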