Our OTRS is connected to an Active Directory server for customer and agent authentication. The following is valid only for Microsoft Active Directory, as I think the error codes are not standardized between LDAP servers.
We wanted to tell the user when, for example, their password has expired, but not to show every error, because that would help an attacker identify valid user accounts.
The OTRS customer and agent login pages show an Info message prepared in the Auth module... but the Auth module never prepares one.
So, in order to prepare an Info message, we have to do the following:
1. Copy *Kernel/System/Auth/LDAP.pm* to **Custom/Kernel/System/Auth/LDAP.pm**
2. Edit Custom/Kernel/System/Auth/LDAP.pm and find the block

```perl
# bind with user data -> real user auth.
$Result = $LDAP->bind( dn => $UserDN, password => $Param{Pw} );
if ( $Result->code ) {
    [ ... ]
    return;
}
```
3. Inside that `if` block, before the `return;`, add the following. It inspects the AD-specific error string of the failed bind and logs an Info message only for the codes we deliberately chose to disclose; every other failure keeps the generic login error:

```perl
    ######################
    ## Check LDAP Error ##
    ######################
    # Our LDAP server is Active Directory.
    # Check the AD error string and prepare a custom Info message;
    # the login page displays the last Info log entry as its message.
    # Detected errors (AD "data" codes are hexadecimal strings; these three
    # happen to be all digits, so \d+ matches them and nothing else):
    #   expired password (532)
    #   disabled account (533)
    #   locked user      (775)
    if ( $Result->error() =~ /LdapErr.*data\s*(\d+),.*$/ ) {
        my $ADErrorCode = $1;
        my $InfoMessage;
        if ( $ADErrorCode == 532 ) {
            $InfoMessage = 'Login failed! Your password has expired.';
        }
        elsif ( $ADErrorCode == 533 ) {
            $InfoMessage = 'Login failed! Your account is disabled.';
        }
        elsif ( $ADErrorCode == 775 ) {
            $InfoMessage = 'Login failed! Your username is locked.';
        }
        # Any other code gets no message: the generic login error stays
        # and nothing is revealed about whether the account exists.
        if ($InfoMessage) {
            $Self->{LogObject}->Log(
                Priority => "Info",
                Message  => $InfoMessage,
            );
        }
    }
    ##########
```
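As an added example (not part of the original post and not OTRS code), here is a stand-alone Perl script showing the same mapping outside of LDAP.pm, so it can be tried on the command line before touching the Auth module. It goes a little beyond the post: it parses the AD "data" field as the hexadecimal string it actually is, and it shows why the codes for "user not found" (525) and "wrong password" (52e) are deliberately left unmapped and fall back to the generic message, since telling them apart is exactly what would let someone enumerate valid accounts. The function name `LoginMessageForADError` and the sample error strings are constructed for this example.

```perl
#!/usr/bin/perl
# Added example (not from the forum post or the OTRS project): map the
# "data NNN" field of an Active Directory bind error to a login message,
# disclosing only a deliberately chosen subset of codes.
use strict;
use warnings;

# AD "data" values are hexadecimal strings. Only these three are worth
# telling the user about: they concern an account the user already owns
# and do not reveal whether a username exists.
my %SafeToShow = (
    '532' => 'Login failed! Your password has expired.',
    '533' => 'Login failed! Your account is disabled.',
    '775' => 'Login failed! Your username is locked.',
);

# Codes deliberately NOT mapped, for example 525 (user not found) and 52e
# (bad password): showing different messages for them would let someone
# enumerate valid accounts, so both must fall back to the generic text.
my $Generic = 'Login failed! Your user name or password was entered incorrectly.';

# Returns the message to show for one Net::LDAP error string
# (hypothetical helper, not an OTRS API).
sub LoginMessageForADError {
    my ($ErrorString) = @_;
    return $Generic if !defined $ErrorString;

    # Accept the hex alphabet so "data 52e" is parsed rather than skipped;
    # the lookup table then decides what may be shown.
    if ( $ErrorString =~ /LdapErr.*data\s*([0-9a-f]+),/i ) {
        my $Code = lc $1;
        return $SafeToShow{$Code} if exists $SafeToShow{$Code};
    }
    return $Generic;
}

# Constructed sample error strings in the format AD returns on a failed bind.
my @Samples = (
    '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db1',
    '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1',
    '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1',
    '80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 525, v1db1',
    'Can\'t contact LDAP server',
);

for my $Error (@Samples) {
    printf "%-95s => %s\n", $Error, LoginMessageForADError($Error);
}
```

Run it with `perl` and note that the 52e and 525 lines produce the same generic text as the "can't contact" case; that identical response is the point, and it is what the `if ($InfoMessage)` guard in LDAP.pm preserves by simply not logging anything for unmapped codes.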