Better error message for login of users from other realms

When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), he gets an unauthorized error with X-Ipa-Rejection-Reason=denied. Web UI responds with showing login dialog with following error message: 'Sorry you
are not allowed to access this service.'.

Note: such users are not supported because they don't have a corresponding entry in LDAP which is needed for ACLs.

https://fedorahosted.org/freeipa/ticket/3252

denied change

1 files changed, 9 insertions, 7 deletions

diff --git a/install/ui/login.js b/install/ui/login.js
index cd4e72d95..1fce8ecc5 100644
--- a/install/ui/login.js
+++ b/install/ui/login.js
@@ -35,8 +35,8 @@ LP.login = function(username, password) {
 
             //change result from invalid only if we have a header which we
             //understand
-            if (reason === 'password-expired') {
-                result = 'expired';
+            if (reason === 'password-expired' || reason === 'denied') {
+                result = reason;
             }
         }
     }
@@ -70,12 +70,14 @@ LP.on_submit = function() {
 
     var result = LP.login(username, password);
 
+    $('.error-box').hide();
+
     if (result === 'invalid') {
-        $('#expired').css('display', 'none');
-        $('#invalid').css('display', 'block');
-    } else if (result === 'expired') {
-        $('#invalid').css('display', 'none');
-        $('#expired').css('display', 'block');
+        $('#invalid').show();
+    } else if (result === 'password-expired') {
+        $('#expired').show();
+    } else if(result === 'denied') {
+        $('#denied').show();
     } else {
         window.location = '/ipa/ui';
     }