-rw-r--r--install/ui/src/freeipa/ipa.js7
-rw-r--r--install/ui/src/freeipa/widgets/LoginScreen.js13
-rw-r--r--ipalib/errors.py8
-rw-r--r--ipaserver/rpcserver.py13
4 files changed, 34 insertions, 7 deletions
diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index 29af40487..e241ad30d 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -5,7 +5,7 @@
* John Dennis <jdennis@redhat.com>
* Petr Vobornik <pvoborni@redhat.com>
*
- * Copyright (C) 2010 Red Hat
+ * Copyright (C) 2010-2016 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software; you can redistribute it and/or modify
@@ -495,7 +495,10 @@ IPA.login_password = function(username, password) {
//change result from invalid only if we have a header which we
//understand
- if (reason === 'password-expired' || reason === 'denied') {
+ if (reason === 'password-expired' ||
+ reason === 'denied' ||
+ reason === 'krbprincipal-expired' ||
+ reason === 'invalid-password') {
result = reason;
}
}
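Review bot: The accepted reasons are now a four-way `===` chain that must be kept in step by hand with the strings in LoginScreen.js and rpcserver.py. A membership test makes the allowed values explicit, for example `var known_reasons = ['password-expired', 'denied', 'krbprincipal-expired', 'invalid-password'];` followed by `if (known_reasons.indexOf(reason) > -1) {`. Any other header value must still leave `result` unchanged, as it does today. IPA.login_password starts and ends outside this hunk.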
diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
index 17f891e0e..a9f70cce7 100644
--- a/install/ui/src/freeipa/widgets/LoginScreen.js
+++ b/install/ui/src/freeipa/widgets/LoginScreen.js
@@ -1,7 +1,7 @@
/* Authors:
* Petr Vobornik <pvoborni@redhat.com>
*
- * Copyright (C) 2013 Red Hat
+ * Copyright (C) 2013-2016 Red Hat
* see file 'COPYING' for use and warranty information
*
* This program is free software; you can redistribute it and/or modify
@@ -57,7 +57,7 @@ define(['dojo/_base/declare',
"<a href='http://${host}/ipa/config/unauthorized.html'>configured</a>" +
" the browser correctly, then click Login. ",
- form_auth_failed: "The password or username you entered is incorrect. ",
+ form_auth_failed: "Login failed due to an unknown reason. ",
krb_auth_failed: "Authentication with Kerberos failed",
@@ -67,6 +67,9 @@ define(['dojo/_base/declare',
denied: "Sorry you are not allowed to access this service.",
+ krbprincipal_expired: "Kerberos Principal you entered is expired.",
+
+ invalid_password: "The password you entered is incorrect. ",
//nodes:
login_btn_node: null,
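Review bot: `invalid_password` tells the user the password is wrong, but in rpcserver.py every kinit failure that is not one of the two matched messages ends in `raise InvalidSessionPassword`, which is reported as 'invalid-password'. A mistyped user name would therefore presumably show this text too, which is inaccurate, and a login form should avoid wording that implies the user name is valid. Suggest keeping the earlier neutral wording: `invalid_password: "The password or username you entered is incorrect. ",`. Separately, `krbprincipal_expired` would read better as `"The Kerberos principal you entered has expired."`.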
@@ -231,6 +234,12 @@ define(['dojo/_base/declare',
} else if (result === 'password-expired') {
this.set('view', 'reset');
val_summary.add_info('login', this.password_expired);
+ } else if (result === 'krbprincipal-expired') {
+ password_f.set_value('');
+ val_summary.add_error('login', this.krbprincipal_expired);
+ } else if (result === 'invalid-password') {
+ password_f.set_value('');
+ val_summary.add_error('login', this.invalid_password);
} else {
password_f.set_value('');
val_summary.add_error('login', this.form_auth_failed);
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 2507e13dc..67ed2818f 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1,7 +1,7 @@
# Authors:
# Jason Gerard DeRose <jderose@redhat.com>
#
-# Copyright (C) 2008 Red Hat
+# Copyright (C) 2008-2016 Red Hat
# see file 'COPYING' for use and warranty inmsgion
#
# This program is free software; you can redistribute it and/or modify
@@ -601,6 +601,12 @@ class PasswordExpired(InvalidSessionPassword):
"""
errno = 1202
+class KrbPrincipalExpired(SessionError):
+ """
+ **1203** Raised when Kerberos Principal is expired.
+ """
+ errno = 1203
+
##############################################################################
# 2000 - 2999: Authorization errors
class AuthorizationError(PublicError):
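Review bot: The docstring of KrbPrincipalExpired does not say what the exception carries or who raises it, although rpcserver.py raises it with `principal=` and `message=` keywords. A sentence such as `Raised by login_password when kinit reports that the client's entry in the database has expired; takes principal and message.` would make the class usable without reading the caller. Whether SessionError supplies a format string that uses those keywords is not visible in this hunk, so that is worth checking against what `str(e)` is expected to return.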
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 14796b978..96f82d5e2 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -1,7 +1,7 @@
# Authors:
# Jason Gerard DeRose <jderose@redhat.com>
#
-# Copyright (C) 2008 Red Hat
+# Copyright (C) 2008-2016 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
@@ -43,7 +43,7 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
from ipalib.backend import Executioner
from ipalib.errors import (PublicError, InternalError, CommandError, JSONError,
CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
- ExecutionError, PasswordExpired)
+ ExecutionError, PasswordExpired, KrbPrincipalExpired)
from ipalib.request import context, destroy_context
from ipalib.rpc import (xml_dumps, xml_loads,
json_encode_binary, json_decode_binary)
@@ -949,6 +949,11 @@ class login_password(Backend, KerberosSession, HTTP_Status):
return self.unauthorized(environ, start_response, str(e), 'password-expired')
except InvalidSessionPassword as e:
return self.unauthorized(environ, start_response, str(e), 'invalid-password')
+ except KrbPrincipalExpired as e:
+ return self.unauthorized(environ,
+ start_response,
+ str(e),
+ 'krbprincipal-expired')
return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
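Review bot: The new `except KrbPrincipalExpired` branch puts the reason 'krbprincipal-expired' on the unauthorized response, so the login endpoint now reports account state for a given user name to a caller who has not authenticated. Whether kinit reports expiry before or after it verifies the password is not visible here; if before, the response confirms that a principal exists and has expired without any valid credential. Please confirm which it is and record the decision next to the branch, for example `# NOTE: reveals expired-principal state to unauthenticated callers; accepted for usability`, or map this case to the generic reason instead. The method body starts and continues outside this hunk.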
@@ -984,6 +989,10 @@ class login_password(Backend, KerberosSession, HTTP_Status):
if ('kinit: Cannot read password while '
'getting initial credentials') in str(e):
raise PasswordExpired(principal=principal, message=unicode(e))
+ elif ('kinit: Client\'s entry in database'
+ ' has expired while getting initial credentials') in str(e):
+ raise KrbPrincipalExpired(principal=principal,
+ message=unicode(e))
raise InvalidSessionPassword(principal=principal,
message=unicode(e))
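Review bot: The new `elif` classifies the failure by matching English kinit output, so a localized or reworded message falls through to `raise InvalidSessionPassword` and the user is told the password is wrong. The existing 'Cannot read password' match above it has the same weakness. If the kinit invocation (outside this hunk) does not already pin the locale, it should set `LC_ALL=C` in the subprocess environment. A comment such as `# relies on the exact kinit message text; keep in sync with the krb5 client` would flag the dependency. The enclosing method begins outside the hunk.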