authorPetr Vobornik <pvoborni@redhat.com>2012-11-14 09:35:03 +0100
committerPetr Vobornik <pvoborni@redhat.com>2012-12-06 17:02:03 +0100
commit8d892f442f27026ac7195f6d9720b6da046ff477 (patch)
tree31992b4581895b358aa0b2689d7496f7c4b31255
parente05a720b12ae9bf8a39fa3103bdd61dc065dface (diff)
Better error message for login of users from other realms
When a user from a realm other than FreeIPA's tries to use the Web UI (login via forms-based auth or with a valid trusted-realm ticket), he gets an unauthorized error with X-Ipa-Rejection-Reason=denied. The Web UI responds by showing the login dialog with the following error message: 'Sorry you are not allowed to access this service.'. Note: such users are not supported because they don't have a corresponding entry in LDAP, which is needed for ACLs. https://fedorahosted.org/freeipa/ticket/3252 denied change
-rw-r--r--install/ui/ipa.js35
-rw-r--r--install/ui/login.html4
-rw-r--r--install/ui/login.js16
3 files changed, 43 insertions, 12 deletions
diff --git a/install/ui/ipa.js b/install/ui/ipa.js
index e20d3c08a..a33fbfd5e 100644
--- a/install/ui/ipa.js
+++ b/install/ui/ipa.js
@@ -399,8 +399,8 @@ IPA.login_password = function(username, password) {
//change result from invalid only if we have a header which we
//understand
- if (reason === 'password-expired') {
- result = 'expired';
+ if (reason === 'password-expired' || reason === 'denied') {
+ result = reason;
}
}
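Review bot: The result strings this function returns are now a mix of the local default `'invalid'` and raw rejection-reason header values (`'password-expired'`, `'denied'`), and nothing at the function records that contract. Any caller outside this commit that still compares against the old `'expired'` value would silently fall into its default branch. A comment above the check would make this explicit, for example `// result stays 'invalid' unless the rejection reason is one we handle: 'password-expired' or 'denied'`. The same applies to the identical hunk in `LP.login` in install/ui/login.js. The body of `IPA.login_password` starts and ends outside this hunk.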
@@ -1701,6 +1701,8 @@ IPA.unauthorized_dialog = function(spec) {
that.password_expired = "Your password has expired. Please enter a new password.";
+ that.denied = "Sorry you are not allowed to access this service.";
+
that.create = function() {
that.session_expired_form();
@@ -1816,6 +1818,16 @@ IPA.unauthorized_dialog = function(spec) {
that.open = function() {
that.dialog_open();
that.show_session_form();
+ that.check_error_reason();
+ };
+
+ that.check_error_reason = function() {
+ if (this.xhr) {
+ var reason = this.xhr.getResponseHeader("X-IPA-Rejection-Reason");
+ if (reason) {
+ that.show_login_error_message(reason);
+ }
+ }
};
that.on_username_change = function() {
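Review bot: `check_error_reason` reads `this.xhr` while the rest of the dialog addresses its state through `that`, so it only works because `open()` invokes it as `that.check_error_reason()`. If it is ever passed as a detached callback, `this` will no longer be the dialog and the check will silently do nothing. Use `if (that.xhr) {` and `var reason = that.xhr.getResponseHeader("X-IPA-Rejection-Reason");` instead. Where `xhr` is assigned is not visible in this hunk; it is worth confirming it is refreshed per failed request, so a stale response does not replay an old rejection message each time the dialog opens.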
@@ -1858,6 +1870,20 @@ IPA.unauthorized_dialog = function(spec) {
that.new_password_widget.focus_input();
};
+ that.show_login_error_message = function(reason) {
+ var errors = {
+ 'invalid': that.form_auth_failed,
+ 'denied': that.denied
+ };
+
+ var message = errors[reason];
+
+ if (message) {
+ that.login_error_box.html(message);
+ that.login_error_box.css('display', 'block');
+ }
+ };
+
that.on_login_keyup = function(event) {
if (that.switching) {
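Review bot: In `show_login_error_message`, `errors[reason]` is a plain-object lookup keyed by a value that, via `check_error_reason`, comes straight from a response header. Names inherited from `Object.prototype`, such as `constructor` or `toString`, therefore resolve to truthy non-string values that are then handed to `.html()`. Restrict the lookup to own properties, for example `var message = Object.prototype.hasOwnProperty.call(errors, reason) ? errors[reason] : null;`. If the message strings are plain text (their definitions are mostly outside this hunk), `that.login_error_box.text(message);` would also keep the sink safe should these strings later come from translations or the server.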
@@ -1903,12 +1929,11 @@ IPA.unauthorized_dialog = function(spec) {
if (result === 'success') {
that.on_login_success();
- } else if (result === 'expired') {
+ } else if (result === 'password-expired') {
that.reset_error_box.css('display', 'none');
that.show_reset_form();
} else {
- that.login_error_box.html(that.form_auth_failed);
- that.login_error_box.css('display', 'block');
+ that.show_login_error_message(result);
}
};
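Review bot: The final `else` in `on_login` used to show `form_auth_failed` for every result that was neither success nor expired. It now delegates to `show_login_error_message(result)`, which displays nothing when the result is not a key of its map. Only `'invalid'` and `'denied'` appear reachable today, judging from the `IPA.login_password` hunk, but any result added later would make the login fail with no feedback. A short comment on this branch noting that new result values must also be added to the `errors` map would help, as would an explicit default to the `'invalid'` message here. The start of `on_login` is outside this hunk.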
diff --git a/install/ui/login.html b/install/ui/login.html
index 69e3dea7f..f279f027d 100644
--- a/install/ui/login.html
+++ b/install/ui/login.html
@@ -34,6 +34,10 @@
<p>If the problem persists, contact your administrator.</p>
</div>
+ <div id="denied" class="error-box" style="display:none">
+ <p>Sorry you are not allowed to access this service.</p>
+ </div>
+
<form id="login">
<ul>
<li>
diff --git a/install/ui/login.js b/install/ui/login.js
index cd4e72d95..1fce8ecc5 100644
--- a/install/ui/login.js
+++ b/install/ui/login.js
@@ -35,8 +35,8 @@ LP.login = function(username, password) {
//change result from invalid only if we have a header which we
//understand
- if (reason === 'password-expired') {
- result = 'expired';
+ if (reason === 'password-expired' || reason === 'denied') {
+ result = reason;
}
}
}
@@ -70,12 +70,14 @@ LP.on_submit = function() {
var result = LP.login(username, password);
+ $('.error-box').hide();
+
if (result === 'invalid') {
- $('#expired').css('display', 'none');
- $('#invalid').css('display', 'block');
- } else if (result === 'expired') {
- $('#invalid').css('display', 'none');
- $('#expired').css('display', 'block');
+ $('#invalid').show();
+ } else if (result === 'password-expired') {
+ $('#expired').show();
+ } else if(result === 'denied') {
+ $('#denied').show();
} else {
window.location = '/ipa/ui';
}
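Review bot: The trailing `else` in `LP.on_submit` treats every result other than the three named failures as a successful login and navigates to `/ipa/ui`. Each new rejection reason therefore has to be remembered here, or the page redirects instead of showing an error. Matching success explicitly and falling back to the generic error is safer: `} else if (result === 'success') { window.location = '/ipa/ui'; } else { $('#invalid').show(); }`. This assumes `LP.login` returns `'success'` as `IPA.login_password` appears to; its return values are not visible in this hunk. As a minor style point, `else if(result === 'denied')` is missing the space after `if` that the neighbouring branches use.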