From 30137fe5167c9548ed58addece4bb394807508ec Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Dec 06 2012 16:03:33 +0000 Subject: Better error message for login of users from other realms When user from other realm than FreeIPA's tries to use Web UI (login via forms-based auth or with valid trusted realm ticket), he gets an unauthorized error with X-Ipa-Rejection-Reason=denied. Web UI responds with showing login dialog with following error message: 'Sorry you are not allowed to access this service.'. Note: such users are not supported because they don't have a corresponding entry in LDAP which is needed for ACLs. https://fedorahosted.org/freeipa/ticket/3252 denied change --- diff --git a/install/ui/ipa.js b/install/ui/ipa.js index e20d3c0..a33fbfd 100644 --- a/install/ui/ipa.js +++ b/install/ui/ipa.js @@ -399,8 +399,8 @@ IPA.login_password = function(username, password) { //change result from invalid only if we have a header which we //understand - if (reason === 'password-expired') { - result = 'expired'; + if (reason === 'password-expired' || reason === 'denied') { + result = reason; } } @@ -1701,6 +1701,8 @@ IPA.unauthorized_dialog = function(spec) { that.password_expired = "Your password has expired. Please enter a new password."; + that.denied = "Sorry you are not allowed to access this service."; + that.create = function() { that.session_expired_form(); @@ -1816,6 +1818,16 @@ IPA.unauthorized_dialog = function(spec) { that.open = function() { that.dialog_open(); that.show_session_form(); + that.check_error_reason(); + }; + + that.check_error_reason = function() { + if (this.xhr) { + var reason = this.xhr.getResponseHeader("X-IPA-Rejection-Reason"); + if (reason) { + that.show_login_error_message(reason); + } + } }; that.on_username_change = function() { 
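Review bot: In the new `that.check_error_reason`, the xhr is read through `this` (`this.xhr`) while the rest of the dialog uses the captured `that`. It works only because `that.open` calls it as `that.check_error_reason()`; if the function is ever passed around as a handler, `this` will no longer be the dialog and the check will silently do nothing. I would write `if (that.xhr) { var reason = that.xhr.getResponseHeader("X-IPA-Rejection-Reason");`. A short comment saying where `xhr` is set on the dialog would also help, since the hunk does not show it (presumably it comes from `spec`). The body of `IPA.unauthorized_dialog` starts and ends outside this hunk.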
@@ -1858,6 +1870,20 @@ IPA.unauthorized_dialog = function(spec) { that.new_password_widget.focus_input(); }; + that.show_login_error_message = function(reason) { + var errors = { + 'invalid': that.form_auth_failed, + 'denied': that.denied + }; + + var message = errors[reason]; + + if (message) { + that.login_error_box.html(message); + that.login_error_box.css('display', 'block'); + } + }; + that.on_login_keyup = function(event) { if (that.switching) { @@ -1903,12 +1929,11 @@ IPA.unauthorized_dialog = function(spec) { if (result === 'success') { that.on_login_success(); - } else if (result === 'expired') { + } else if (result === 'password-expired') { that.reset_error_box.css('display', 'none'); that.show_reset_form(); } else { - that.login_error_box.html(that.form_auth_failed); - that.login_error_box.css('display', 'block'); + that.show_login_error_message(result); } }; diff --git a/install/ui/login.html b/install/ui/login.html index 69e3dea..f279f02 100644 --- a/install/ui/login.html +++ b/install/ui/login.html @@ -34,6 +34,10 @@
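Review bot: In `that.show_login_error_message`, `errors[reason]` is a lookup on a plain object literal, and through `check_error_reason` the key is whatever the server put in the `X-IPA-Rejection-Reason` header. A value such as `constructor` or `toString` resolves to an inherited member, passes the `if (message)` test and is handed to `.html()`. Restrict the lookup to own keys, for example `var message = errors.hasOwnProperty(reason) ? errors[reason] : null;`. `that.denied` is plain text, so `that.login_error_box.text(message)` would also stop the box interpreting markup, provided `that.form_auth_failed` (defined outside the hunk) carries none.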
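Review bot: The final `else` of the login result handler now calls `that.show_login_error_message(result)`, which displays nothing when `result` is not a key of its `errors` map. Before this change every result that was not success or expired showed `that.form_auth_failed`, so an unexpected result now leaves the user with a failed login and no message. Keeping the generic fallback at this call site would preserve that, e.g. `that.show_login_error_message(result === 'denied' ? 'denied' : 'invalid');`. Separately, the token for an expired password changes from `'expired'` to `'password-expired'`, so any other consumer of the `IPA.login_password` result outside these hunks needs the same update. The enclosing function begins outside the hunk.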

If the problem persists, contact your administrator.

+ +