#7078 Logging in to web UI with AD credentials without an ID view fails without meaningful error message
Opened 2 years ago by phemmer. Modified 2 years ago

When attempting to log into the FreeIPA web UI using an AD account does not present a helpful error message indicating where the problem may lie.
On the first login attempt the user is presented with the message Your session has expired. Please re-login.. As a normal user I would see this and try again as the message is instructing me to. However on all future attempts no message at all is presented. It simply drops the user back to the login screen.
The server logs aren't very helpful either as the only thing in the httpd error log is [wsgi:error] [pid 4909] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials, which is incorrect as the credentials are valid, just not authorized.

While a better server-side error would be nice, the main issue is the lack of an error being presented to the user. Even a basic "unauthorized" message would be sufficient.

This is with FreeIPA 4.5.2 on Fedora 25

This is caused by following:

1) Ticket is obtained corretly -> endpoint login_password returns 200 -> No error shown

2) first API call fails -> 401 ... we do not handle this on login page, therefore it cannot read error message from response and shows nothing.

Possible solution would be to switch out from login page and show IPA error dialog as usually.

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7

2 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

2 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Login to comment on this ticket.