Attempting to log into the FreeIPA web UI using an AD account does not present a helpful error message indicating where the problem may lie.
On the first login attempt the user is presented with the message "Your session has expired. Please re-login." As a normal user I would see this and try again, as the message is instructing me to. However, on all future attempts no message at all is presented. It simply drops the user back to the login screen.
The server logs aren't very helpful either, as the only thing in the httpd error log is "[wsgi:error] [pid 4909] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials", which is incorrect as the credentials are valid, just not authorized.
Your session has expired. Please re-login.
[wsgi:error] [pid 4909] ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
While a better server-side error would be nice, the main issue is the lack of an error being presented to the user. Even a basic "unauthorized" message would be sufficient.
This is with FreeIPA 4.5.2 on Fedora 25
This is caused by the following:
1) Ticket is obtained correctly -> endpoint login_password returns 200 -> No error shown
2) First API call fails -> 401 ... we do not handle this on the login page, therefore it cannot read the error message from the response and shows nothing.
A possible solution would be to switch out from the login page and show the IPA error dialog as usual.
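A triage check for the sequence described above (password login answered with 200, the first API call answered with 401), as an added example that is not part of the original ticket or of FreeIPA's code. It assumes Apache combined-style access-log lines, the request paths `/ipa/session/login_password` and `/ipa/session/json`, and correlation by client IP within a 10-second window; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Assumed request paths and correlation window; adjust to the deployment.
LOGIN_PATH = "/ipa/session/login_password"
API_PATH = "/ipa/session/json"
WINDOW = timedelta(seconds=10)

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed access-log lines (not taken from the ticket).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Sep/2017:10:01:02 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 -
10.0.0.5 - - [12/Sep/2017:10:01:03 +0000] "POST /ipa/session/json HTTP/1.1" 401 381
10.0.0.5 - - [12/Sep/2017:10:01:30 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 -
10.0.0.5 - - [12/Sep/2017:10:01:31 +0000] "POST /ipa/session/json HTTP/1.1" 401 381
10.0.0.9 - - [12/Sep/2017:10:02:00 +0000] "POST /ipa/session/login_password HTTP/1.1" 401 -
10.0.0.7 - - [12/Sep/2017:10:03:00 +0000] "POST /ipa/session/login_password HTTP/1.1" 200 -
10.0.0.7 - - [12/Sep/2017:10:03:01 +0000] "POST /ipa/session/json HTTP/1.1" 200 5120
"""


def find_unauthorized_logins(lines):
    """Return (ip, login_time, api_time) for each 200 login followed by a 401 API call."""
    pending = {}  # client IP -> timestamp of its last successful password login
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if path == LOGIN_PATH:
            if status == 200:
                pending[ip] = ts
            else:
                pending.pop(ip, None)  # failed login: nothing to correlate
        elif path == API_PATH and ip in pending:
            login_ts = pending.pop(ip)  # only the first API call after login counts
            if status == 401 and ts - login_ts <= WINDOW:
                hits.append((ip, login_ts, ts))
    return hits


if __name__ == "__main__":
    for ip, login_ts, api_ts in find_unauthorized_logins(SAMPLE_LOG.splitlines()):
        print(f"{ip}: login accepted {login_ts}, first API call rejected {api_ts}")
```

Each hit is a client whose credentials were accepted but whose session was then refused, which is the case the error log reports as "Invalid credentials".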
Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7
Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone