Display authentication error on login form with Combination Kerberos + LDAP
I have an issue similar to #1984 (closed) caused by the fix of #1867 (closed)
I use a configuration with Combination with Kerberos + LDAP as the authentication stack. The user does not have a Kerberos ticket, so he uses only the login form. If authentication fails, the error message is displayed on the error page, not the login page.
I tried this patch:
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
index a058e3ef3..44dbb6649 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@@ -264,6 +264,7 @@ sub display {
or ( $self->conf->{authentication} eq 'Combination'
and $req->{error} > PE_OK
and $req->{error} != PE_FIRSTACCESS
+ and $req->{error} != PE_BADCREDENTIALS
and $req->{error} != PE_PP_PASSWORD_EXPIRED )
# and ( $req->{error} == PE_TOKENEXPIRED or $req->{error} == PE_NOTOKEN )
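Review bot: the added `and $req->{error} != PE_BADCREDENTIALS` test applies to every Combination setup, whichever module returned the error, and nothing in the condition checks that the login form's security token was prepared for this request. Please add a comment saying why PE_BADCREDENTIALS is excluded here alongside PE_FIRSTACCESS and PE_PP_PASSWORD_EXPIRED, and either guard the exclusion on the token being present or make sure every path that returns PE_BADCREDENTIALS sets it first. The commented-out PE_TOKENEXPIRED / PE_NOTOKEN line in the trailing context should be removed or explained, since it leaves unclear whether those codes are still meant to be handled by this branch.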
It works well if the user login is correct and the password is incorrect, because the error is raised in the LDAP authentication backend and the call to setSecurity succeeds. When the user login is incorrect, the error occurs in the UserDB LDAP module, where we call this to load the security token:
    unless ( $req->data->{ldapentry} = $mesg->entry(0) ) {
        $self->userLogger->warn("$req->{user} was not found in LDAP directory");
        eval { $self->p->_authentication->setSecurity($req) };
        return PE_BADCREDENTIALS;
    }
Problem: I don't see where $self->p->_authentication is set in our code. It seems we have some loop:
- In Lemonldap/NG/Portal/Main/Process.pm, in sub setSessionInfo, $req->{sessionInfo}->{_auth} is filled by calling getModule
- In Lemonldap/NG/Portal/Main/Run.pm, in sub getModule, we call the sub name of the authentication module, which is Combination at this step
- In Lemonldap/NG/Portal/Auth/Combination.pm, in sub name, we read the value of $req->{sessionInfo}->{_auth}
Any idea is welcome.