connectors/ldap: treat 'constraint violation' on bind as bad credentials #1285

@srenatus srenatus commented Sep 4, 2018

Some directory servers (I think it's Oracle) return

    Constraint Violation: Exceed password retry limit. Account locked.

when attempting to login too many times. While constraint violation can
mean many things, we're checking this as an error on BIND, so it's
more likely that something like this has happened than any other thing.

Hence, we should treat it as an "incorrect password" situation, not an
internal error.

It would of course be preferable to surface more information about this
precise error (and similar ones), but I think this is beyond this small
change.

(This is some prior art: vesse/passport-ldapauth#21 )

@srenatus srenatus self-assigned this Sep 4, 2018
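
The classification argued for in the description above, as an added example that is not dex's code and not part of this pull request. `ldapError`, `classify` and the outcome names are hypothetical; the result codes are the ones defined in RFC 4511.

```go
package main

import (
	"errors"
	"fmt"
)

// LDAP result codes from RFC 4511, Appendix A.
const (
	resultConstraintViolation = 19
	resultInvalidCredentials  = 49
	resultUnavailable         = 52
)

// ldapError is a hypothetical stand-in for a client library's error type.
type ldapError struct {
	Code uint16
	Diag string // server's diagnostic message
}

func (e *ldapError) Error() string { return fmt.Sprintf("LDAP result %d: %s", e.Code, e.Diag) }

const (
	loginOK        = "ok"
	badCredentials = "bad credentials"
	internalError  = "internal error"
)

// classify maps the error from LDAP operation op to a login outcome. A constraint
// violation counts as a failed login only on "bind", never on other operations.
func classify(op string, err error) string {
	var le *ldapError
	switch {
	case err == nil:
		return loginOK
	case !errors.As(err, &le) || op != "bind":
		return internalError // network failure, or not a bind result
	case le.Code == resultInvalidCredentials, le.Code == resultConstraintViolation:
		return badCredentials
	}
	return internalError
}

func main() {
	// Constructed sample: the lockout response quoted in the description.
	locked := &ldapError{Code: resultConstraintViolation, Diag: "Exceed password retry limit. Account locked."}
	fmt.Println(classify("bind", fmt.Errorf("bind failed: %w", locked))) // bad credentials
	fmt.Println(classify("modify", locked))                             // internal error
}
```
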
@ericchiang ericchiang left a comment

lgtm

We're going to have to fix travis first though :)

Some directory servers (I think it's Oracle) return

    Constraint Violation: Exceed password retry limit. Account locked.

when attempting to login too many times. While constraint violation can
mean many things, we're checking this as an error on BIND, so it's
more likely that something like this has happened than any other thing.

Hence, we should treat it as an "incorrect password" situation, not an
internal error.

It would of course be preferable to surface more information about this
precise error (and similar ones), but I think this is beyond this small
change.

Signed-off-by: Stephan Renatus <srenatus@chef.io>
@srenatus srenatus force-pushed the sr/ldap/treat-bind-constraint-violation-as-bad-login branch from 2d701b1 to 6a2d4ab Compare September 5, 2018 08:03
srenatus commented Sep 5, 2018

I feel like I'm skipping the queue, but since the change is quite minimal, I'll merge this. (A quick look around didn't reveal any low-hanging fruit in terms of improving test coverage for this, so, let's leave it at that.)

@srenatus srenatus merged commit 974617a into dexidp:master Sep 5, 2018
@srenatus srenatus deleted the sr/ldap/treat-bind-constraint-violation-as-bad-login branch September 5, 2018 08:18
mmrath pushed a commit to mmrath/dex that referenced this pull request Sep 2, 2019
…raint-violation-as-bad-login

connectors/ldap: treat 'constraint violation' on bind as bad credentials