From 91f3a2044bb45c29f9a5f771d21ed1c250116aee Mon Sep 17 00:00:00 2001
From: Gage Hugo
Date: Tue, 20 Jun 2017 16:13:33 -0500
Subject: [PATCH] Clarify LDAP invalid credentials exception
This change catches the invalid credentials exception when binding with LDAP and responds with a more clear error message of "Invalid username or password" instead of just supplying the default 500 error message.
Change-Id: I523dd816333ad76cde8f18ae0fa43040a4478524
Closes-Bug: #1684994
---
 keystone/exception.py | 5 +++++
 keystone/identity/backends/ldap/common.py | 2 ++
 keystone/tests/unit/test_backend_ldap.py | 7 +++++++
 releasenotes/notes/bug-1684994-264fb8f182ced180.yaml | 8 ++++++++
 4 files changed, 22 insertions(+)
 create mode 100644 releasenotes/notes/bug-1684994-264fb8f182ced180.yaml
diff --git a/keystone/exception.py b/keystone/exception.py
index 4f32e452c5..d5269bf1fd 100644
--- a/keystone/exception.py
+++ b/keystone/exception.py
@@ -603,3 +603,8 @@ class CredentialEncryptionError(Exception):
 class LDAPServerConnectionError(UnexpectedError):
 debug_message_format = _('Unable to establish a connection to '
 'LDAP Server (%(url)s).')
+
+
+class LDAPInvalidCredentialsError(UnexpectedError):
+ message_format = _('Unable to authenticate against Identity backend - '
+ 'Invalid username or password')
diff --git a/keystone/identity/backends/ldap/common.py b/keystone/identity/backends/ldap/common.py
index 52c39d3cf3..ae72fa31b3 100644
--- a/keystone/identity/backends/ldap/common.py
+++ b/keystone/identity/backends/ldap/common.py
@@ -1248,6 +1248,8 @@ class BaseLdap(object):
 conn.simple_bind_s()
 return conn
+ except ldap.INVALID_CREDENTIALS:
+ raise exception.LDAPInvalidCredentialsError()
 except ldap.SERVER_DOWN:
 raise exception.LDAPServerConnectionError(
 url=self.LDAP_URL)
diff --git a/keystone/tests/unit/test_backend_ldap.py b/keystone/tests/unit/test_backend_ldap.py
index 3f2652fdf3..56eb1ee9bf 100644
--- a/keystone/tests/unit/test_backend_ldap.py 
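Review bot: `LDAPInvalidCredentialsError` is declared with the same base as `LDAPServerConnectionError`, `UnexpectedError`, so only the wording changes while the response class stays whatever `UnexpectedError` carries — the commit description identifies that as the 500 error, and `UnexpectedError` itself is outside the hunk, so this is inferred. The exception is raised from one bind path that, judging by the no-argument `conn.simple_bind_s()` in the common.py hunk and the `end_user_auth=True` test, presumably serves both an end user's credentials and the backend's configured service bind; only the first of those is a client error, so a 500 for an end-user typo misleads clients and a generic "Invalid username or password" for a misconfigured bind DN misleads operators. At minimum the class should carry a docstring stating which case it represents, e.g. `"""Raised when the LDAP simple bind is rejected with ldap.INVALID_CREDENTIALS; covers both end-user and service-account bind credentials."""`. If end-user rejections are meant to surface as an authentication failure, deriving from keystone's existing 401 `Unauthorized` exception rather than `UnexpectedError` would be the cleaner fix.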
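Review bot: The new `except ldap.INVALID_CREDENTIALS` branch re-raises with no server-side record, so an operator whose configured bind credentials stop working (the no-argument `conn.simple_bind_s()` in the context above, presumably the service bind) gets only the generic client message and nothing in the log; the enclosing `get_connection` starts and ends outside the hunk. The neighbouring `SERVER_DOWN` branch at least attaches `self.LDAP_URL`, and the new branch discards the original exception entirely. Log the rejection before raising — never the password, but the URL and whether this was the end-user or the service bind — e.g. `LOG.debug('LDAP bind to %s rejected (INVALID_CREDENTIALS)', self.LDAP_URL)`, assuming the module has the usual module-level `LOG`. That log line is also what detection of repeated failed binds against the backend would key on, which the silent re-raise currently makes invisible.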
+++ b/keystone/tests/unit/test_backend_ldap.py
@@ -1054,6 +1054,13 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
 name=u'Default')
 self.assertEqual([default_domain], domains)
+ def test_authenticate_wrong_credentials(self):
+ self.assertRaises(exception.LDAPInvalidCredentialsError,
+ self.identity_api.driver.user.get_connection,
+ user='demo',
+ password='demo',
+ end_user_auth=True)
+
 def test_configurable_allowed_project_actions(self):
 domain = self._get_domain_fixture()
 project = unit.new_project_ref(domain_id=domain['id'])
diff --git a/releasenotes/notes/bug-1684994-264fb8f182ced180.yaml b/releasenotes/notes/bug-1684994-264fb8f182ced180.yaml
new file mode 100644
index 0000000000..b9950e9b72
--- /dev/null
+++ b/releasenotes/notes/bug-1684994-264fb8f182ced180.yaml
@@ -0,0 +1,8 @@
+---
+fixes:
+ - |
+ [`bug 1684994 `_]
+ This catches the ldap.INVALID_CREDENTIALS exception thrown when
+ trying to connect to an LDAP backend with an invalid username
+ or password, and emits a message back to the user instead of
+ the default 500 error message.
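Review bot: `test_authenticate_wrong_credentials` covers only the `end_user_auth=True` path with a literal `demo`/`demo` pair and asserts nothing beyond the exception type, so it relies on the fake LDAP backend rejecting that pair for a reason the test does not state; a reader cannot tell why `demo` is wrong. Add a one-line comment naming the reason, e.g. `# 'demo'/'demo' is not a bound user in the fake LDAP fixture, so the bind is rejected` (adjust to what the fixture actually sets up), and a second case for the service-bind path — `get_connection()` with no user/password after pointing the backend config at a wrong bind password — since the catch in common.py wraps both binds. It is also worth asserting that `str(exc)` does not contain the supplied password: the fixed `message_format` guarantees that today, and the assertion keeps a later change from leaking credentials into the client-visible message.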