Bug 1034781

Summary: LDAP Loging failure should show whether it was a username/password failure or and LDAP connection failure
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Catherine Robson <crobson>
Component: Domain ManagementAssignee: Brian Stansberry <brian.stansberry>
Status: CLOSED NOTABUG QA Contact: Petr Kremensky <pkremens>
Severity: unspecified Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified    
Version: 6.0.0CC: brian.stansberry, crobson, darran.lofthouse, emuckenh, hbraun
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-08 13:15:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Catherine Robson 2013-11-26 13:51:25 UTC 
Description of problem:
When using an LDAP service to log in, if the LDAP service is down there is no way for the user to determine this as we provide no error messaging towards this information.

I think we can add some error messaging to log-in that distinguishes between "username/password is incorrect' and "LDAP server cannot be reached for authentication" without compromising security of the system.


Version-Release number of selected component (if applicable):
6.0.0.Beta


Steps to Reproduce:
1. Have LDAP enabled
2. Bring down LDAP server
3. Attempt to log into EAP w/ username/password from LDAP
4. No information is shown to the user that the system cannot validate their username/password because LDAP is down, so the user will continue to try to log into the system thinking they mistyped their username/password somehow.
Comment 2 Catherine Robson 2014-06-09 12:25:04 UTC 
I believe I may have written in the wrong release number.  I had been testing 6.0.2.Beta I believe when I had submitted this bug.
Comment 3 Harald Pehl 2014-06-27 20:22:30 UTC 
As the login happens outside the console, this is something that should be handled on the server side.

@Darran can you comment on this.
Comment 4 Darran Lofthouse 2014-07-08 13:15:40 UTC 
I will not accept this as a bug as conveying additional information to a remote user about authentication failures whilst feeling like it enhances usability it inadvertently leads to the supply of information that can be used by an attacker for further attack attempts.

What I would however consider if raised as an RFE is enhancing the security realms so that they can verify they are ready to handle authentication requests, this would allow them to verify connectivity to LDAP.  

In the event that connectivity is not possible we could intercept all requests with a generic 'server not available' error message and log a message the server administrator can use to identify the cause.