Description of problem:
When using an LDAP service to log in, if the LDAP service is down there is no way for the user to determine this, as we provide no error messaging towards this information. I think we can add some error messaging to log-in that distinguishes between "username/password is incorrect" and "LDAP server cannot be reached for authentication" without compromising security of the system.

Version-Release number of selected component (if applicable):
6.0.0.Beta

Steps to Reproduce:
1. Have LDAP enabled
2. Bring down LDAP server
3. Attempt to log into EAP w/ username/password from LDAP
4. No information is shown to the user that the system cannot validate their username/password because LDAP is down, so the user will continue to try to log into the system thinking they mistyped their username/password somehow.
I believe I may have written the wrong release number. I had been testing 6.0.2.Beta, I believe, when I submitted this bug.
As the login happens outside the console, this is something that should be handled on the server side. @Darran, can you comment on this?
I will not accept this as a bug, as conveying additional information to a remote user about authentication failures, whilst feeling like it enhances usability, inadvertently leads to the supply of information that can be used by an attacker for further attack attempts. What I would, however, consider if raised as an RFE is enhancing the security realms so that they can verify they are ready to handle authentication requests; this would allow them to verify connectivity to LDAP. In the event that connectivity is not possible, we could intercept all requests with a generic 'server not available' error message and log a message the server administrator can use to identify the cause.
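The response pattern described in the comment above, as an added example that is not part of this bug report or of EAP's own code: a security realm that performs a readiness check against its directory before accepting logins, returns the same generic message to the remote user whether the username is unknown or the password is wrong, maps a directory outage (at readiness time or mid-request) to a generic "server not available" response that does not name LDAP, and writes the actual cause only to the server log. The `FakeLdapBackend`, the `LdapSecurityRealm` class, the `login` function and the user/password data are all constructed for this illustration and assume nothing about the real EAP security-realm API.

```python
import logging
from enum import Enum

log = logging.getLogger("security-realm")


class LdapUnavailable(Exception):
    """Raised by the (hypothetical) LDAP backend when the directory cannot be reached."""


class FakeLdapBackend:
    """Constructed stand-in for an LDAP directory; not a real LDAP client.

    `up` simulates reachability. `drop_after_ping` makes the first ping succeed
    and then takes the directory down, simulating a connection lost between
    the readiness check and the bind.
    """

    def __init__(self, users, up=True, drop_after_ping=False):
        self.users = users          # username -> password (constructed sample data)
        self.up = up
        self.drop_after_ping = drop_after_ping

    def ping(self):
        if not self.up:
            raise LdapUnavailable("connection refused: ldap://directory.example:389")
        if self.drop_after_ping:
            self.up = False

    def bind(self, username, password):
        self.ping()
        return self.users.get(username) == password


class AuthOutcome(Enum):
    SUCCESS = "success"
    INVALID_CREDENTIALS = "invalid_credentials"   # unknown user OR wrong password
    REALM_UNAVAILABLE = "realm_unavailable"


class LdapSecurityRealm:
    def __init__(self, backend):
        self.backend = backend

    def is_ready(self):
        """Readiness check: confirm directory connectivity before handling logins."""
        try:
            self.backend.ping()
            return True
        except LdapUnavailable as exc:
            # The detailed cause is for the administrator, never for the remote user.
            log.error("security realm not ready: %s", exc)
            return False

    def authenticate(self, username, password):
        try:
            bound = self.backend.bind(username, password)
        except LdapUnavailable as exc:
            # Connectivity lost after the readiness check: log the detail, return a
            # generic outcome so the HTTP layer cannot accidentally leak it.
            log.error("LDAP unreachable during authentication for %r: %s", username, exc)
            return AuthOutcome.REALM_UNAVAILABLE
        if bound:
            return AuthOutcome.SUCCESS
        # Deliberately identical outcome for "no such user" and "bad password".
        return AuthOutcome.INVALID_CREDENTIALS


# The only two failure responses a remote user ever sees; neither names the backend.
GENERIC_UNAVAILABLE = (503, "Server not available")
GENERIC_INVALID = (401, "Invalid username or password")


def login(realm, username, password):
    """Map realm outcomes to the responses a remote user is allowed to see."""
    if not realm.is_ready():
        return GENERIC_UNAVAILABLE
    outcome = realm.authenticate(username, password)
    if outcome is AuthOutcome.SUCCESS:
        return (200, "OK")
    if outcome is AuthOutcome.REALM_UNAVAILABLE:
        return GENERIC_UNAVAILABLE
    return GENERIC_INVALID


def run_scenarios():
    """Exercise the four cases the thread discusses; returns {scenario: response}."""
    users = {"alice": "s3cret"}   # constructed sample credentials
    return {
        "good_password": login(LdapSecurityRealm(FakeLdapBackend(users)), "alice", "s3cret"),
        "wrong_password": login(LdapSecurityRealm(FakeLdapBackend(users)), "alice", "nope"),
        "unknown_user": login(LdapSecurityRealm(FakeLdapBackend(users)), "mallory", "nope"),
        "ldap_down": login(LdapSecurityRealm(FakeLdapBackend(users, up=False)), "alice", "s3cret"),
        "ldap_drops_mid_request": login(
            LdapSecurityRealm(FakeLdapBackend(users, drop_after_ping=True)), "alice", "s3cret"),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for name, response in run_scenarios().items():
        print(f"{name:24} -> {response}")
```

Running the block prints one line per scenario; the `wrong_password` and `unknown_user` lines are identical, and both outage lines carry the same "Server not available" text while the `security-realm` logger records the connection error for the administrator.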