diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
index e241ad30d..830def054 100644
--- a/install/ui/src/freeipa/ipa.js
+++ b/install/ui/src/freeipa/ipa.js
@@ -498,7 +498,8 @@ IPA.login_password = function(username, password) {
 if (reason === 'password-expired' ||
 reason === 'denied' ||
 reason === 'krbprincipal-expired' ||
- reason === 'invalid-password') {
+ reason === 'invalid-password' ||
+ reason === 'user-locked') {
 result = reason;
 }
 }
diff --git a/install/ui/src/freeipa/widgets/LoginScreen.js b/install/ui/src/freeipa/widgets/LoginScreen.js
index a9f70cce7..56b388894 100644
--- a/install/ui/src/freeipa/widgets/LoginScreen.js
+++ b/install/ui/src/freeipa/widgets/LoginScreen.js
@@ -71,6 +71,8 @@ define(['dojo/_base/declare',
 invalid_password: "The password you entered is incorrect. ",
+ user_locked: "The user account you entered is locked. ",
+
 //nodes:
 login_btn_node: null,
 reset_btn_node: null,
@@ -240,6 +242,9 @@ define(['dojo/_base/declare',
 } else if (result === 'invalid-password') {
 password_f.set_value('');
 val_summary.add_error('login', this.invalid_password);
+ } else if (result === 'user-locked') {
+ password_f.set_value('');
+ val_summary.add_error('login', this.user_locked);
 } else {
 password_f.set_value('');
 val_summary.add_error('login', this.form_auth_failed);
diff --git a/ipalib/errors.py b/ipalib/errors.py
index 67ed2818f..52fa25f02 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -607,6 +607,12 @@ class KrbPrincipalExpired(SessionError):
 """
 errno = 1203
+class UserLocked(SessionError):
+ """
+ **1204** Raised when a user account is locked.
+ """
+ errno = 1204
+
 ##############################################################################
 # 2000 - 2999: Authorization errors
 class AuthorizationError(PublicError):
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 96f82d5e2..df6473669 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
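Review bot: The condition extended in the ipa.js hunk is now one of three places that must agree before 'user-locked' reaches the user: the server's `'user-locked'` rejection reason in rpcserver.py, this comparison chain, and the `result === 'user-locked'` branch in LoginScreen.js. Nothing in the hunk records that coupling, and a reason missing from either client list presumably ends up as the generic failure shown by the final `else` in LoginScreen.js. A comment above the `if` would help the next person who adds a reason, e.g. `// Rejection reasons the login screen handles; keep in sync with login_password in ipaserver/rpcserver.py and LoginScreen.js`. The enclosing function starts and ends outside the hunk.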
@@ -43,7 +43,7 @@ from ipalib.capabilities import VERSION_WITHOUT_CAPABILITIES
 from ipalib.backend import Executioner
 from ipalib.errors import (PublicError, InternalError, CommandError, JSONError,
 CCacheError, RefererError, InvalidSessionPassword, NotFound, ACIError,
- ExecutionError, PasswordExpired, KrbPrincipalExpired)
+ ExecutionError, PasswordExpired, KrbPrincipalExpired, UserLocked)
 from ipalib.request import context, destroy_context
 from ipalib.rpc import (xml_dumps, xml_loads,
 json_encode_binary, json_decode_binary)
@@ -954,6 +954,11 @@ class login_password(Backend, KerberosSession, HTTP_Status):
 start_response,
 str(e),
 'krbprincipal-expired')
+ except UserLocked as e:
+ return self.unauthorized(environ,
+ start_response,
+ str(e),
+ 'user-locked')
 return self.finalize_kerberos_acquisition('login_password', ipa_ccache_name, environ, start_response)
@@ -993,9 +998,14 @@ class login_password(Backend, KerberosSession, HTTP_Status):
 ' has expired while getting initial credentials') in str(e):
 raise KrbPrincipalExpired(principal=principal,
 message=unicode(e))
+ elif ('kinit: Clients credentials have been revoked '
+ 'while getting initial credentials') in str(e):
+ raise UserLocked(principal=principal,
+ message=unicode(e))
 raise InvalidSessionPassword(principal=principal,
 message=unicode(e))
+
 class change_password(Backend, HTTP_Status):
 content_type = 'text/plain'
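Review bot: The new `except UserLocked` branch hands a distinct `'user-locked'` rejection reason to a caller that has not authenticated, so the login endpoint now tells anyone who submits a username whether that account is locked, which also confirms that it exists. The ipa.js and LoginScreen.js hunks surface it as "The user account you entered is locked." If the disclosure is intended, record the decision at the handler, e.g. `# Deliberately reveals lock state to unauthenticated clients; revisit if the login form is exposed beyond the trusted network`, and confirm that rejected logins on this path are logged so a lockout can be traced to its source. `str(e)`, which carries the raw kinit message, is also passed to `unauthorized()` as in the branch above; what that method sends back to the client is outside the hunk.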
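Review bot: The lockout detection in the added `elif` matches an English sentence from kinit's output, `'kinit: Clients credentials have been revoked while getting initial credentials'`, so it silently falls through to `InvalidSessionPassword` if kinit runs under another locale or the wording changes; whether the call forces a fixed locale is outside the hunk. As far as I know the KDC returns this same error for administratively disabled principals too, so `UserLocked` and the UI text may describe a disabled account as locked. I would state both above the `elif`, e.g. `# Matches kinit's C-locale text for KDC_ERR_CLIENT_REVOKED (lockout or disabled principal)`. The enclosing method starts outside the hunk.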