Clarify LDAP invalid credentials exception

This change catches the invalid credentials exception when binding with LDAP and responds with a more clear error message of "Invalid username or password" instead of just supplying the default 500 error message. Change-Id: I523dd816333ad76cde8f18ae0fa43040a4478524 Closes-Bug: #1684994
2017-06-20 16:13:33 -05:00 · 2017-06-20 16:13:33 -05:00 · 91f3a2044b
commit 91f3a2044b
parent 9070172084
4 changed files with 22 additions and 0 deletions
--- a/keystone/exception.py
+++ b/keystone/exception.py
@ -603,3 +603,8 @@ class CredentialEncryptionError(Exception):
 class LDAPServerConnectionError(UnexpectedError):
    debug_message_format = _('Unable to establish a connection to '
                             'LDAP Server (%(url)s).')
+
+
+class LDAPInvalidCredentialsError(UnexpectedError):
+    message_format = _('Unable to authenticate against Identity backend - '
+                       'Invalid username or password')
--- a/keystone/identity/backends/ldap/common.py
+++ b/keystone/identity/backends/ldap/common.py
@ -1248,6 +1248,8 @@ class BaseLdap(object):
                conn.simple_bind_s()

            return conn
+        except ldap.INVALID_CREDENTIALS:
+            raise exception.LDAPInvalidCredentialsError()
        except ldap.SERVER_DOWN:
            raise exception.LDAPServerConnectionError(
                url=self.LDAP_URL)
--- a/keystone/tests/unit/test_backend_ldap.py
+++ b/keystone/tests/unit/test_backend_ldap.py
@ -1054,6 +1054,13 @@ class LDAPIdentity(BaseLDAPIdentity, unit.TestCase):
            name=u'Default')
        self.assertEqual([default_domain], domains)

+    def test_authenticate_wrong_credentials(self):
+        self.assertRaises(exception.LDAPInvalidCredentialsError,
+                          self.identity_api.driver.user.get_connection,
+                          user='demo',
+                          password='demo',
+                          end_user_auth=True)
+
    def test_configurable_allowed_project_actions(self):
        domain = self._get_domain_fixture()
        project = unit.new_project_ref(domain_id=domain['id'])
--- a/releasenotes/notes/bug-1684994-264fb8f182ced180.yaml
+++ b/releasenotes/notes/bug-1684994-264fb8f182ced180.yaml
@ -0,0 +1,8 @@
+---
+fixes:
+  - |
+    [`bug 1684994 <https://bugs.launchpad.net/keystone/+bug/1684994>`_]
+    This catches the ldap.INVALID_CREDENTIALS exception thrown when
+    trying to connect to an LDAP backend with an invalid username
+    or password, and emits a message back to the user instead of
+    the default 500 error message.