All LDAP Bind errors are treated as a username/password problem #3777


Open
2 of 7 tasks
MCF opened this issue Apr 9, 2018 · 2 comments
Labels
topic/authentication type/proposal The new feature has not been accepted yet but needs to be discussed first.

Contributor

MCF commented Apr 9, 2018

  • Gitea version (or commit ref): 1.3.2
  • Git version: 2.15.1
  • Operating system: Windows Server 2012
  • Database (use [x]):
    • PostgreSQL
    • MySQL
    • MSSQL
    • SQLite
  • Can you reproduce the bug at https://try.gitea.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist:

Description

If LDAP bind fails for reasons other than the wrong username or password, the user interface will still return that as the error. For example, Active Directory servers are often configured with password retry limits; if they are exceeded, the LDAP directory will return an LDAP constraint violation (LDAP Result Code 19), and this error ends up in the server log. No amount of retrying the password will succeed, yet the user interface will return the "Incorrect username or password" error message.

I've had a look at the code around this and improving the error message to the user is not straightforward, and I wouldn't imagine this is a high priority. But I thought it might help others who run into the same problem to at least document it in an issue.

@lafriks added the type/enhancement (An improvement of existing functionality) and type/proposal (The new feature has not been accepted yet but needs to be discussed first.) labels and removed the type/enhancement label on Apr 9, 2018
Member

lafriks commented Apr 9, 2018

It has to be done very carefully so as not to disclose too much information. It's always a balance of security vs usability.

Contributor Author

MCF commented Apr 9, 2018

Yes, but I would think you could split it into a couple of buckets:

  1. bad username/password
  2. account may have a problem (password expired, locked due to too many retries).
  3. error connecting to ldap/authentication server

The 2nd and 3rd errors could have something in the error message like "please contact your sys admin" to push people in the right direction. I guess they will end up doing that anyway after retrying their username/password a number of times.
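The three-bucket split proposed above, written out as an added Go example (not Gitea's own code): `BindError` is a hypothetical stand-in for the LDAP client library's error type, the result-code numbers are the RFC 4511 values, and unknown codes deliberately fall back to the generic credentials message so that the directory's own text is only ever written to the server log.

```go
package main

import (
	"errors"
	"fmt"
)

// LDAP result codes (RFC 4511) relevant here; go-ldap exposes the same numbers.
const (
	ResultConstraintViolation uint16 = 19 // what AD returns once the retry limit is exceeded
	ResultInvalidCredentials  uint16 = 49
)
// BindError is a hypothetical stand-in for the client library's LDAP error type.
type BindError struct {
	ResultCode uint16
	Msg        string
}
func (e *BindError) Error() string { return fmt.Sprintf("LDAP result code %d: %s", e.ResultCode, e.Msg) }
// Bucket is the coarse category the login page is allowed to reveal.
type Bucket int
const (
	BucketBadCredentials    Bucket = iota // 1. wrong username/password
	BucketAccountProblem                  // 2. locked out, expired, policy violation
	BucketServerUnavailable               // 3. cannot reach or talk to the directory
)

// UserMessage is all the browser ever sees; nothing from the directory is echoed.
func (b Bucket) UserMessage() string {
	switch b {
	case BucketAccountProblem:
		return "There is a problem with your account. Please contact your system administrator."
	case BucketServerUnavailable:
		return "The authentication server is unavailable. Please contact your system administrator."
	}
	return "Incorrect username or password."
}

// ClassifyBindError sorts a failed bind into a bucket and returns the full error text
// for the server log only. Unknown LDAP result codes stay in the generic credentials
// bucket so an unfamiliar server response cannot leak account details to the user.
func ClassifyBindError(err error) (Bucket, string) {
	var be *BindError
	if !errors.As(err, &be) {
		return BucketServerUnavailable, err.Error() // connection refused, TLS, timeout: never a credential problem
	}
	if be.ResultCode == ResultConstraintViolation {
		return BucketAccountProblem, be.Error()
	}
	return BucketBadCredentials, be.Error() // code 49 and anything unrecognised
}
```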
