import cherrypy
import subprocess
+# Translate PAM errors into more human-digestible values and eventually
+# other languages.
+PAM_AUTH_ERRORS = {
+ "Authentication token is no longer valid; new one required":
+ "Password is expired",
+ "Authentication failure":
+ "Authentication failure",
+}
+
class Form(LoginFormBase):
if not user.is_anonymous:
return self.lm.auth_successful(self.trans, user.name, 'password')
else:
- try:
- error = cherrypy.request.headers['EXTERNAL_AUTH_ERROR']
- except KeyError:
- error = "Unknown error using external authentication"
- cherrypy.log.error("Error: %s" % error)
- return self.lm.auth_failed(self.trans)
+ error = cherrypy.request.wsgi_environ.get(
+ 'EXTERNAL_AUTH_ERROR',
+ 'Unknown error using external authentication'
+ )
+ error = PAM_AUTH_ERRORS.get(error, error)
+ cherrypy.log.error("Error: %s" % error)
+ return self.lm.auth_failed(self.trans, error)
class LoginManager(LoginManagerBase):
trans.wipe()
raise cherrypy.HTTPRedirect(redirect)
- def auth_failed(self, trans):
+ def auth_failed(self, trans, message=None):
# try with next module
next_login = self.next_login()
if next_login:
# destroy session and return error
if 'login_return' not in transdata:
session.logout(None)
- raise cherrypy.HTTPError(401)
+ raise cherrypy.HTTPError(401, message)
raise cherrypy.HTTPRedirect(transdata['login_return'])