public inbox for [email protected]
help / color / mirror / Atom feedFrom: Dave Page <[email protected]>
To: Akshay Joshi <[email protected]>
Cc: pgadmin-hackers <[email protected]>
Subject: Re: Regarding #8580
Date: Fri, 9 May 2025 10:53:05 +0100
Message-ID: <CA+OCxox5DM_OaCa7MJYFYzc4BVmh9SCg_=s9jWLTmLUvWFzG+g@mail.gmail.com> (raw)
In-Reply-To: <CANxoLDcQQbHcWJi3V7ENyysQ8JoCSoVD47Z+UJMTpF3b=PAp6g@mail.gmail.com>
References: <CANxoLDcQQbHcWJi3V7ENyysQ8JoCSoVD47Z+UJMTpF3b=PAp6g@mail.gmail.com>
Hi
On Fri, 9 May 2025 at 08:45, Akshay Joshi <[email protected]>
wrote:
> Hi Hackers/Dave,
>
> I have started working on issue #8580
> <https://github.com/pgadmin-org/pgadmin4/issues/8580;, where the correct
> error message should be displayed based on the user's authentication source
> when an incorrect password is provided.
>
> *Actual Issue*: The admin has configured AUTHENTICATION_SOURCES =
> ['internal', 'ldap']. A user with the email [email protected] exists only as an
> internal user in the database, and there is no corresponding LDAP entry for
> this user. When this user attempts to log in with an incorrect password,
> the system first tries internal authentication, which fails. It then
> proceeds to check the next authentication source (LDAP), as per the
> configured logic. Since no matching LDAP user exists, an LDAP-related error
> is returned, even though the user is intended to be authenticated only
> internally. His/her account will never get locked.
>
> This behavior appears to be incorrect to me. I’m proposing two possible
> solutions to address it:
> *Solution 1 (Logic Changes): *
> *Scenario 1: ['internal', 'ldap']:*
>
> - If a user exists in the database with the specified authentication
> source (internal), attempt to authenticate using internal. If
> authentication fails, return an error. No need to check for the LDAP or
> next auth source.
>
> Yes.
>
> - If no user-auth source combination is found for internal, proceed to
> the next authentication source (LDAP). Attempt LDAP login, and if
> successful (and auto-create is enabled), create the user in the database.
>
> Yes.
> *Scenario 2: ['ldap', 'internal']*
>
> - If the LDAP user does not exist in the database, but the same user
> exists as an internal user, first try LDAP authentication. If it fails,
> fall back to internal or the next configured auth source in the list.
>
> Yes.
>
> - If the LDAP user does exist in the database, attempt to authenticate
> via LDAP. If LDAP authentication fails, return the error without checking
> for the next authentication source.
>
> Yes.
> *Note:* - In the above approach, it is the administrator's responsibility
> to configure the order of authentication sources appropriately.
>
Agreed.
>
> *Solution 2 (GUI Changes): *Add a single login button with a drop-down
> menu to select the authentication source (e.g., "Internal", "LDAP") on the
> login page, as we already display N buttons for N OAuth2 configurations,
> which can be removed for a cleaner user experience.
> OR
> Alternatively, add a separate button labeled "Login with LDAP" to
> explicitly trigger LDAP authentication.
>
I don't like this solution, as it requires the end user to understand how
their admin has setup the backend authentication. That seems like something
they shouldn't need to concern themselves with.
--
Dave Page
pgAdmin: https://www.pgadmin.org
PostgreSQL: https://www.postgresql.org
pgEdge: https://www.pgedge.com
reply
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Reply to all the recipients using the --to and --cc options:
reply via email
To: [email protected]
Cc: [email protected], [email protected]
Subject: Re: Regarding #8580
In-Reply-To: <CA+OCxox5DM_OaCa7MJYFYzc4BVmh9SCg_=s9jWLTmLUvWFzG+g@mail.gmail.com>
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox