From: Dave Page <[email protected]>
To: Khushboo Vashi <[email protected]>
Cc: Akshay Joshi <[email protected]>
Cc: pgadmin-hackers <[email protected]>
Subject: Re: Regarding #8580
Date: Fri, 9 May 2025 11:49:56 +0100
Message-ID: <CA+OCxozvoCo2f6XqOJxiw9Hwq7EK1MO431udfDF8PsHngicdWw@mail.gmail.com> (raw)
In-Reply-To: <CAFOhELcvwq05pWf9zZD7RPOCmjdPXXevWfdwp7aMk6dXG2am6g@mail.gmail.com>
References: <CANxoLDcQQbHcWJi3V7ENyysQ8JoCSoVD47Z+UJMTpF3b=PAp6g@mail.gmail.com>
	<CA+OCxox5DM_OaCa7MJYFYzc4BVmh9SCg_=s9jWLTmLUvWFzG+g@mail.gmail.com>
	<CAFOhELcvwq05pWf9zZD7RPOCmjdPXXevWfdwp7aMk6dXG2am6g@mail.gmail.com>

On Fri, 9 May 2025 at 11:34, Khushboo Vashi <[email protected]>
wrote:

>
>
> On Fri, May 9, 2025 at 3:23 PM Dave Page <[email protected]> wrote:
>
>> Hi
>>
>> On Fri, 9 May 2025 at 08:45, Akshay Joshi <[email protected]>
>> wrote:
>>
>>> Hi Hackers/Dave,
>>>
>>> I have started working on issue #8580
>>> <https://github.com/pgadmin-org/pgadmin4/issues/8580>, where the
>>> correct error message should be displayed based on the user's
>>> authentication source when an incorrect password is provided.
>>>
>>> *Actual Issue*: The admin has configured AUTHENTICATION_SOURCES =
>>> ['internal', 'ldap']. A user with the email [email protected] exists only as an
>>> internal user in the database, and there is no corresponding LDAP entry for
>>> this user. When this user attempts to log in with an incorrect password,
>>> the system first tries internal authentication, which fails. It then
>>> proceeds to check the next authentication source (LDAP), as per the
>>> configured logic. Since no matching LDAP user exists, an LDAP-related error
>>> is returned, even though the user is intended to be authenticated only
>>> internally. His/her account will never get locked.
>>>
>>> This behavior appears to be incorrect to me. I’m proposing two possible
>>> solutions to address it:
>>> *Solution 1 (Logic Changes): *
>>> *Scenario 1: ['internal', 'ldap']:*
>>>
>>>    - If a user exists in the database with the specified authentication
>>>    source (internal), attempt to authenticate using internal. If
>>>    authentication fails, return an error. No need to check for the LDAP or
>>>    next auth source.
>>>
>>> Yes.
>>
>>>
>>>    - If no user-auth source combination is found for internal, proceed
>>>    to the next authentication source (LDAP). Attempt LDAP login, and if
>>>    successful (and auto-create is enabled), create the user in the database.
>>>
>>> Yes.
>>
>>
>>> *Scenario 2: ['ldap', 'internal']*
>>>
>>>    - If the LDAP user does not exist in the database, but the same user
>>>    exists as an internal user, first try LDAP authentication. If it fails,
>>>    fall back to internal or the next configured auth source in the list.
>>>
>>> Yes.
>>
>>>
>>>    - If the LDAP user does exist in the database, attempt to
>>>    authenticate via LDAP. If LDAP authentication fails, return the error
>>>    without checking for the next authentication source.
>>>
>>> Yes.
>>
>
>
> If the user is registered for multiple authentications (per entries in our
> database), the next in line should be checked if one fails.
>

I think that's reasonable, but *only* in that case where there's another
source already present in the DB.

-- 
Dave Page
pgAdmin: https://www.pgadmin.org
PostgreSQL: https://www.postgresql.org
pgEdge: https://www.pgedge.com
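Added example, not pgAdmin's own code: a small Python model of the fallback rules Akshay proposes above, with Dave's caveat that an account registered for a source only falls through to a later source when the database also registers it for that later source. The user table, credentials, emails and function names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthResult:
    success: bool
    source: Optional[str]   # source that accepted, or whose error is reported
    error: Optional[str]
    created: bool = False   # True when a login on a non-registered source auto-creates the user

# Constructed sample data (assumption, not pgAdmin's own tables): the auth sources
# each account is registered for in the DB, and what each backend would accept.
USERS = {"alice@example.com": {"internal"}, "bob@example.com": {"internal", "ldap"}}
CREDS = {
    "internal": {"alice@example.com": "int-pass", "bob@example.com": "int-pass"},
    "ldap": {"bob@example.com": "ldap-pass", "carol@example.com": "ldap-pass"},
}

def backend_check(source, email, password):
    """Stand-in for a real backend call; returns (ok, error_message)."""
    if email not in CREDS[source]:
        return False, f"{source}: no such user"
    if CREDS[source][email] != password:
        return False, f"{source}: bad password"
    return True, None

def authenticate(email, password, configured_sources, users=USERS, check=backend_check):
    """Walk AUTHENTICATION_SOURCES in order and decide whether a failure is final."""
    registered = users.get(email, set())
    last_error = None
    for i, source in enumerate(configured_sources):
        ok, err = check(source, email, password)
        if ok:
            return AuthResult(True, source, None, created=source not in registered)
        last_error = err
        if source in registered:
            # The DB knows this user for this source, so the failure is final
            # (and the error reported is this source's) unless the DB also
            # registers the user for a later source in the list.
            if not any(s in registered for s in configured_sources[i + 1:]):
                return AuthResult(False, source, last_error)
        # Not registered here: fall through to the next configured source.
    return AuthResult(False, None, last_error)
```

With this model an internal-only user who mistypes their password gets the internal error under both ['internal', 'ldap'] and ['ldap', 'internal'], so lockout counting can stay with the internal source.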

