From: Khushboo Vashi
Date: Fri, 9 May 2025 16:03:50 +0530
Subject: Re: Regarding #8580
To: Dave Page <dpage@pgadmin.org>
Cc: Akshay Joshi <akshay.joshi@enterprisedb.com>, pgadmin-hackers

On Fri, May 9, 2025 at 3:23 PM Dave Page wrote:
> Hi
>
> On Fri, 9 May 2025 at 08:45, Akshay Joshi wrote:
>> Hi Hackers/Dave,
>>
>> I have started working on issue #8580, where the correct error message
>> should be displayed based on the user's authentication source when an
>> incorrect password is provided.
>>
>> *Actual Issue*: The admin has configured AUTHENTICATION_SOURCES =
>> ['internal', 'ldap']. A user with the email a@xyz.com exists only as an
>> internal user in the database, and there is no corresponding LDAP entry
>> for this user. When this user attempts to log in with an incorrect
>> password, the system first tries internal authentication, which fails.
>> It then proceeds to check the next authentication source (LDAP), as per
>> the configured logic. Since no matching LDAP user exists, an LDAP-related
>> error is returned, even though the user is intended to be authenticated
>> only internally. His/her account will never get locked.
>>
>> This behavior appears to be incorrect to me. I'm proposing two possible
>> solutions to address it:
>>
>> *Solution 1 (Logic Changes):*
>>
>> *Scenario 1: ['internal', 'ldap']:*
>>
>>   - If a user exists in the database with the specified authentication
>>     source (internal), attempt to authenticate using internal. If
>>     authentication fails, return an error. No need to check for the LDAP
>>     or next auth source.
>
> Yes.
>
>>   - If no user-auth source combination is found for internal, proceed to
>>     the next authentication source (LDAP). Attempt LDAP login, and if
>>     successful (and auto-create is enabled), create the user in the
>>     database.
>
> Yes.
>
>> *Scenario 2: ['ldap', 'internal']*
>>
>>   - If the LDAP user does not exist in the database, but the same user
>>     exists as an internal user, first try LDAP authentication. If it
>>     fails, fall back to internal or the next configured auth source in
>>     the list.
>
> Yes.
>
>>   - If the LDAP user does exist in the database, attempt to authenticate
>>     via LDAP. If LDAP authentication fails, return the error without
>>     checking for the next authentication source.
>
> Yes.

If the user is registered for multiple authentications (per entries in our
database), the next in line should be checked if one fails.

>> *Note:* In the above approach, it is the administrator's responsibility
>> to configure the order of authentication sources appropriately.
>
> Agreed.
>
>> *Solution 2 (GUI Changes):* Add a single login button with a drop-down
>> menu to select the authentication source (e.g., "Internal", "LDAP") on
>> the login page, as we already display N buttons for N OAuth2
>> configurations, which can be removed for a cleaner user experience.
>> OR
>> Alternatively, add a separate button labeled "Login with LDAP" to
>> explicitly trigger LDAP authentication.
>
> I don't like this solution, as it requires the end user to understand how
> their admin has set up the backend authentication. That seems like
> something they shouldn't need to concern themselves with.
>
> --
> Dave Page
> pgAdmin: https://www.pgadmin.org
> PostgreSQL: https://www.postgresql.org
> pgEdge: https://www.pgedge.com
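The source walk that Akshay lays out under Solution 1, together with Khushboo's refinement for a user registered under more than one source, as an added worked example in Python. This is illustrative code written for this page, not pgAdmin's implementation: the UserRecord layout, the MAX_FAILED_ATTEMPTS threshold, the dictionary-backed "internal" and "ldap" backends, and the e-mail/password values are all assumptions made for the example. The point it makes runnable is the one in the bug report: a failure on a source the user is registered for is reported as that source's error and counted against the account (so lockout can happen), while a failure on a source the user is not registered for is merely skipped.

```python
"""Ordered AUTHENTICATION_SOURCES resolution (example, not pgAdmin code)."""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumed lockout threshold for the example; pgAdmin's own limit is separate.
MAX_FAILED_ATTEMPTS = 3

# (email, password) -> True on success. Real backends would verify a password
# hash or bind to an LDAP server; here they are dictionaries (constructed data).
Backend = Callable[[str, str], bool]


@dataclass
class UserRecord:
    """One user row: which auth sources the user is registered for."""
    email: str
    auth_sources: List[str]
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AuthResult:
    ok: bool
    source: Optional[str]   # the source whose answer is reported to the user
    message: str
    created: bool = False


def make_backends() -> Dict[str, Backend]:
    """Constructed stand-ins for the internal password store and an LDAP directory."""
    internal_passwords = {"a@xyz.com": "internal-pass"}
    ldap_directory = {"b@xyz.com": "ldap-pass"}

    def check(store: Dict[str, str], email: str, password: str) -> bool:
        expected = store.get(email)
        return expected is not None and hmac.compare_digest(
            expected.encode(), password.encode())

    return {"internal": lambda e, p: check(internal_passwords, e, p),
            "ldap": lambda e, p: check(ldap_directory, e, p)}


def authenticate(email: str, password: str, sources: List[str],
                 users: Dict[str, UserRecord], backends: Dict[str, Backend],
                 auto_create: bool = True) -> AuthResult:
    """Walk `sources` in configured order.

    A source the user is registered for is authoritative: its failure is the
    error the user sees, counts toward lockout, and ends the walk unless the
    user is also registered for a later source (then that one is tried too).
    A source the user is not registered for is tried only so an external
    directory can claim the login; its failure is skipped, not reported.
    """
    user = users.get(email)
    if user is not None and user.locked:
        return AuthResult(False, None, "account is locked")
    # Registered sources still to be tried, in configured order.
    pending = [s for s in sources if user is not None and s in user.auth_sources]
    registered_error: Optional[AuthResult] = None

    for src in sources:
        if backends[src](email, password):
            if user is None:
                if not auto_create:
                    return AuthResult(False, src, "user is not registered")
                users[email] = UserRecord(email, [src])
                return AuthResult(True, src, "authenticated", created=True)
            user.failed_attempts = 0
            return AuthResult(True, src, "authenticated")
        if src in pending:
            pending.remove(src)
            registered_error = AuthResult(False, src, f"{src}: invalid credentials")
            if not pending:
                break   # no further source this user belongs to: stop here
        # Not registered for src: keep walking (Scenario 2, first bullet).

    if registered_error is not None:
        user.failed_attempts += 1   # one failed login, however many sources ran
        if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
            user.locked = True
            return AuthResult(False, registered_error.source, "account is locked")
        return registered_error
    # Known nowhere: a generic message avoids confirming whether the address
    # exists (the example's choice; the thread does not specify this case).
    return AuthResult(False, None, "invalid credentials")


if __name__ == "__main__":
    backends = make_backends()
    users = {"a@xyz.com": UserRecord("a@xyz.com", ["internal"])}
    for pw in ("wrong", "internal-pass"):
        r = authenticate("a@xyz.com", pw, ["internal", "ldap"], users, backends)
        print(f"['internal','ldap'] a@xyz.com/{pw}: {r}")
    r = authenticate("a@xyz.com", "wrong", ["ldap", "internal"], users, backends)
    print(f"['ldap','internal'] a@xyz.com/wrong: {r}")
```

Running the demo shows the wrong-password attempt for a@xyz.com answered by "internal" under both orderings, with failed_attempts incremented on the user row; the LDAP miss is never surfaced because that user is not an LDAP user.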