Hi Hackers/Dave, I have started working on issue #8580 <https://github.com/pgadmin-org/pgadmin4/issues/8580>, where the correct error message should be displayed based on the user's authentication source when an incorrect password is provided.
*Actual Issue*: The admin has configured AUTHENTICATION_SOURCES = ['internal', 'ldap']. A user with the email a...@xyz.com exists only as an internal user in the database, and there is no corresponding LDAP entry for this user. When this user attempts to log in with an incorrect password, the system first tries internal authentication, which fails. It then proceeds to check the next authentication source (LDAP), as per the configured logic. Since no matching LDAP user exists, an LDAP-related error is returned, even though the user is intended to be authenticated only internally. His/her account will never get locked. This behavior appears to be incorrect to me. I’m proposing two possible solutions to address it: *Solution 1 (Logic Changes): * *Scenario 1: ['internal', 'ldap']:* - If a user exists in the database with the specified authentication source (internal), attempt to authenticate using internal. If authentication fails, return an error. No need to check for the LDAP or next auth source. - If no user-auth source combination is found for internal, proceed to the next authentication source (LDAP). Attempt LDAP login, and if successful (and auto-create is enabled), create the user in the database. *Scenario 2: ['ldap', 'internal']* - If the LDAP user does not exist in the database, but the same user exists as an internal user, first try LDAP authentication. If it fails, fall back to internal or the next configured auth source in the list. - If the LDAP user does exist in the database, attempt to authenticate via LDAP. If LDAP authentication fails, return the error without checking for the next authentication source. *Note:* - In the above approach, it is the administrator's responsibility to configure the order of authentication sources appropriately. *Solution 2 (GUI Changes): *Add a single login button with a drop-down menu to select the authentication source (e.g., "Internal", "LDAP") on the login page, as we already display N buttons for N OAuth2 configurations, which can be removed for a cleaner user experience. OR Alternatively, add a separate button labeled "Login with LDAP" to explicitly trigger LDAP authentication. Need your inputs/suggestions on this. Akshay Joshi Principal Engineer | Engineering Manager | pgAdmin Hacker enterprisedb.com * Blog*: https://www.enterprisedb.com/akshay-joshi * GitHub*: https://github.com/akshay-joshi * LinkedIn*: https:// <http://goog_373708537> www.linkedin.com/in/akshay-joshi-a9317b14
