From 4010a7e7a0ebde7d7ec59ea2e255b3ce3177f4be Mon Sep 17 00:00:00 2001
From: mjansen
Date: Tue, 30 Jun 2026 09:49:47 +0200
Subject: [PATCH] [FIX] Auth: Skip login-attempt counting for accounts without local auth

See: https://mantis.ilias.de/view.php?id=47987
---
 .../classes/Frontend/class.ilAuthFrontend.php | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/components/ILIAS/Authentication/classes/Frontend/class.ilAuthFrontend.php b/components/ILIAS/Authentication/classes/Frontend/class.ilAuthFrontend.php
index 096ab5b14666..99c8ef0e08c5 100755
--- a/components/ILIAS/Authentication/classes/Frontend/class.ilAuthFrontend.php
+++ b/components/ILIAS/Authentication/classes/Frontend/class.ilAuthFrontend.php
@@ -458,7 +458,19 @@ protected function handleLoginAttempts(): void
 $usr_id_candidates = [];
 foreach (array_filter($auth_modes) as $auth_mode) {
 if ((int) $auth_mode === ilAuthUtils::AUTH_LOCAL) {
- $usr_id_candidates[] = ilObjUser::_lookupId($this->getCredentials()->getUsername());
+ $local_usr_id = ilObjUser::_lookupId($this->getCredentials()->getUsername());
+ // Mantis #47987: A failed local login must only count against an
+ // account that can actually be authenticated locally. Without this
+ // check, external accounts (e.g., Shibboleth/SAML) whose login name
+ // is entered in the local login form get their login attempts
+ // incremented and are eventually deactivated - even though a local
+ // login is impossible for them because "Allow Local Authentication"
+ // is disabled. This mirrors the gate in ilAuthProviderDatabase.
+ if (is_int($local_usr_id) && $local_usr_id > 0 && ilAuthUtils::isLocalPasswordEnabledForAuthMode(
+ (int) ilAuthUtils::_getAuthMode(ilObjUser::_lookupAuthMode($local_usr_id))
+ )) {
+ $usr_id_candidates[] = $local_usr_id;
+ }
 continue;
 }
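Review bot: The new gate in the AUTH_LOCAL branch fails open without leaving a trace: when `is_int($local_usr_id) && $local_usr_id > 0 && ilAuthUtils::isLocalPasswordEnabledForAuthMode(...)` is false, the failed attempt is neither counted nor logged in this hunk, so repeated guesses against an external account's login name through the local form produce no signal here, and a regression in either lookup would switch off lockout counting silently. An `else` branch with a log line, for example `} else { $this->logger->info('Login attempt not counted: local authentication is not enabled for this account'); }` (assuming the class logger is usable at this point), would keep that visible to monitoring. The strict `is_int()` test is also worth confirming against the declared return type of `ilObjUser::_lookupId()`, since a numeric string would skip counting for every local account. handleLoginAttempts() starts and ends outside the hunk, so the later use of `$usr_id_candidates` is not visible.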