@Emmanuel, sure, I have a dialogue with them as well, but since I know they use the Apache Directory LDAP API and (most of) the debug logs are from `org.apache.directory`, I am trying to understand the behavior of the LDAP API interacting with Active Directory. I would expect many other users of the LDAP API to be facing the same issue with the AD flag pwdLastSet=0, and wonder if anyone has a solution for it.

Checked the LDAP API source and it says:

```
/**
 * This error code is returned if the Dn or password used in a simple bind
 * operation is incorrect, or if the Dn or password is incorrect for some
 * other reason, e.g. the password has expired. This result code only
 * applies to Bind operations -- it should not be returned for other
 * operations if the client does not have sufficient permission to perform
 * the requested operation - in this case the return code should be
 * insufficientAccessRights.
 *
 * Applicable operations: Bind.
 * Result code type: Specific (Security)
 */
INVALID_CREDENTIALS(49, "invalidCredentials"),
```

Since the user with `pwdLastSet=0` has a "single-password-to-use-to-change-password", I get the feeling that INVALID_CREDENTIALS is not the correct error code.

I tested running an application on Windows; it didn't work, but at least the error code is much clearer:

```
C:\>runas /u:OUR_DOMAIN\dft9000 notepad.exe
Enter the password for OUR_DOMAIN\dft9000:
Attempting to start notepad.exe as user "OUR_DOMAIN\dft9000" ...
RUNAS ERROR: Unable to run - notepad.exe
1907: The user's password must be changed before signing in.
```

Regards
Joacim

On Thu, May 6, 2021 at 1:29 PM Emmanuel Lécharny <elecha...@gmail.com> wrote:
>
> Hi,
>
> I will focus on the important part of your message :
>
> "We are using a commercial IdP product (Curity)"
>
> The best you can do is to ask them about the error you've got.
>
>
>
>
> On 06/05/2021 09:43, 4 Integration wrote:
> > Hi,
> >
> > We are using a commercial IdP product (Curity) which in turn uses
> > Apache Directory API and we integrate with our Active Directory (AD).
> > When adding new accounts/users in AD we set the flag `pwdLastSet=0`
> > (or as in AD "User must change password at next logon") and a default
> > password.
> >
> > When I try to log in I get `INVALID_CREDENTIALS` and no indication to
> > change password.
> >
> > Shouldn't the error be something else to be able to act on it?
> > Any other way to handle "Force password change on next logon"?
> >
> > Log snippet (more complete logs attached)
> > ```
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition from state <BIND_RESPONSE_STATE> to state <RESULT_CODE_BR_STATE>, tag <0x0A>, action : Store resultCode
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.ldap.codec.actions.ldapResult.StoreResultCode - MSG_05109_RESULT_CODE_IS (INVALID_CREDENTIALS)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (TAG_STATE_START)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x04)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01000_TAG_DECODED (0x04)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (LENGTH_STATE_START)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x00)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (LENGTH_STATE_END)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x04)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01003_PARENT_LENGTH (TLV expected length stack : - 92 - 0 - null)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01006_LENGTH_DECODED (0)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (TLV_STATE_DONE)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x04)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01001_TLV_TREE (TLV0x04(0)-TLV0x61(90)-TLV0x30(0))
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition from state <RESULT_CODE_BR_STATE> to state <MATCHED_DN_BR_STATE>, tag <0x04>, action : Store matched Dn
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.ldap.codec.actions.ldapResult.StoreMatchedDN - MSG_05108_MATCHED_DN_IS ()
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (TAG_STATE_START)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x04)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01000_TAG_DECODED (0x04)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (LENGTH_STATE_START)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x58)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (LENGTH_STATE_END)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x38)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01003_PARENT_LENGTH (TLV expected length stack : - 90 - 0 - null)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01006_LENGTH_DECODED (88)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (VALUE_STATE_START)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x38)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (TLV_STATE_DONE)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01014_NO_MORE_BYTE ()
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01001_TLV_TREE (TLV0x04(88)-TLV0x61(0)-TLV0x30(0))
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition from state <MATCHED_DN_BR_STATE> to state <ERROR_MESSAGE_BR_STATE>, tag <0x04>, action : Store error message
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.ldap.codec.actions.ldapResult.StoreErrorMessage - MSG_05106_ERROR_MESSAGE_IS (80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01009_LINE_SEPARATOR3 ()
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01015_STOP_DECODING (TLV[ 0x04, 88, DATA[0x38 0x30 0x30 0x39 0x30 0x33 0x30 0x38 0x3A 0x20 0x4C 0x64 0x61 0x70 0x45 0x72 0x72 0x3A 0x20 0x44 0x53 0x49 0x44 0x2D 0x30 0x43 0x30 0x39 0x30 0x34 0x35 0x33 0x2C 0x20 0x63 0x6F 0x6D 0x6D 0x65 0x6E 0x74 0x3A 0x20 0x41 0x63 0x63 0x65 0x70 0x74 0x53 0x65 0x63 0x75 0x72 0x69 0x74 0x79 0x43 0x6F 0x6E 0x74 0x65 0x78 0x74 0x20 0x65 0x72 0x72 0x6F 0x72 0x2C 0x20 0x64 0x61 0x74 0x61 0x20 0x37 0x37 0x33 0x2C 0x20 0x76 0x33 0x38 0x33 0x39 0x00 ]])
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01010_LINE_SEPARATOR4 ()
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.CODEC_LOG - MSG_14002_DECODED_LDAP_MESSAGE (MessageType : BIND_RESPONSE
> >     Message ID : 21
> >     BindResponse
> >         Ldap Result
> >             Result code : (INVALID_CREDENTIALS) invalidCredentials
> >             Matched Dn : ''
> >             Diagnostic message : '80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839'
> > )
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.ldap.client.api.LdapNetworkConnection - MSG_04142_MESSAGE_RECEIVED (MessageType : BIND_RESPONSE
> >     Message ID : 21
> >     BindResponse
> >         Ldap Result
> >             Result code : (INVALID_CREDENTIALS) invalidCredentials
> >             Matched Dn : ''
> >             Diagnostic message : '80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839'
> > )
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.ldap.client.api.LdapNetworkConnection - MSG_04119_GETTING (21,org.apache.directory.ldap.client.api.future.BindFuture)
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.ldap.client.api.LdapNetworkConnection - MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
> >     Message ID : 21
> >     BindResponse
> >         Ldap Result
> >             Result code : (INVALID_CREDENTIALS) invalidCredentials
> >             Matched Dn : ''
> >             Diagnostic message : '80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839'
> > )
> > 2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.ldap.client.api.LdapNetworkConnection - MSG_04126_REMOVING (21,org.apache.directory.ldap.client.api.future.BindFuture)
> > 2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165} org.apache.directory.ldap.client.api.LdapNetworkConnection - MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
> >     Message ID : 21
> >     BindResponse
> >         Ldap Result
> >             Result code : (INVALID_CREDENTIALS) invalidCredentials
> >             Matched Dn : ''
> >             Diagnostic message : '80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839'
> > )
> > 2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165} org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory - MSG_04151_PASSIVATING (org.apache.directory.ldap.client.api.MonitoringLdapConnection@3dfb273)
> > 2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165} org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory - MSG_04172_REBIND_BIND_CONNECTION (org.apache.directory.ldap.client.api.MonitoringLdapConnection@3dfb273)
> > 2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165} org.apache.directory.ldap.client.api.LdapNetworkConnection - MSG_04104_SENDING_REQUEST (MessageType : BIND_REQUEST
> >     Message ID : 22
> >     BindRequest
> >         Version : '3'
> >         Name : 'CN=VFIT-LDAP-Bind,OU=Users,OU=Got,OU=THE_OU,DC=our-domain,DC=net'
> >         Simple authentication : '(omitted-for-safety)'
> > )
> > 2021-05-05T15:31:15:782+0200 DEBUG QVeFnAMU 672d43bb {req-165} org.apache.directory.ldap.client.api.LdapNetworkConnection - MSG_04106_ADDING (22,org.apache.directory.ldap.client.api.future.BindFuture)
> > 2021-05-05T15:31:15:782+0200 DEBUG QVeFnAMU 672d43bb {req-165} org.apache.directory.api.CODEC_LOG - MSG_14003_ENCODED_LDAP_MESSAGE (MessageType : BIND_REQUEST
> >     Message ID : 22
> >     BindRequest
> >         Version : '3'
> >         Name : 'CN=VFIT-LDAP-Bind,OU=Users,OU=Got,OU=THE_OU,DC=our-domain,DC=net'
> >         Simple authentication : '(omitted-for-safety)'
> >
> > ```
> > / Joacim
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > api-unsubscr...@directory.apache.org
> > For additional commands, e-mail: api-h...@directory.apache.org
> >
>
> --
> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> T. +33 (0)4 89 97 36 50
> P. +33 (0)6 08 33 32 61
> emmanuel.lecha...@busit.com https://www.busit.com/
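The following is an added example, not code from this thread, from Curity or from the Apache Directory project. It shows the check a consumer of the LDAP API can make on the BindResponse that the log above decodes. Active Directory carries the reason for result code 49 only in the free-text diagnostic message, as "data <hex>", where <hex> is the Win32 logon error code of the underlying failure: "data 773" is 0x773 = 1907 = ERROR_PASSWORD_MUST_CHANGE, the same number that runas printed in the message above. The class name, the Reason enum, the regex and the nextStep policy are the example's own; the closing comment on how to obtain the two values from the Apache Directory LDAP API describes assumed usage and is not exercised here.

```java
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example: classify an Active Directory simple-bind failure from the
 * diagnostic message AD returns next to result code 49 (invalidCredentials).
 */
public final class AdBindFailure {

    /** Win32 logon error codes that AD exposes as "data <hex>" in the diagnostic message. */
    public enum Reason {
        NO_SUCH_USER(0x525, "ERROR_NO_SUCH_USER"),
        LOGON_FAILURE(0x52E, "ERROR_LOGON_FAILURE"),            // wrong password
        INVALID_LOGON_HOURS(0x530, "ERROR_INVALID_LOGON_HOURS"),
        INVALID_WORKSTATION(0x531, "ERROR_INVALID_WORKSTATION"),
        PASSWORD_EXPIRED(0x532, "ERROR_PASSWORD_EXPIRED"),
        ACCOUNT_DISABLED(0x533, "ERROR_ACCOUNT_DISABLED"),
        ACCOUNT_EXPIRED(0x701, "ERROR_ACCOUNT_EXPIRED"),
        PASSWORD_MUST_CHANGE(0x773, "ERROR_PASSWORD_MUST_CHANGE"), // pwdLastSet=0
        ACCOUNT_LOCKED_OUT(0x775, "ERROR_ACCOUNT_LOCKED_OUT"),
        UNKNOWN(-1, "unknown");

        public final int win32Code;
        public final String win32Name;

        Reason(int code, String name) {
            win32Code = code;
            win32Name = name;
        }

        static Reason fromCode(int code) {
            for (Reason r : values()) {
                if (r.win32Code == code) {
                    return r;
                }
            }
            return UNKNOWN;
        }
    }

    // Matches the AD format seen in the log:
    // "80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839"
    private static final Pattern DATA_SUBCODE =
        Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    /** Parse the "data <hex>" subcode; empty if the text is not an AD bind diagnostic at all. */
    public static Optional<Reason> classify(String diagnosticMessage) {
        if (diagnosticMessage == null) {
            return Optional.empty();
        }
        Matcher m = DATA_SUBCODE.matcher(diagnosticMessage);
        if (!m.find()) {
            return Optional.empty();
        }
        return Optional.of(Reason.fromCode(Integer.parseInt(m.group(1), 16)));
    }

    /**
     * Example policy for an IdP: only "password must change" (and, if policy
     * allows, "password expired") is surfaced to the user, because in those two
     * cases AD has already accepted the supplied password. Every other subcode
     * stays an opaque failure so the login form does not tell an unauthenticated
     * caller whether the account exists, is disabled or is locked out; log the
     * subcode server-side instead.
     */
    public static String nextStep(int resultCode, String diagnosticMessage) {
        if (resultCode != 49) {
            return "bind failed with result code " + resultCode;
        }
        Reason reason = classify(diagnosticMessage).orElse(Reason.UNKNOWN);
        switch (reason) {
            case PASSWORD_MUST_CHANGE:
            case PASSWORD_EXPIRED:
                return "prompt for password change";
            default:
                return "authentication failed";
        }
    }

    public static void main(String[] args) {
        // Constructed sample, copied from the diagnostic message in the thread above.
        String diag = "80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839";
        Reason r = classify(diag).orElse(Reason.UNKNOWN);
        System.out.printf("data %x -> %s (%d decimal)%n", r.win32Code, r.win32Name, r.win32Code);
        System.out.println(nextStep(49, diag));
        // Assumed usage with the Apache Directory LDAP API (not run here): bind with a
        // BindRequest (BindRequestImpl, setName/setCredentials) via
        // connection.bind(BindRequest) so the BindResponse is returned instead of being
        // turned into an LdapAuthenticationException, then feed
        //   response.getLdapResult().getResultCode().getResultCode() and
        //   response.getLdapResult().getDiagnosticMessage()
        // to nextStep().
    }
}
```

The practical point for the thread: the protocol-level code 49 is the same for a wrong password and for a correct password on an account with pwdLastSet=0, so the distinction has to be pulled from the diagnostic message, and a pwdLastSet=0 account with a wrong password gets "data 52e", not "data 773". The subcode list leaks account state to anyone who can attempt a bind, which is why the example maps it to a user-facing decision server-side rather than relaying the text.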