Re: Force password change on next login with Active Directory

Thu, 06 May 2021 05:08:52 -0700 

@Emmanuel, sure I have a dialogue with them as well but since I know
they use Apache Directory LDAP API and (most) the debug logs are from
`org.apache.directory` trying to understand the behavior of LDAP API
interacting with Active Directory.
I would expect many other users of LDAP API facing the same issue with
AD flag pwdLastSet=0 and if anyone have a solution for it.

Checked the LDAP API source and it says:

    /**
     * This error code is returned if the Dn or password used in a simple bind
     * operation is incorrect, or if the Dn or password is incorrect for some
     * other reason, e.g. the password has expired. This result code only
     * applies to Bind operations -- it should not be returned for other
     * operations if the client does not have sufficient permission to perform
     * the requested operation - in this case the return code should be
     * insufficientAccessRights. Applicable operations: Bind. Result code type:
     * Specific (Security)
     */
    INVALID_CREDENTIALS(49, "invalidCredentials"),

Since the user with `pwdLastSet=0` and have a
"single-password-to-use-to-change-password", I get the feeling of
INVALID_CREDENTIALS not being the correct error code.
Tested to run an application on Windows, it didn't work but at least
the error code is much more clear

C:\>runas /u:OUR_DOMAIN\dft9000 notepad.exe
Enter the password for OUR_DOMAIN\dft9000:
Attempting to start notepad.exe as user "OUR_DOMAIN\dft9000" ...
RUNAS ERROR: Unable to run - notepad.exe
1907: The user's password must be changed before signing in.

Regards Joacim

On Thu, May 6, 2021 at 1:29 PM Emmanuel Lécharny <elecha...@gmail.com> wrote:
>
> Hi,
>
> I will focus on the important part of your message :
>
> "We are using a commercial IdP product (Curity)"
>
> The best you can do is to ask them about the error you(ve got.
>
>
>
>
> On 06/05/2021 09:43, 4 Integration wrote:
> > Hi,
> >
> > We are using a commercial IdP product (Curity) which in turn uses
> > Apache Directory API and we integrate with our Active Directory (AD).
> > When adding new accounts/users in AD we set the flag `pwdLastSet=0`
> > (or as in AD "User must change password at next logon") and a default
> > password.
> >
> > When I try login I get `INVALID_CREDENTIALS` and no indication to
> > change password.
> >
> > Shouldn't the error be something else to be able to act on it?
> > Any other way to handle "Force password change on next logon"?
> >
> > Log snippet (more completed logs attached)
> > ```
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition
> > from state <BIND_RESPONSE_STATE> to state <RESULT_CODE_BR_STATE>, tag
> > <0x0A>, action : Store resultCode
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.ldap.codec.actions.ldapResult.StoreResultCode
> > - MSG_05109_RESULT_CODE_IS (INVALID_CREDENTIALS)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> > (TAG_STATE_START)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> > (0x04)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01000_TAG_DECODED
> > (0x04)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> > (LENGTH_STATE_START)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> > (0x00)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> > (LENGTH_STATE_END)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> > (0x04)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder -
> > MSG_01003_PARENT_LENGTH (TLV expected length stack :  - 92 - 0 - null)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder -
> > MSG_01006_LENGTH_DECODED (0)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> > (TLV_STATE_DONE)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> > (0x04)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01001_TLV_TREE
> > (TLV0x04(0)-TLV0x61(90)-TLV0x30(0))
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition
> > from state <RESULT_CODE_BR_STATE> to state <MATCHED_DN_BR_STATE>, tag
> > <0x04>, action : Store matched Dn
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.ldap.codec.actions.ldapResult.StoreMatchedDN
> > - MSG_05108_MATCHED_DN_IS ()
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> > (TAG_STATE_START)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> > (0x04)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01000_TAG_DECODED
> > (0x04)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> > (LENGTH_STATE_START)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> > (0x58)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> > (LENGTH_STATE_END)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> > (0x38)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder -
> > MSG_01003_PARENT_LENGTH (TLV expected length stack :  - 90 - 0 - null)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder -
> > MSG_01006_LENGTH_DECODED (88)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> > (VALUE_STATE_START)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> > (0x38)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> > (TLV_STATE_DONE)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01014_NO_MORE_BYTE
> > ()
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01001_TLV_TREE
> > (TLV0x04(88)-TLV0x61(0)-TLV0x30(0))
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition
> > from state <MATCHED_DN_BR_STATE> to state <ERROR_MESSAGE_BR_STATE>,
> > tag <0x04>, action : Store error message
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.ldap.codec.actions.ldapResult.StoreErrorMessage
> > - MSG_05106_ERROR_MESSAGE_IS (80090308: LdapErr: DSID-0C090453,
> > comment: AcceptSecurityContext error, data 773, v3839)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder -
> > MSG_01009_LINE_SEPARATOR3 ()
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder -
> > MSG_01015_STOP_DECODING (TLV[ 0x04, 88, DATA[0x38 0x30 0x30 0x39 0x30
> > 0x33 0x30 0x38 0x3A 0x20 0x4C 0x64 0x61 0x70 0x45 0x72 0x72 0x3A 0x20
> > 0x44 0x53 0x49 0x44 0x2D 0x30 0x43 0x30 0x39 0x30 0x34 0x35 0x33 0x2C
> > 0x20 0x63 0x6F 0x6D 0x6D 0x65 0x6E 0x74 0x3A 0x20 0x41 0x63 0x63 0x65
> > 0x70 0x74 0x53 0x65 0x63 0x75 0x72 0x69 0x74 0x79 0x43 0x6F 0x6E 0x74
> > 0x65 0x78 0x74 0x20 0x65 0x72 0x72 0x6F 0x72 0x2C 0x20 0x64 0x61 0x74
> > 0x61 0x20 0x37 0x37 0x33 0x2C 0x20 0x76 0x33 0x38 0x33 0x39 0x00 ]])
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.asn1.ber.Asn1Decoder -
> > MSG_01010_LINE_SEPARATOR4 ()
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.api.CODEC_LOG - MSG_14002_DECODED_LDAP_MESSAGE
> > (MessageType : BIND_RESPONSE
> > Message ID : 21
> >      BindResponse
> >          Ldap Result
> >              Result code : (INVALID_CREDENTIALS) invalidCredentials
> >              Matched Dn : ''
> >              Diagnostic message : '80090308: LdapErr: DSID-0C090453,
> > comment: AcceptSecurityContext error, data 773, v3839'
> > )
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.ldap.client.api.LdapNetworkConnection -
> > MSG_04142_MESSAGE_RECEIVED (MessageType : BIND_RESPONSE
> > Message ID : 21
> >      BindResponse
> >          Ldap Result
> >              Result code : (INVALID_CREDENTIALS) invalidCredentials
> >              Matched Dn : ''
> >              Diagnostic message : '80090308: LdapErr: DSID-0C090453,
> > comment: AcceptSecurityContext error, data 773, v3839'
> > )
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.ldap.client.api.LdapNetworkConnection -
> > MSG_04119_GETTING
> > (21,org.apache.directory.ldap.client.api.future.BindFuture)
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.ldap.client.api.LdapNetworkConnection -
> > MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
> > Message ID : 21
> >      BindResponse
> >          Ldap Result
> >              Result code : (INVALID_CREDENTIALS) invalidCredentials
> >              Matched Dn : ''
> >              Diagnostic message : '80090308: LdapErr: DSID-0C090453,
> > comment: AcceptSecurityContext error, data 773, v3839'
> > )
> > 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> > org.apache.directory.ldap.client.api.LdapNetworkConnection -
> > MSG_04126_REMOVING
> > (21,org.apache.directory.ldap.client.api.future.BindFuture)
> > 2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165}
> > org.apache.directory.ldap.client.api.LdapNetworkConnection -
> > MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
> > Message ID : 21
> >      BindResponse
> >          Ldap Result
> >              Result code : (INVALID_CREDENTIALS) invalidCredentials
> >              Matched Dn : ''
> >              Diagnostic message : '80090308: LdapErr: DSID-0C090453,
> > comment: AcceptSecurityContext error, data 773, v3839'
> > )
> > 2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165}
> > org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory
> > - MSG_04151_PASSIVATING
> > (org.apache.directory.ldap.client.api.MonitoringLdapConnection@3dfb273)
> > 2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165}
> > org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory
> > - MSG_04172_REBIND_BIND_CONNECTION
> > (org.apache.directory.ldap.client.api.MonitoringLdapConnection@3dfb273)
> > 2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165}
> > org.apache.directory.ldap.client.api.LdapNetworkConnection -
> > MSG_04104_SENDING_REQUEST (MessageType : BIND_REQUEST
> > Message ID : 22
> >      BindRequest
> >          Version : '3'
> >          Name : 
> > 'CN=VFIT-LDAP-Bind,OU=Users,OU=Got,OU=THE_OU,DC=our-domain,DC=net'
> >          Simple authentication : '(omitted-for-safety)'
> > )
> > 2021-05-05T15:31:15:782+0200 DEBUG QVeFnAMU 672d43bb {req-165}
> > org.apache.directory.ldap.client.api.LdapNetworkConnection -
> > MSG_04106_ADDING
> > (22,org.apache.directory.ldap.client.api.future.BindFuture)
> > 2021-05-05T15:31:15:782+0200 DEBUG QVeFnAMU 672d43bb {req-165}
> > org.apache.directory.api.CODEC_LOG - MSG_14003_ENCODED_LDAP_MESSAGE
> > (MessageType : BIND_REQUEST
> > Message ID : 22
> >      BindRequest
> >          Version : '3'
> >          Name : 
> > 'CN=VFIT-LDAP-Bind,OU=Users,OU=Got,OU=THE_OU,DC=our-domain,DC=net'
> >          Simple authentication : '(omitted-for-safety)'
> >
> > ```
> > / Joacim
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: api-unsubscr...@directory.apache.org
> > For additional commands, e-mail: api-h...@directory.apache.org
> >
>
> --
> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> T. +33 (0)4 89 97 36 50
> P. +33 (0)6 08 33 32 61
> emmanuel.lecha...@busit.com https://www.busit.com/
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: api-unsubscr...@directory.apache.org
> For additional commands, e-mail: api-h...@directory.apache.org
>

---------------------------------------------------------------------
To unsubscribe, e-mail: api-unsubscr...@directory.apache.org
For additional commands, e-mail: api-h...@directory.apache.org

Reply via email to