Hi again, I have had a discussion with our vendor but they have difficulty determining the underlying root cause beyond error 49 (INVALID_CREDENTIALS). I made a simple Java application to test this and cannot find anything more when debugging the PasswordException. Do you have any guidance on what to look for?
My authentication method:

```java
// Imports used by this method (Apache Directory LDAP API)
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.ldap.client.api.DefaultPoolableLdapConnectionFactory;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapConnectionPool;
import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
import org.apache.directory.ldap.client.template.LdapConnectionTemplate;
import org.apache.directory.ldap.client.template.PasswordWarning;
import org.apache.directory.ldap.client.template.exception.PasswordException;

public void authenticate(String uid, String password) {
    String status = "";
    try {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setUseSsl(true);
        config.setLdapHost("activedirectory.domain.net");
        config.setLdapPort(636);
        // Test-only: skips certificate verification of the AD server
        config.setTrustManagers(new NoVerificationTrustManager());
        // Service account used for the user search; the user's own bind follows
        config.setName(_ldapMgmtUser);
        config.setCredentials(_ldapMgmtPassword);

        final DefaultPoolableLdapConnectionFactory factory = new DefaultPoolableLdapConnectionFactory(config);
        final LdapConnectionPool pool = new LdapConnectionPool(factory);
        pool.setTestOnBorrow(true);
        final LdapConnectionTemplate ldapConnectionTemplate = new LdapConnectionTemplate(pool);

        // Search under _rootDn for the user, then bind as the found entry with the supplied password
        // (note: uid is concatenated into the filter without escaping here)
        final PasswordWarning warning = ldapConnectionTemplate.authenticate(
                _rootDn, "(sAMAccountName=" + uid + ")", SearchScope.SUBTREE, password.toCharArray());
        status = "User credentials authenticated";
        if (warning != null) {
            status = status + " \n Warning!!" + warning.toString();
        }
        System.out.println(status);
    } catch (final PasswordException e) {
        // Thrown when the user bind fails; with AD this is always resultCode 49
        System.err.println("############# PasswordException #############");
        status = e.toString();
        e.printStackTrace();
    } catch (Exception e) {
        System.err.println("############# Exception #############");
        e.printStackTrace();
    }
}
```

Regards
Joacim

On Thu, May 6, 2021 at 3:31 PM Emmanuel Lécharny <elecha...@gmail.com> wrote:
>
> On 06/05/2021 14:08, 4 Integration wrote:
> > @Emmanuel, sure I have a dialogue with them as well, but since I know
> > they use Apache Directory LDAP API and (most of) the debug logs are from
> > `org.apache.directory`, I am trying to understand the behavior of LDAP API
> > interacting with Active Directory.
> > I would expect many other users of LDAP API to face the same issue with
> > the AD flag pwdLastSet=0, and wonder if anyone has a solution for it.
> >
> > Checked the LDAP API source and it says:
> >
> > /**
> >  * This error code is returned if the Dn or password used in a simple bind
> >  * operation is incorrect, or if the Dn or password is incorrect for some
> >  * other reason, e.g. the password has expired. This result code only
> >  * applies to Bind operations -- it should not be returned for other
> >  * operations if the client does not have sufficient permission to perform
> >  * the requested operation - in this case the return code should be
> >  * insufficientAccessRights. Applicable operations: Bind. Result code type:
> >  * Specific (Security)
> >  */
> > INVALID_CREDENTIALS(49, "invalidCredentials"),
> >
> > Since the user with `pwdLastSet=0` has a
> > "single-password-to-use-to-change-password", I get the feeling of
> > INVALID_CREDENTIALS not being the correct error code.
>
> Any error for a user trying to bind will be treated as
> INVALID_CREDENTIALS, to avoid providing any information that could help
> a potential breach of security.
>
> When pwdLastSet is set to 0, the user is most likely to have to provide
> a new password on login (typically for a new user).
>
> Your product should explicitly deal with such cases, checking the error
> AD returns. Sadly, AD encapsulates the code into an error 49, so your
> solution provider should deal with that.
>
> This is explained in this page:
>
> https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
>
> --
> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> T. +33 (0)4 89 97 36 50
> P. +33 (0)6 08 33 32 61
> emmanuel.lecha...@busit.com https://www.busit.com/
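The sub-code Emmanuel refers to is not lost: AD puts it in the diagnostic message of the resultCode 49 bind response as `data NNN`, and an application can branch on it (for example, send a `773` user to a change-password flow) instead of treating every failure as a wrong password. The following is an added example, not code from this thread or from the Apache Directory project; it assumes you already hold that diagnostic string (e.g. `bindResponse.getLdapResult().getDiagnosticMessage()` after issuing the bind yourself via `LdapNetworkConnection.bind(BindRequest)`), and the sub-code table is the one from the ldapwiki page linked above.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Classifies the AD "data NNN" sub-code carried inside an error 49 bind response. */
public final class AdBindError {

    public enum Reason {
        INVALID_CREDENTIALS, MUST_CHANGE_PASSWORD, PASSWORD_EXPIRED, ACCOUNT_DISABLED,
        ACCOUNT_EXPIRED, ACCOUNT_LOCKED, LOGON_RESTRICTED, USER_NOT_FOUND, UNKNOWN
    }

    // Sub-codes as documented on the ldapwiki "Common Active Directory Bind Errors" page
    private static final Map<String, Reason> SUBCODES = Map.of(
        "525", Reason.USER_NOT_FOUND,
        "52e", Reason.INVALID_CREDENTIALS,    // plain wrong password
        "530", Reason.LOGON_RESTRICTED,       // not permitted to log on at this time
        "531", Reason.LOGON_RESTRICTED,       // not permitted to log on at this workstation
        "532", Reason.PASSWORD_EXPIRED,
        "533", Reason.ACCOUNT_DISABLED,
        "701", Reason.ACCOUNT_EXPIRED,
        "773", Reason.MUST_CHANGE_PASSWORD,   // the pwdLastSet=0 case from this thread
        "775", Reason.ACCOUNT_LOCKED);

    // Shape of the AD message: "80090308: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 773, v2580"
    private static final Pattern DATA =
        Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    /** Returns the reason hidden behind resultCode 49, or UNKNOWN if the message has no AD sub-code. */
    public static Reason classify(String diagnosticMessage) {
        if (diagnosticMessage == null) {
            return Reason.UNKNOWN;
        }
        Matcher m = DATA.matcher(diagnosticMessage);
        if (!m.find()) {
            return Reason.UNKNOWN;
        }
        return SUBCODES.getOrDefault(m.group(1).toLowerCase(), Reason.UNKNOWN);
    }

    public static void main(String[] args) {
        // Constructed sample messages in the format AD returns alongside resultCode 49
        String[] samples = {
            "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v2580",
            "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580",
            "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 533, v2580",
            "Invalid credentials"   // a non-AD server: no sub-code to recover
        };
        for (String s : samples) {
            System.out.println(classify(s));
        }
    }
}
```

Keep the mapped reason for the application's own logic and logs; the point of AD collapsing everything into error 49 is that the distinction should not be echoed back to an unauthenticated client.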