Hi again,

I have had a discussion with our vendor, but they have difficulty
determining the underlying root cause beyond error 49
(INVALID_CREDENTIALS). I made a simple Java application to test this and
cannot find anything more when debugging the PasswordException.
Do you have any guidance on what to look for?

My authentication method:

```
public void authenticate(String uid, String password) {
    String status = "";
    try {
        LdapConnectionConfig config = new LdapConnectionConfig();
        config.setUseSsl(true);
        config.setLdapHost("activedirectory.domain.net");
        config.setLdapPort(636);
        // Accepts any server certificate: acceptable for a test harness, not for production.
        config.setTrustManagers(new NoVerificationTrustManager());
        config.setName(_ldapMgmtUser);
        config.setCredentials(_ldapMgmtPassword);

        final DefaultPoolableLdapConnectionFactory factory =
                new DefaultPoolableLdapConnectionFactory(config);
        final LdapConnectionPool pool = new LdapConnectionPool(factory);
        pool.setTestOnBorrow(true);
        final LdapConnectionTemplate ldapConnectionTemplate = new LdapConnectionTemplate(pool);

        // Searches under _rootDn with the management account, then binds as the entry
        // found with the supplied password. Note that uid goes into the filter unescaped.
        final PasswordWarning warning = ldapConnectionTemplate.authenticate(
                _rootDn, "(sAMAccountName=" + uid + ")", SearchScope.SUBTREE,
                password.toCharArray());

        status = "User credentials authenticated";
        if (warning != null) {
            status = status + " \n Warning!!" + warning.toString();
        }
        System.out.println(status);
    } catch (final PasswordException e) {
        // Thrown when the bind fails; in this thread's case AD reports result code 49.
        System.err.println("############# PasswordException #############");
        status = e.toString();
        e.printStackTrace();
    } catch (Exception e) {
        System.err.println("############# Exception #############");
        e.printStackTrace();
    }
}
```

Regards
Joacim




On Thu, May 6, 2021 at 3:31 PM Emmanuel Lécharny <elecha...@gmail.com>
wrote:

>
>
> On 06/05/2021 14:08, 4 Integration wrote:
> > @Emmanuel, sure, I have a dialogue with them as well, but since I know
> > they use Apache Directory LDAP API and (most of) the debug logs are from
> > `org.apache.directory`, I am trying to understand the behavior of LDAP API
> > interacting with Active Directory.
> > I would expect many other users of LDAP API to face the same issue with
> > the AD flag pwdLastSet=0, and wonder if anyone has a solution for it.
> >
> > Checked the LDAP API source and it says:
> >
> >     /**
> >      * This error code is returned if the Dn or password used in a simple bind
> >      * operation is incorrect, or if the Dn or password is incorrect for some
> >      * other reason, e.g. the password has expired. This result code only
> >      * applies to Bind operations -- it should not be returned for other
> >      * operations if the client does not have sufficient permission to perform
> >      * the requested operation - in this case the return code should be
> >      * insufficientAccessRights. Applicable operations: Bind. Result code type:
> >      * Specific (Security)
> >      */
> >     INVALID_CREDENTIALS(49, "invalidCredentials"),
> >
> > Since the user with `pwdLastSet=0` has a
> > "single-password-to-use-to-change-password", I get the feeling that
> > INVALID_CREDENTIALS is not the correct error code.
>
> Any error for a user trying to bind will be treated as a
> INVALID_CREDENTIALS, to avoid providing any information that could help
> a potential breach of security.
>
> When pwdLastSet is set to 0, the user is most likely to have to provide
> a new password on login (typically for a new user).
>
> Your product should explicitly deal with such cases, checking the error
> AD returns. Sadly, AD encapsulates the code into an error 49, so your
> solution provider should deal with that.
>
> This is explained in this page:
>
> https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
>
> --
> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
> T. +33 (0)4 89 97 36 50
> P. +33 (0)6 08 33 32 61
> emmanuel.lecha...@busit.com https://www.busit.com/
>

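The two points raised in this thread, the unescaped uid concatenated into the search filter and the AD-specific cause hidden behind result code 49, handled in one added example. This code is not from the thread, from Joacim's application or from the Apache Directory LDAP API; the class and method names are my own, and the diagnostic messages it parses are constructed samples in the format AD returns with result code 49 (the `DSID` value is a placeholder). The sub-code table is the mapping AD uses for the `data` field of its `AcceptSecurityContext` message; `773` is the value that corresponds to the pwdLastSet=0 "must change password" case discussed above.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Helpers for an AD simple-bind failure that arrives as LDAP result code 49.
 * Added example for this thread; not part of the Apache Directory LDAP API.
 */
public final class AdBindDiagnostics {

    /** AD sub-codes carried in the "data NNN" field of the diagnostic message (hex). */
    private static final Map<String, String> SUB_CODES = Map.of(
        "525", "user not found",
        "52e", "invalid credentials",
        "530", "not permitted to log on at this time",
        "531", "not permitted to log on at this workstation",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must reset password (e.g. pwdLastSet=0)",
        "775", "account locked out");

    // Matches the tail "... AcceptSecurityContext error, data 773, v1db1"
    private static final Pattern DATA_FIELD =
        Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    private AdBindDiagnostics() {}

    /** Extracts the hex sub-code from an AD diagnostic message, if one is present. */
    public static Optional<String> subCode(String diagnosticMessage) {
        if (diagnosticMessage == null) {
            return Optional.empty();
        }
        Matcher m = DATA_FIELD.matcher(diagnosticMessage);
        return m.find() ? Optional.of(m.group(1).toLowerCase()) : Optional.empty();
    }

    /** Human-readable reason behind an error-49 bind failure. */
    public static String describe(String diagnosticMessage) {
        return subCode(diagnosticMessage)
            .map(code -> SUB_CODES.getOrDefault(code, "unknown AD sub-code " + code))
            .orElse("invalid credentials (no AD sub-code in diagnostic message)");
    }

    /** True when the user must set a new password before a normal logon can succeed. */
    public static boolean mustChangePassword(String diagnosticMessage) {
        return subCode(diagnosticMessage).filter("773"::equals).isPresent();
    }

    /**
     * Escapes a value for use inside an LDAP search filter (RFC 4515, section 3),
     * so that a uid containing ')' or '*' cannot change the filter's meaning.
     */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample diagnostic messages; the DSID is a placeholder, not a real value.
        String mustReset = "80090308: LdapErr: DSID-0C09030B, comment: "
            + "AcceptSecurityContext error, data 773, v1db1";
        String wrongPw = "80090308: LdapErr: DSID-0C09030B, comment: "
            + "AcceptSecurityContext error, data 52e, v1db1";

        System.out.println(describe(mustReset));
        System.out.println(mustChangePassword(mustReset));
        System.out.println(describe(wrongPw));
        // A filter built from an escaped uid stays a single equality match.
        System.out.println("(sAMAccountName=" + escapeFilterValue("jdoe)(objectClass=*") + ")");
    }
}
```

The string to feed into `describe` is the diagnostic message of the failed bind; with the Apache Directory LDAP API that is `getLdapResult().getDiagnosticMessage()` on the `BindResponse`. `LdapConnectionTemplate.authenticate` wraps the failure in a `PasswordException`, so to reach the sub-code the bind has to be performed where the `BindResponse` is visible (my assumption about how the template surfaces the error, not something the thread confirms). The AD sub-code is informational only; the decision to reject the logon should still rest on the result code.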