Hi again,
I noted that when using LdapConnectionTemplate and authenticate(...) it
doesn't return any useful error codes in the exception and no
PasswordWarning.
Shouldn't this scenario return a PasswordWarning?
https://nightlies.apache.org/directory/api/2.0.1/apidocs/org/apache/directory/ldap/client/template/PasswordWarning.html
If I use:
LdapNetworkConnection and connection.bind(...) it returns an LdapException with
message
80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error,
data 773, v3839
where 773 is what is expected.
It feels like LdapConnectionTemplate has a (few) bug(s).
Regards
Joacim
On Tue, May 18, 2021 at 11:03 AM 4 Integration <4integrat...@gmail.com>
wrote:
> Hi again,
>
> I have had a discussion with our vendor but they have difficulties to
> determine the underlying root cause more than error 49
> (INVALID_CREDENTIALS). I made a simple Java application to test this and
> cannot find anything more when debugging the PasswordException.
> Do you have any guidance what to look for?
>
> My authentication method:
>
> ```
> public void authenticate(String uid, String password) {
> String status = "";
> try {
> LdapConnectionConfig config = new LdapConnectionConfig();
> config.setUseSsl(true);
> config.setLdapHost("activedirectory.domain.net");
> config.setLdapPort(636);
> config.setTrustManagers(new NoVerificationTrustManager());
> config.setName(_ldapMgmtUser);
> config.setCredentials(_ldapMgmtPassword);
>
> final DefaultPoolableLdapConnectionFactory factory = new
> DefaultPoolableLdapConnectionFactory(config);
> final LdapConnectionPool pool = new LdapConnectionPool(factory);
> pool.setTestOnBorrow(true);
> final LdapConnectionTemplate ldapConnectionTemplate = new
> LdapConnectionTemplate(pool);
>
> final PasswordWarning warning =
> ldapConnectionTemplate.authenticate(_rootDn, "(sAMAccountName=" + uid + ")",
> SearchScope.SUBTREE, password.toCharArray());
>
> status = "User credentials authenticated";
> if (warning != null) {
> status = status + " \n Warning!!" + warning.toString();
> }
> System.out.println(status);
> } catch (final PasswordException e) {
> System.err.println("############# PasswordException #############");
> status = e.toString();
> e.printStackTrace();
> } catch (Exception e) {
> System.err.println("############# Exception #############");
> e.printStackTrace();
>
> } finally {
> }
> return;
> }
>
> ```
>
> Regards
> Joacim
>
>
>
>
> On Thu, May 6, 2021 at 3:31 PM Emmanuel Lécharny <elecha...@gmail.com>
> wrote:
>
>>
>>
>> On 06/05/2021 14:08, 4 Integration wrote:
>> > @Emmanuel, sure I have a dialogue with them as well but since I know
>> > they use Apache Directory LDAP API and (most) the debug logs are from
>> > `org.apache.directory` trying to understand the behavior of LDAP API
>> > interacting with Active Directory.
>> > I would expect many other users of LDAP API facing the same issue with
>> > AD flag pwdLastSet=0 and if anyone have a solution for it.
>> >
>> > Checked the LDAP API source and it says:
>> >
>> > /**
>> > * This error code is returned if the Dn or password used in a
>> simple bind
>> > * operation is incorrect, or if the Dn or password is incorrect
>> for some
>> > * other reason, e.g. the password has expired. This result code
>> only
>> > * applies to Bind operations -- it should not be returned for
>> other
>> > * operations if the client does not have sufficient permission to
>> perform
>> > * the requested operation - in this case the return code should be
>> > * insufficientAccessRights. Applicable operations: Bind. Result
>> code type:
>> > * Specific (Security)
>> > */
>> > INVALID_CREDENTIALS(49, "invalidCredentials"),
>> >
>> > Since the user with `pwdLastSet=0` and have a
>> > "single-password-to-use-to-change-password", I get the feeling of
>> > INVALID_CREDENTIALS not being the correct error code.
>>
>> Any error for a user trying to bind will be treated as a
>> INVALID_CREDENTIALS, to avoid providing any information that could help
>> a potential breach of security.
>>
>> When pwdLastSet is set to 0, the user is most likely to have to provide
>> a new password on login (typically for a new user).
>>
>> Your product should explicitely deal with such cases, checking the error
>> AD returns. Sadly, AD encapsulate the code into an error 49, so your
>> solution provider should deal with that.
>>
>> This is explained in this page:
>>
>> https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
>>
>> --
>> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
>> T. +33 (0)4 89 97 36 50
>> P. +33 (0)6 08 33 32 61
>> emmanuel.lecha...@busit.com https://www.busit.com/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: api-unsubscr...@directory.apache.org
>> For additional commands, e-mail: api-h...@directory.apache.org
>>
>>
