Hi again,

I noted that when using LdapConnectionTemplate and authenticate(...) it doesn't return any useful error codes in the exception and no PasswordWarning. Shouldn't this scenario return a PasswordWarning?
https://nightlies.apache.org/directory/api/2.0.1/apidocs/org/apache/directory/ldap/client/template/PasswordWarning.html

If I use LdapNetworkConnection and connection.bind(...), it returns an LdapException with the message "80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839", where 773 is what is expected. It feels like LdapConnectionTemplate has a (few) bug(s).

Regards
Joacim

On Tue, May 18, 2021 at 11:03 AM 4 Integration <4integrat...@gmail.com> wrote:

> Hi again,
>
> I have had a discussion with our vendor but they have difficulties
> determining the underlying root cause beyond error 49
> (INVALID_CREDENTIALS). I made a simple Java application to test this and
> cannot find anything more when debugging the PasswordException.
> Do you have any guidance on what to look for?
>
> My authentication method:
>
> ```
> import org.apache.directory.api.ldap.model.filter.FilterEncoder;
> import org.apache.directory.api.ldap.model.message.SearchScope;
> import org.apache.directory.ldap.client.api.DefaultPoolableLdapConnectionFactory;
> import org.apache.directory.ldap.client.api.LdapConnectionConfig;
> import org.apache.directory.ldap.client.api.LdapConnectionPool;
> import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
> import org.apache.directory.ldap.client.template.LdapConnectionTemplate;
> import org.apache.directory.ldap.client.template.PasswordWarning;
> import org.apache.directory.ldap.client.template.exception.PasswordException;
>
> public void authenticate(String uid, String password) {
>     String status = "";
>     try {
>         // Management account used for the user lookup; the user's own password is checked afterwards
>         LdapConnectionConfig config = new LdapConnectionConfig();
>         config.setUseSsl(true);
>         config.setLdapHost("activedirectory.domain.net");
>         config.setLdapPort(636);
>         config.setTrustManagers(new NoVerificationTrustManager()); // disables server certificate validation
>         config.setName(_ldapMgmtUser);
>         config.setCredentials(_ldapMgmtPassword);
>
>         final DefaultPoolableLdapConnectionFactory factory = new DefaultPoolableLdapConnectionFactory(config);
>         final LdapConnectionPool pool = new LdapConnectionPool(factory);
>         pool.setTestOnBorrow(true);
>         final LdapConnectionTemplate ldapConnectionTemplate = new LdapConnectionTemplate(pool);
>
>         // Escape uid before placing it in the filter, then search under _rootDn and bind with the supplied password
>         final String filter = "(sAMAccountName=" + FilterEncoder.encodeFilterValue(uid) + ")";
>         final PasswordWarning warning = ldapConnectionTemplate.authenticate(_rootDn, filter,
>                 SearchScope.SUBTREE, password.toCharArray());
>
>         status = "User credentials authenticated";
>         if (warning != null) {
>             status = status + " \n Warning!!" + warning.toString();
>         }
>         System.out.println(status);
>     } catch (final PasswordException e) {
>         System.err.println("############# PasswordException #############");
>         status = e.toString();
>         e.printStackTrace();
>     } catch (Exception e) {
>         System.err.println("############# Exception #############");
>         e.printStackTrace();
>     }
> }
> ```
>
> Regards
> Joacim
>
> On Thu, May 6, 2021 at 3:31 PM Emmanuel Lécharny <elecha...@gmail.com> wrote:
>
>> On 06/05/2021 14:08, 4 Integration wrote:
>> > @Emmanuel, sure I have a dialogue with them as well, but since I know
>> > they use Apache Directory LDAP API and (most of) the debug logs are from
>> > `org.apache.directory`, I am trying to understand the behavior of LDAP API
>> > interacting with Active Directory.
>> > I would expect many other users of LDAP API to face the same issue with
>> > the AD flag pwdLastSet=0, and wonder if anyone has a solution for it.
>> >
>> > Checked the LDAP API source and it says:
>> >
>> > /**
>> >  * This error code is returned if the Dn or password used in a simple bind
>> >  * operation is incorrect, or if the Dn or password is incorrect for some
>> >  * other reason, e.g. the password has expired. This result code only
>> >  * applies to Bind operations -- it should not be returned for other
>> >  * operations if the client does not have sufficient permission to perform
>> >  * the requested operation - in this case the return code should be
>> >  * insufficientAccessRights. Applicable operations: Bind. Result code type:
>> >  * Specific (Security)
>> >  */
>> > INVALID_CREDENTIALS(49, "invalidCredentials"),
>> >
>> > Since the user has `pwdLastSet=0` and a
>> > "single-password-to-use-to-change-password", I get the feeling of
>> > INVALID_CREDENTIALS not being the correct error code.
>>
>> Any error for a user trying to bind will be treated as
>> INVALID_CREDENTIALS, to avoid providing any information that could help
>> a potential breach of security.
>>
>> When pwdLastSet is set to 0, the user is most likely to have to provide
>> a new password on login (typically for a new user).
>>
>> Your product should explicitly deal with such cases, checking the error
>> AD returns. Sadly, AD encapsulates the code into an error 49, so your
>> solution provider should deal with that.
>>
>> This is explained in this page:
>>
>> https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
>>
>> --
>> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
>> T. +33 (0)4 89 97 36 50
>> P. +33 (0)6 08 33 32 61
>> emmanuel.lecha...@busit.com https://www.busit.com/
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: api-unsubscr...@directory.apache.org
>> For additional commands, e-mail: api-h...@directory.apache.org
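As an added example (not code from this thread or from the Apache Directory LDAP API project): Emmanuel's advice is to check the error AD returns inside result code 49, and the `data 773` Joacim sees with `connection.bind(...)` is exactly that sub-code. The class below pulls the hex `data` field out of the bind diagnostic and maps it to the meanings listed on the linked ldapwiki page, so a service can route a "must reset password" user differently from a plain bad password. It assumes LDAP API 2.x signatures for `LdapNetworkConnection(host, port, useSsl)` and `bind(dn, password)`, and that `LdapException.getMessage()` carries the server diagnostic as quoted above.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

public final class AdBindError {
    // AD bind sub-codes as documented on the ldapwiki page linked in the thread (hex).
    private static final Map<String, String> REASONS = Map.of(
        "525", "user not found",
        "52e", "invalid credentials",
        "530", "not permitted to logon at this time",
        "531", "not permitted to logon at this workstation",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must reset password",
        "775", "account locked out");

    // Matches ", data 773," in "... AcceptSecurityContext error, data 773, v3839".
    private static final Pattern DATA_FIELD = Pattern.compile(", data ([0-9a-fA-F]+),");

    /** Hex sub-code carried in the diagnostic message, if present. */
    public static Optional<String> subCode(String diagnosticMessage) {
        if (diagnosticMessage == null) return Optional.empty();
        Matcher m = DATA_FIELD.matcher(diagnosticMessage);
        return m.find() ? Optional.of(m.group(1).toLowerCase()) : Optional.empty();
    }

    /** Human-readable reason; absent or unlisted sub-codes get a generic one. */
    public static String reason(String diagnosticMessage) {
        return subCode(diagnosticMessage)
            .map(c -> REASONS.getOrDefault(c, "unknown AD sub-code " + c))
            .orElse("invalid credentials (no AD sub-code in message)");
    }

    /** Binds as the user over LDAPS and classifies a failure instead of treating every 49 alike. */
    public static String classifyBind(String host, int port, String userDn, String password) {
        LdapConnection conn = new LdapNetworkConnection(host, port, true); // assumed 2.x constructor
        try {
            conn.bind(userDn, password);
            return "authenticated";
        } catch (LdapException e) {
            // AD keeps the real cause only in the diagnostic text; the result code is always 49.
            return reason(e.getMessage());
        } finally {
            try { conn.close(); } catch (Exception ignored) { }
        }
    }
}
```

Feeding `reason(...)` the diagnostic quoted at the top of the thread yields "user must reset password"; the mapped reason is meant for the service's own branching (for example sending a 773 user to a password-change flow), not for echoing to an unauthenticated client, for the reason Emmanuel gives.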