Re: Force password change on next login with Active Directory
On 19/05/2021 12:26, 4 Integration wrote:
> Hi again,
>
> I noted that when using LdapConnectionTemplate and authenticate(...) it doesn't return any useful error codes in the exception and no PasswordWarning.
> Shouldn't this scenario return a PasswordWarning?
> https://nightlies.apache.org/directory/api/2.0.1/apidocs/org/apache/directory/ldap/client/template/PasswordWarning.html

This is a class used when the PasswordPolicy control is sent. It would not help you in this context.

> If I use LdapNetworkConnection and connection.bind(...) it returns an LdapException with message
> 80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839
> where 773 is what is expected.
>
> It feels like LdapConnectionTemplate has a (few) bug(s).

So please feel free to file JIRAs.

Thanks

--
*Emmanuel Lécharny - CTO*
205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecha...@busit.com https://www.busit.com/

-
To unsubscribe, e-mail: api-unsubscr...@directory.apache.org
For additional commands, e-mail: api-h...@directory.apache.org
Re: Force password change on next login with Active Directory
Hi,

On 18/05/2021 11:03, 4 Integration wrote:
> Hi again,
>
> I have had a discussion with our vendor but they have difficulties to determine the underlying root cause more than error 49 (INVALID_CREDENTIALS). I made a simple Java application to test this and cannot find anything more when debugging the PasswordException.
> Do you have any guidance what to look for?

Error 49 is what the server sends you. It gets encapsulated into a PasswordException, but the essence of the error is that:

- either your user does not exist, or you have a typo in it
- or the password is incorrect
- or it has expired
- or some password policy rules out the password for some reason (and this is very server specific)

Now, the logs provide more information. Typically:

```
Message ID : 21
    BindResponse
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : ''
            Diagnostic message : '80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839'
        )
```

and if you google that, you get:

data 773 : user must reset password
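The decoding described in the two replies above, as an added example that is not code from the thread or from the Apache Directory project: the hex sub-code AD appends after `data` in its error-49 diagnostic message is extracted and mapped to the few states a login flow should act on, with every other sub-code left as a generic failure so nothing extra is revealed to the caller. It assumes the Apache Directory LDAP API 2.x names `LdapNetworkConnection`, `LdapAuthenticationException` and `Dn`; the 773 mapping is the one given in the thread, while 532 and 775 are the well-known Win32 error codes for an expired password and a locked account and are not mentioned on the page.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.directory.api.ldap.model.exception.LdapAuthenticationException;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * Added example: classify an Active Directory error-49 diagnostic message such as
 *   80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839
 * AD reports every bind failure as resultCode 49; the real reason is the hex "data" sub-code,
 * which is the Win32 error number in hex (0x773 = 1907, the number runas prints for
 * "The user's password must be changed before signing in").
 */
public final class AdBindDiagnostic {

    /** States a login flow may act on. Anything else is reported as a plain failure. */
    public enum Outcome {
        OK, MUST_CHANGE_PASSWORD, PASSWORD_EXPIRED, ACCOUNT_LOCKED, INVALID_CREDENTIALS, UNKNOWN_FORMAT
    }

    // Matches the sub-code AD appends after "AcceptSecurityContext error, data".
    private static final Pattern DATA_CODE =
            Pattern.compile("AcceptSecurityContext error, data ([0-9A-Fa-f]+)");

    /** Returns the sub-code as an int (hex decoded), or -1 if the message is not in AD's format. */
    public static int subCode(String diagnosticMessage) {
        if (diagnosticMessage == null) {
            return -1;
        }
        Matcher m = DATA_CODE.matcher(diagnosticMessage);
        return m.find() ? Integer.parseInt(m.group(1), 16) : -1;
    }

    /** Maps the sub-code to an outcome the application can act on. */
    public static Outcome classify(String diagnosticMessage) {
        switch (subCode(diagnosticMessage)) {
            case 0x773: return Outcome.MUST_CHANGE_PASSWORD; // data 773 in the thread: pwdLastSet=0
            case 0x532: return Outcome.PASSWORD_EXPIRED;     // ERROR_PASSWORD_EXPIRED (well-known Win32 code)
            case 0x775: return Outcome.ACCOUNT_LOCKED;       // ERROR_ACCOUNT_LOCKED_OUT (well-known Win32 code)
            case -1:    return Outcome.UNKNOWN_FORMAT;       // not an AD-style message: do not guess
            default:    return Outcome.INVALID_CREDENTIALS;  // unknown user, wrong password, disabled account, ...
        }
    }

    /**
     * Simple bind on an already open LdapNetworkConnection. Only an authentication failure is
     * classified; any other LdapException (network, TLS, ...) propagates, so a connectivity
     * problem is never shown to the user as "wrong password".
     */
    public static Outcome bindAndClassify(LdapNetworkConnection connection, Dn userDn, String password)
            throws LdapException {
        try {
            connection.bind(userDn, password);
            return Outcome.OK;
        } catch (LdapAuthenticationException e) {
            // For AD the exception message carries the diagnostic message quoted in the thread
            return classify(e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed samples: the message quoted in the thread, a message with another sub-code,
        // and a non-AD message (for example from a directory that sends no sub-code at all).
        String fromThread =
                "80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839";
        String otherCode =
                "80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839";
        System.out.println(subCode(fromThread) + " " + classify(fromThread));
        System.out.println(subCode(otherCode) + " " + classify(otherCode));
        System.out.println(classify("Invalid credentials"));
    }
}
```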
Re: Force password change on next login with Active Directory
Hi again,

I noted that when using LdapConnectionTemplate and authenticate(...) it doesn't return any useful error codes in the exception and no PasswordWarning.
Shouldn't this scenario return a PasswordWarning?
https://nightlies.apache.org/directory/api/2.0.1/apidocs/org/apache/directory/ldap/client/template/PasswordWarning.html

If I use LdapNetworkConnection and connection.bind(...) it returns an LdapException with message
80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839
where 773 is what is expected.

It feels like LdapConnectionTemplate has a (few) bug(s).

Regards
Joacim

On Tue, May 18, 2021 at 11:03 AM 4 Integration <4integrat...@gmail.com> wrote:
Re: Force password change on next login with Active Directory
Hi again,

I have had a discussion with our vendor but they have difficulties to determine the underlying root cause more than error 49 (INVALID_CREDENTIALS). I made a simple Java application to test this and cannot find anything more when debugging the PasswordException.
Do you have any guidance what to look for?

My authentication method:

```java
import org.apache.directory.api.ldap.model.filter.FilterEncoder;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.DefaultPoolableLdapConnectionFactory;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.ldap.client.api.LdapConnectionPool;
import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
import org.apache.directory.ldap.client.template.LdapConnectionTemplate;
import org.apache.directory.ldap.client.template.PasswordWarning;
import org.apache.directory.ldap.client.template.exception.PasswordException;

public class AdAuthTest {
    // Service account used for the user search, and the search base (set from configuration)
    private String _ldapMgmtUser;
    private String _ldapMgmtPassword;
    private Dn _rootDn;

    public void authenticate(String uid, String password) {
        String status = "";
        LdapConnectionPool pool = null;
        try {
            LdapConnectionConfig config = new LdapConnectionConfig();
            config.setUseSsl(true);
            config.setLdapHost("activedirectory.domain.net");
            config.setLdapPort(636);
            // Test setup only: accepts any server certificate, so the AD server is not verified
            config.setTrustManagers(new NoVerificationTrustManager());
            config.setName(_ldapMgmtUser);
            config.setCredentials(_ldapMgmtPassword);

            final DefaultPoolableLdapConnectionFactory factory = new DefaultPoolableLdapConnectionFactory(config);
            pool = new LdapConnectionPool(factory);
            pool.setTestOnBorrow(true);
            final LdapConnectionTemplate ldapConnectionTemplate = new LdapConnectionTemplate(pool);

            // Escape the user-supplied uid so it cannot change the shape of the search filter (RFC 4515)
            final String filter = "(sAMAccountName=" + FilterEncoder.encodeFilterValue(uid) + ")";
            // Finds the user with the service account, then binds as that user with the given password
            final PasswordWarning warning = ldapConnectionTemplate.authenticate(_rootDn, filter, SearchScope.SUBTREE, password.toCharArray());

            status = "User credentials authenticated";
            if (warning != null) {
                status = status + " \n Warning!!" + warning.toString();
            }
            System.out.println(status);
        } catch (final PasswordException e) {
            // Thrown when the bind as the user fails (here AD answers with result code 49)
            System.err.println("# PasswordException #");
            status = e.toString();
            e.printStackTrace();
        } catch (Exception e) {
            System.err.println("# Exception #");
            e.printStackTrace();
        } finally {
            if (pool != null) {
                pool.close(); // release the pooled connections created for this call
            }
        }
    }
}
```

Regards
Joacim

On Thu, May 6, 2021 at 3:31 PM Emmanuel Lécharny wrote:
Re: Force password change on next login with Active Directory
On 06/05/2021 14:08, 4 Integration wrote:
> @Emmanuel, sure I have a dialogue with them as well but since I know they use Apache Directory LDAP API and (most of) the debug logs are from `org.apache.directory`, I am trying to understand the behavior of LDAP API interacting with Active Directory.
> I would expect many other users of LDAP API to face the same issue with the AD flag pwdLastSet=0, and wonder if anyone has a solution for it.
>
> Checked the LDAP API source and it says:
>
> /**
>  * This error code is returned if the Dn or password used in a simple bind
>  * operation is incorrect, or if the Dn or password is incorrect for some
>  * other reason, e.g. the password has expired. This result code only
>  * applies to Bind operations -- it should not be returned for other
>  * operations if the client does not have sufficient permission to perform
>  * the requested operation - in this case the return code should be
>  * insufficientAccessRights. Applicable operations: Bind. Result code type:
>  * Specific (Security)
>  */
> INVALID_CREDENTIALS(49, "invalidCredentials"),
>
> Since the user with `pwdLastSet=0` has a "single-password-to-use-to-change-password", I get the feeling of INVALID_CREDENTIALS not being the correct error code.

Any error for a user trying to bind will be treated as an INVALID_CREDENTIALS, to avoid providing any information that could help a potential breach of security.

When pwdLastSet is set to 0, the user is most likely to have to provide a new password on login (typically for a new user).

Your product should explicitly deal with such cases, checking the error AD returns. Sadly, AD encapsulates the code into an error 49, so your solution provider should deal with that.

This is explained in this page:

https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
Re: Force password change on next login with Active Directory
@Emmanuel, sure I have a dialogue with them as well but since I know they use Apache Directory LDAP API and (most of) the debug logs are from `org.apache.directory`, I am trying to understand the behavior of LDAP API interacting with Active Directory.
I would expect many other users of LDAP API to face the same issue with the AD flag pwdLastSet=0, and wonder if anyone has a solution for it.

Checked the LDAP API source and it says:

```java
/**
 * This error code is returned if the Dn or password used in a simple bind
 * operation is incorrect, or if the Dn or password is incorrect for some
 * other reason, e.g. the password has expired. This result code only
 * applies to Bind operations -- it should not be returned for other
 * operations if the client does not have sufficient permission to perform
 * the requested operation - in this case the return code should be
 * insufficientAccessRights. Applicable operations: Bind. Result code type:
 * Specific (Security)
 */
INVALID_CREDENTIALS(49, "invalidCredentials"),
```

Since the user with `pwdLastSet=0` has a "single-password-to-use-to-change-password", I get the feeling of INVALID_CREDENTIALS not being the correct error code.

Tested to run an application on Windows. It didn't work, but at least the error code is much more clear:

```
C:\>runas /u:OUR_DOMAIN\dft9000 notepad.exe
Enter the password for OUR_DOMAIN\dft9000:
Attempting to start notepad.exe as user "OUR_DOMAIN\dft9000" ...
RUNAS ERROR: Unable to run - notepad.exe
1907: The user's password must be changed before signing in.
```

Regards
Joacim

On Thu, May 6, 2021 at 1:29 PM Emmanuel Lécharny wrote:
Re: Force password change on next login with Active Directory
Hi,

I will focus on the important part of your message:

"We are using a commercial IdP product (Curity)"

The best you can do is to ask them about the error you've got.

On 06/05/2021 09:43, 4 Integration wrote:
Force password change on next login with Active Directory
Hi,

We are using a commercial IdP product (Curity) which in turn uses Apache Directory API and we integrate with our Active Directory (AD).

When adding new accounts/users in AD we set the flag `pwdLastSet=0` (or as in AD "User must change password at next logon") and a default password.

When I try to log in I get `INVALID_CREDENTIALS` and no indication to change password.

Shouldn't the error be something else to be able to act on it?
Any other way to handle "Force password change on next logon"?

Log snippet (more complete logs attached)

```
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition from state to state , tag <0x0A>, action : Store resultCode
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.ldap.codec.actions.ldapResult.StoreResultCode - MSG_05109_RESULT_CODE_IS (INVALID_CREDENTIALS)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (TAG_STATE_START)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x04)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01000_TAG_DECODED (0x04)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (LENGTH_STATE_START)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x00)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (LENGTH_STATE_END)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x04)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01003_PARENT_LENGTH (TLV expected length stack : - 92 - 0 - null)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01006_LENGTH_DECODED (0)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (TLV_STATE_DONE)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x04)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01001_TLV_TREE (TLV0x04(0)-TLV0x61(90)-TLV0x30(0))
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition from state to state , tag <0x04>, action : Store matched Dn
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.ldap.codec.actions.ldapResult.StoreMatchedDN - MSG_05108_MATCHED_DN_IS ()
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (TAG_STATE_START)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x04)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01000_TAG_DECODED (0x04)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (LENGTH_STATE_START)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x58)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (LENGTH_STATE_END)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x38)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01003_PARENT_LENGTH (TLV expected length stack : - 90 - 0 - null)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01006_LENGTH_DECODED (88)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (VALUE_STATE_START)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE (0x38)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE (TLV_STATE_DONE)
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01014_NO_MORE_BYTE ()
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01001_TLV_TREE (TLV0x04(88)-TLV0x61(0)-TLV0x30(0))
2021-05-05T15:31:15:781+0200 DEBUG {NioProcessor-1} org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition from state to state ,
```