[
https://issues.apache.org/jira/browse/GUACAMOLE-1296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17467088#comment-17467088
]
Nick Couchman commented on GUACAMOLE-1296:
------------------------------------------
[~GaryV]: I'm not sure that this is possible, based on the error messages
you've provided and some research that I've done. In particular, LDAP is
returning result code 49, INVALID CREDENTIALS, when this password change is
required. While it returns an error indicating that the password needs to be
changed (773), the bind is still failing.
I've yet to find a solution that allows for changing an Active Directory user's
password via LDAP when it is forced at the next logon. If someone else is aware
of a way to do this over LDAP, feel free to update things here.
> Add support for LDAP/AD password expiration and reset
> -----------------------------------------------------
>
> Key: GUACAMOLE-1296
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1296
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-auth-ldap
> Affects Versions: 1.3.0
> Reporter: Gary V
> Priority: Minor
>
> Guacamole login fails when a user is required to set a new AD password after
> first login.
> When a user logs in, AD returns code 773, which implies the authorization is
> correct but a new password must be set immediately in the remote session.
> Guacamole login fails.
>
> Hint from catalina.out:
> Message ID : 1
>  BindResponse
>  Ldap Result
>  Result code : (INVALID_CREDENTIALS) invalidCredentials
>  Matched Dn : ''
>  Diagnostic message : '80090308: LdapErr: DSID-0C090439, comment:
> AcceptSecurityContext error, data 773, v4563^@'
>
> Edit some hours later:
> I was able to work around the problem by setting the password of the user's
> account to the same default password as set in AD. Then the login succeeded,
> Windows forced the user to change password, and the user was then able to
> log in with the new username/password combo.
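
Added example (not part of the Jira thread and not Guacamole code): a small Python parser that pulls the "data" sub-code out of Active Directory bind diagnostics such as the one quoted above, so that result code 49 failures caused by a required password change (773) can be told apart from genuinely wrong passwords (52e) when reviewing catalina.out. It goes beyond the single 773 case on the page by covering the other common sub-codes; the function names and the sample log are assumptions made for this example.

```python
import re

# Win32 error codes that Active Directory reports, in hexadecimal, after
# "data" in the diagnostic message of a failed bind (LDAP result code 49).
AD_BIND_SUBCODES = {
    0x525: "ERROR_NO_SUCH_USER",
    0x52E: "ERROR_LOGON_FAILURE",
    0x530: "ERROR_INVALID_LOGON_HOURS",
    0x531: "ERROR_INVALID_WORKSTATION",
    0x532: "ERROR_PASSWORD_EXPIRED",
    0x533: "ERROR_ACCOUNT_DISABLED",
    0x701: "ERROR_ACCOUNT_EXPIRED",
    0x773: "ERROR_PASSWORD_MUST_CHANGE",
    0x775: "ERROR_ACCOUNT_LOCKED_OUT",
}
# Sub-codes meaning the account needs a new password before it can bind.
PASSWORD_CHANGE_NEEDED = {0x532, 0x773}

# \s+ tolerates the line wrapping seen in mail and log excerpts.
DIAG_RE = re.compile(r"AcceptSecurityContext\s+error,\s+data\s+([0-9a-fA-F]+)\b")


def classify_subcode(code):
    """Return (code, Win32 name, needs_password_change) for one sub-code."""
    name = AD_BIND_SUBCODES.get(code, "UNKNOWN")
    return code, name, code in PASSWORD_CHANGE_NEEDED


def scan_log(text):
    """Classify every AD bind diagnostic found in a log excerpt."""
    text = text.replace("\x00", "")  # the trailing ^@ in the log is a NUL byte
    return [classify_subcode(int(m.group(1), 16)) for m in DIAG_RE.finditer(text)]


# Constructed sample: the first entry reuses the diagnostic quoted in the
# issue; the second is a made-up wrong-password failure for comparison.
SAMPLE_LOG = (
    "Diagnostic message : '80090308: LdapErr: DSID-0C090439, comment:\n"
    "AcceptSecurityContext error, data 773, v4563\x00'\n"
    "Diagnostic message : '80090308: LdapErr: DSID-0C090439, comment: "
    "AcceptSecurityContext error, data 52e, v4563\x00'\n"
)

if __name__ == "__main__":
    for code, name, change in scan_log(SAMPLE_LOG):
        print(f"data {code:x}: {name} (password change needed: {change})")
```

The sub-code is hexadecimal, so "773" must be parsed base 16 (decimal 1907) before it is compared with Win32 error constants.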