[
https://issues.apache.org/jira/browse/GUACAMOLE-1296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479582#comment-17479582
]
Gary V commented on GUACAMOLE-1296:
-----------------------------------
[~vnick] :
Sorry for this late response.
The wording of my bug report was altered, which kind of changed my whole
message... :)
My idea is that this error code 773 should be accepted as having given the
correct credentials; error code 52e is INVALID_CREDENTIALS. When the RDP session
is then started, Windows itself will present a change-password screen.
As I write this, I must admit I'm not using NLA, but RDP auth, because I can't
get NLA working with the openid-module, but that's a different issue :P
The workaround I used, which was setting the user's temporary password on both
the user's account in Windows and the user's account in the SQL database, works
because the LDAP module fails on the error 773, after which it falls back to
SQL, and then the same credentials are accepted.
[https://dotcms.com/docs/latest/active-directory-error-codes|http://example.com/]
> Add support for LDAP/AD password expiration and reset
> -----------------------------------------------------
>
> Key: GUACAMOLE-1296
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1296
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-auth-ldap
> Affects Versions: 1.3.0
> Reporter: Gary V
> Priority: Minor
>
> Guacamole login fails when a user is required to set a new AD password after
> first login.
> When a user logs in, AD returns code 773, which implies the authorization is
> correct but a new password must be set immediately in the remote session.
> Guacamole login fails.
>
> Hint from catalina.out:
> Message ID : 1
> BindResponse
> Ldap Result
> Result code : (INVALID_CREDENTIALS) invalidCredentials
> Matched Dn : ''
> Diagnostic message : '80090308: LdapErr: DSID-0C090439, comment:
> AcceptSecurityContext error, data 773, v4563^@'
>
> Edit some hours later:
> I was able to workaround the problem by setting the password of the users
> account to the same default password as set in AD. Then the login succeeded,
> Windows forced the user to change password, and the user was then able to
> login with the new username/password combo.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
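
The distinction the thread turns on (sub-code 773 versus 52e inside an LDAP INVALID_CREDENTIALS result) can be made explicit by parsing the AD diagnostic message. The Python below is an added example, not code from Guacamole or from the reporter; the names `BindOutcome`, `AD_SUBCODES` and `classify_bind_failure` are hypothetical, and the table goes beyond the two codes named in the thread by including other well-known AD logon sub-codes.

```python
import re
from enum import Enum


class BindOutcome(Enum):
    BAD_CREDENTIALS = "bad_credentials"
    PASSWORD_CHANGE_REQUIRED = "password_change_required"
    ACCOUNT_RESTRICTED = "account_restricted"
    UNKNOWN = "unknown"


# Hex sub-codes AD places after "data" (Win32 logon error numbers).
AD_SUBCODES = {
    0x525: ("user not found", BindOutcome.BAD_CREDENTIALS),
    0x52E: ("invalid credentials", BindOutcome.BAD_CREDENTIALS),
    0x530: ("logon not permitted at this time", BindOutcome.ACCOUNT_RESTRICTED),
    0x531: ("logon not permitted from this workstation", BindOutcome.ACCOUNT_RESTRICTED),
    0x532: ("password expired", BindOutcome.PASSWORD_CHANGE_REQUIRED),
    0x533: ("account disabled", BindOutcome.ACCOUNT_RESTRICTED),
    0x701: ("account expired", BindOutcome.ACCOUNT_RESTRICTED),
    0x773: ("user must reset password", BindOutcome.PASSWORD_CHANGE_REQUIRED),
    0x775: ("account locked out", BindOutcome.ACCOUNT_RESTRICTED),
}

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+),")


def classify_bind_failure(diagnostic):
    """Return (sub_code, meaning, outcome) for an AD bind diagnostic message."""
    # The log on the page shows a trailing NUL (^@); strip it before matching.
    match = _DATA_RE.search(diagnostic.replace("\x00", ""))
    if match is None:
        # Fail closed: an unparseable message is never treated as a valid password.
        return None, "no AD sub-code found", BindOutcome.UNKNOWN
    code = int(match.group(1), 16)
    meaning, outcome = AD_SUBCODES.get(code, ("unrecognised sub-code", BindOutcome.UNKNOWN))
    return code, meaning, outcome


# Diagnostic message from the issue text (joined onto one line, ^@ written as NUL).
PAGE_MESSAGE = ("80090308: LdapErr: DSID-0C090439, comment: "
                "AcceptSecurityContext error, data 773, v4563\x00")
# Constructed sample for a wrong password; the DSID and version are copied from above.
WRONG_PASSWORD = ("80090308: LdapErr: DSID-0C090439, comment: "
                  "AcceptSecurityContext error, data 52e, v4563\x00")

if __name__ == "__main__":
    for msg in (PAGE_MESSAGE, WRONG_PASSWORD, "connection reset"):
        print(classify_bind_failure(msg))
```

A caller should treat every outcome other than PASSWORD_CHANGE_REQUIRED, UNKNOWN included, as a failed login.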