[
https://issues.apache.org/jira/browse/GUACAMOLE-1296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479656#comment-17479656
]
Nick Couchman commented on GUACAMOLE-1296:
------------------------------------------
[~GaryV]: When LDAP returns 773, it's not _just_ returning 773, it's also
returning an authentication failure (49 INVALID CREDENTIALS). To allow
authentication to proceed when LDAP has sent back authentication failure, no
matter what the reason code in the message, doesn't sound like a good idea to
me. I'm pretty firmly opposed to this - both in principle, but also because I
think such a method could introduce risk that this would be used as an attack
vector by malicious users trying to brute force a system by figuring out what
accounts are being rejected by just requiring a password change.
Furthermore, this isn't a problem unique to Guacamole - I did a fair amount of
searching around to see if there were other solutions to this, and it seems
like Microsoft just does not support initial password changes over LDAP - you
have to be using either Windows or something like SSPR/ADFS to accomplish this.
It's obnoxious, and Microsoft should do something to support enforced password
changes over LDAP, but they don't.
> Add support for LDAP/AD password expiration and reset
> -----------------------------------------------------
>
> Key: GUACAMOLE-1296
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1296
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-auth-ldap
> Affects Versions: 1.3.0
> Reporter: Gary V
> Priority: Minor
>
> Guacamole login fails when a user is required to set a new AD password after
> first login.
> When a user logs in, AD returns code 773, which implies the authorization is
> correct but a new password must be set immediately in the remote session.
> Guacamole login fails.
>
> Hint from catalina.out:
>   Message ID : 1
>     BindResponse
>       Ldap Result
>         Result code : (INVALID_CREDENTIALS) invalidCredentials
>         Matched Dn : ''
>         Diagnostic message : '80090308: LdapErr: DSID-0C090439, comment:
>         AcceptSecurityContext error, data 773, v4563^@'
>
> Edit some hours later:
> I was able to workaround the problem by setting the password of the users
> account to the same default password as set in AD. Then the login succeeded,
> Windows forced the user to change password, and the user was then able to
> login with the new username/password combo.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
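The bind response quoted in the issue, worked through as an added example (this is not code from Guacamole, from guacamole-auth-ldap, or from either participant in the thread). It extracts the AD "data NNN" sub-code from the diagnostic message, keeps the LDAP resultCode as the only thing that authenticates, and contrasts that with the behaviour the issue requests, where a 773 failure is let through. The sub-code table and the names `BindResult`, `ad_subcode`, `password_must_change`, `proposed_bind_succeeded`, `bind_succeeded` and `user_facing_message` are this example's own; the two sample diagnostics are constructed from the message shown in the issue.

```python
"""Classify an Active Directory LDAP bind failure without trusting it.

Constructed example; not code from Guacamole or from the Jira thread.
"""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4511 resultCode values relevant here.
LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49

# AD reports the *reason* for an AcceptSecurityContext failure as a hex
# "data NNN" field inside the diagnostic message. The resultCode is still 49.
AD_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


@dataclass(frozen=True)
class BindResult:
    """The fields of an LDAP BindResponse that matter for this decision."""
    result_code: int
    diagnostic: str = ""


def ad_subcode(diagnostic: str) -> Optional[str]:
    """Return the AD 'data' sub-code from a diagnostic message, or None."""
    m = _DATA_RE.search(diagnostic)
    return m.group(1).lower() if m else None


def password_must_change(result: BindResult) -> bool:
    """True when AD says the bind failed because the password must be reset."""
    return (result.result_code == LDAP_INVALID_CREDENTIALS
            and ad_subcode(result.diagnostic) == "773")


def proposed_bind_succeeded(result: BindResult) -> bool:
    """The behaviour the issue asks for: let a 773 failure through.

    Shown only to contrast with bind_succeeded(): it turns a failed bind
    (resultCode 49) into a login on the strength of an informational sub-code.
    """
    return result.result_code == LDAP_SUCCESS or password_must_change(result)


def bind_succeeded(result: BindResult) -> bool:
    """Only resultCode 0 authenticates. The sub-code never overrides it."""
    return result.result_code == LDAP_SUCCESS


def user_facing_message(result: BindResult, reveal_reason: bool = False) -> str:
    """Map a bind result to the string shown to the user.

    With reveal_reason=False every failure reads the same, so the response
    does not tell a caller which accounts exist or which only need a reset.
    """
    if bind_succeeded(result):
        return "Login successful."
    if not reveal_reason:
        return "Login failed."
    reason = AD_SUBCODES.get(ad_subcode(result.diagnostic) or "",
                             "invalid credentials")
    return f"Login failed: {reason}."


# Constructed samples: the diagnostic text quoted in the issue (the trailing
# '^@' in catalina.out is a NUL byte), plus an ordinary wrong-password reply.
MUST_CHANGE = BindResult(
    LDAP_INVALID_CREDENTIALS,
    "80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, "
    "data 773, v4563\x00",
)
WRONG_PASSWORD = BindResult(
    LDAP_INVALID_CREDENTIALS,
    "80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, "
    "data 52e, v4563\x00",
)


if __name__ == "__main__":
    for name, r in (("773", MUST_CHANGE), ("52e", WRONG_PASSWORD)):
        print(name, "sub-code:", ad_subcode(r.diagnostic),
              "| proposed:", proposed_bind_succeeded(r),
              "| strict:", bind_succeeded(r),
              "|", user_facing_message(r, reveal_reason=True))
```

Two things to note when adapting this. First, the sub-code lives in a free-text diagnostic string that AD may format differently across versions, so it is only ever suitable for logging or for choosing a message, never for the accept/reject decision. Second, `reveal_reason=True` is a user-enumeration trade-off in its own right: a login page that answers "user must reset password" to one username and "invalid credentials" to another tells an attacker which accounts exist, independently of whether the bind is let through.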