Hi,
Probably because the LDAP error code 49 is a generic authentication failure
error, and does not necessarily imply that credentials are invalid. The real
reason behind the failure may be hidden in a subcode returned within the
error message (in your example "ERR_229", which I think is a real invalid
credentials error in ApacheDS). Unfortunately these "sub-errors" are vendor
specific... for instance some subcodes of error 49 with Active Directory:
525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
532 - password expired
533 - account disabled
701 - account expired
773 - user must reset password
Thus, if you really want to throw meaningful subclasses of
AuthenticationException, you should override JNDI exception handling and
parse the error message according to your LDAP vendor spec.
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Can-t-get-JndiLdapRealm-to-throw-IncorrectCredentialsException-tp7578805p7578813.html
Sent from the Shiro User mailing list archive at Nabble.com.
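
The subcode parsing suggested in the message above, sketched for the Active Directory values it lists. This is an added example, not code from the original post or from Shiro. The class `AdBindErrorParser`, the `Reason` enum and the assumed message layout (`data <hex subcode>` after `error code 49`) are assumptions, and the sample messages are constructed.

```java
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.NamingException;

// Hypothetical helper, not part of Shiro or JNDI.
public class AdBindErrorParser {
    /** One value per Active Directory subcode listed in the post. */
    enum Reason {
        USER_NOT_FOUND, INVALID_CREDENTIALS, LOGON_TIME_RESTRICTED, PASSWORD_EXPIRED,
        ACCOUNT_DISABLED, ACCOUNT_EXPIRED, MUST_RESET_PASSWORD, UNKNOWN
    }
    private static final Map<String, Reason> SUBCODES = Map.of(
        "525", Reason.USER_NOT_FOUND,
        "52e", Reason.INVALID_CREDENTIALS,
        "530", Reason.LOGON_TIME_RESTRICTED,
        "532", Reason.PASSWORD_EXPIRED,
        "533", Reason.ACCOUNT_DISABLED,
        "701", Reason.ACCOUNT_EXPIRED,
        "773", Reason.MUST_RESET_PASSWORD);

    // Assumed layout: "... error code 49 - ..., data <hex subcode>, ..."
    private static final Pattern AD_SUBCODE =
        Pattern.compile("error code 49\\b.*?\\bdata\\s+([0-9a-fA-F]+)\\b");

    /** Returns UNKNOWN when the message is absent or not in the assumed AD layout. */
    static Reason classify(NamingException e) {
        String msg = e.getMessage();
        if (msg == null) return Reason.UNKNOWN;
        Matcher m = AD_SUBCODE.matcher(msg);
        if (!m.find()) return Reason.UNKNOWN;
        return SUBCODES.getOrDefault(m.group(1).toLowerCase(Locale.ROOT), Reason.UNKNOWN);
    }

    public static void main(String[] args) {
        // Constructed sample messages, not captured from a real server.
        String[] samples = {
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, comment: "
                + "AcceptSecurityContext error, data 52e, v0000]",
            "[LDAP: error code 49 - ERR_229 (message text elided)]",
            "[LDAP: error code 32 - constructed non-authentication error, data 52e]"
        };
        for (String s : samples) {
            System.out.println(classify(new AuthenticationException(s)) + " <- " + s);
        }
    }
}
```

The precise reason is best kept for server-side logs and for choosing the exception subclass; returning one uniform failure message to the client avoids disclosing which accounts exist or are disabled.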