directory-api mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Force password change on next login with Active Directory
Date Thu, 06 May 2021 13:31:19 GMT


On 06/05/2021 14:08, 4 Integration wrote:
> @Emmanuel, sure I have a dialogue with them as well but since I know
> they use Apache Directory LDAP API and (most) the debug logs are from
> `org.apache.directory` trying to understand the behavior of LDAP API
> interacting with Active Directory.
> I would expect many other users of LDAP API facing the same issue with
> AD flag pwdLastSet=0 and if anyone has a solution for it.
> 
> Checked the LDAP API source and it says:
> 
>      /**
>       * This error code is returned if the Dn or password used in a simple bind
>       * operation is incorrect, or if the Dn or password is incorrect for some
>       * other reason, e.g. the password has expired. This result code only
>       * applies to Bind operations -- it should not be returned for other
>       * operations if the client does not have sufficient permission to perform
>       * the requested operation - in this case the return code should be
>       * insufficientAccessRights. Applicable operations: Bind. Result code type:
>       * Specific (Security)
>       */
>      INVALID_CREDENTIALS(49, "invalidCredentials"),
> 
> Since the user with `pwdLastSet=0` has a
> "single-password-to-use-to-change-password", I get the feeling that
> INVALID_CREDENTIALS is not the correct error code.

Any error for a user trying to bind will be treated as an 
INVALID_CREDENTIALS, to avoid providing any information that could help 
a potential breach of security.

When pwdLastSet is set to 0, the user is most likely to have to provide 
a new password on login (typically for a new user).

Your product should explicitly deal with such cases, checking the error 
AD returns. Sadly, AD encapsulates the code into an error 49, so your 
solution provider should deal with that.

This is explained in this page:

https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors

-- 
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecharny@busit.com https://www.busit.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: api-unsubscribe@directory.apache.org
For additional commands, e-mail: api-help@directory.apache.org

