directory-api mailing list archives

From Emmanuel Lécharny <elecha...@gmail.com>
Subject Re: Force password change on next login with Active Directory
Date Thu, 06 May 2021 11:29:46 GMT
Hi,

I will focus on the important part of your message:

"We are using a commercial IdP product (Curity)"

The best you can do is to ask them about the error you've got.




On 06/05/2021 09:43, 4 Integration wrote:
> Hi,
> 
> We are using a commercial IdP product (Curity) which in turn uses
> Apache Directory API and we integrate with our Active Directory (AD).
> When adding new accounts/users in AD we set the flag `pwdLastSet=0`
> (or as in AD "User must change password at next logon") and a default
> password.
> 
> When I try to log in I get `INVALID_CREDENTIALS` and no indication to
> change password.
> 
> Shouldn't the error be something else to be able to act on it?
> Any other way to handle "Force password change on next logon"?
> 
> Log snippet (more complete logs attached)
> ```
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition
> from state <BIND_RESPONSE_STATE> to state <RESULT_CODE_BR_STATE>, tag
> <0x0A>, action : Store resultCode
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.ldap.codec.actions.ldapResult.StoreResultCode
> - MSG_05109_RESULT_CODE_IS (INVALID_CREDENTIALS)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> (TAG_STATE_START)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> (0x04)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01000_TAG_DECODED
> (0x04)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> (LENGTH_STATE_START)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> (0x00)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> (LENGTH_STATE_END)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> (0x04)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder -
> MSG_01003_PARENT_LENGTH (TLV expected length stack :  - 92 - 0 - null)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder -
> MSG_01006_LENGTH_DECODED (0)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> (TLV_STATE_DONE)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> (0x04)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01001_TLV_TREE
> (TLV0x04(0)-TLV0x61(90)-TLV0x30(0))
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition
> from state <RESULT_CODE_BR_STATE> to state <MATCHED_DN_BR_STATE>, tag
> <0x04>, action : Store matched Dn
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.ldap.codec.actions.ldapResult.StoreMatchedDN
> - MSG_05108_MATCHED_DN_IS ()
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> (TAG_STATE_START)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> (0x04)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01000_TAG_DECODED
> (0x04)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> (LENGTH_STATE_START)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> (0x58)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> (LENGTH_STATE_END)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> (0x38)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder -
> MSG_01003_PARENT_LENGTH (TLV expected length stack :  - 90 - 0 - null)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder -
> MSG_01006_LENGTH_DECODED (88)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> (VALUE_STATE_START)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
> (0x38)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
> (TLV_STATE_DONE)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01014_NO_MORE_BYTE
> ()
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01001_TLV_TREE
> (TLV0x04(88)-TLV0x61(0)-TLV0x30(0))
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition
> from state <MATCHED_DN_BR_STATE> to state <ERROR_MESSAGE_BR_STATE>,
> tag <0x04>, action : Store error message
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.ldap.codec.actions.ldapResult.StoreErrorMessage
> - MSG_05106_ERROR_MESSAGE_IS (80090308: LdapErr: DSID-0C090453,
> comment: AcceptSecurityContext error, data 773, v3839)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder -
> MSG_01009_LINE_SEPARATOR3 ()
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder -
> MSG_01015_STOP_DECODING (TLV[ 0x04, 88, DATA[0x38 0x30 0x30 0x39 0x30
> 0x33 0x30 0x38 0x3A 0x20 0x4C 0x64 0x61 0x70 0x45 0x72 0x72 0x3A 0x20
> 0x44 0x53 0x49 0x44 0x2D 0x30 0x43 0x30 0x39 0x30 0x34 0x35 0x33 0x2C
> 0x20 0x63 0x6F 0x6D 0x6D 0x65 0x6E 0x74 0x3A 0x20 0x41 0x63 0x63 0x65
> 0x70 0x74 0x53 0x65 0x63 0x75 0x72 0x69 0x74 0x79 0x43 0x6F 0x6E 0x74
> 0x65 0x78 0x74 0x20 0x65 0x72 0x72 0x6F 0x72 0x2C 0x20 0x64 0x61 0x74
> 0x61 0x20 0x37 0x37 0x33 0x2C 0x20 0x76 0x33 0x38 0x33 0x39 0x00 ]])
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.asn1.ber.Asn1Decoder -
> MSG_01010_LINE_SEPARATOR4 ()
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.api.CODEC_LOG - MSG_14002_DECODED_LDAP_MESSAGE
> (MessageType : BIND_RESPONSE
> Message ID : 21
>      BindResponse
>          Ldap Result
>              Result code : (INVALID_CREDENTIALS) invalidCredentials
>              Matched Dn : ''
>              Diagnostic message : '80090308: LdapErr: DSID-0C090453,
> comment: AcceptSecurityContext error, data 773, v3839'
> )
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.ldap.client.api.LdapNetworkConnection -
> MSG_04142_MESSAGE_RECEIVED (MessageType : BIND_RESPONSE
> Message ID : 21
>      BindResponse
>          Ldap Result
>              Result code : (INVALID_CREDENTIALS) invalidCredentials
>              Matched Dn : ''
>              Diagnostic message : '80090308: LdapErr: DSID-0C090453,
> comment: AcceptSecurityContext error, data 773, v3839'
> )
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.ldap.client.api.LdapNetworkConnection -
> MSG_04119_GETTING
> (21,org.apache.directory.ldap.client.api.future.BindFuture)
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.ldap.client.api.LdapNetworkConnection -
> MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
> Message ID : 21
>      BindResponse
>          Ldap Result
>              Result code : (INVALID_CREDENTIALS) invalidCredentials
>              Matched Dn : ''
>              Diagnostic message : '80090308: LdapErr: DSID-0C090453,
> comment: AcceptSecurityContext error, data 773, v3839'
> )
> 2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
> org.apache.directory.ldap.client.api.LdapNetworkConnection -
> MSG_04126_REMOVING
> (21,org.apache.directory.ldap.client.api.future.BindFuture)
> 2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165}
> org.apache.directory.ldap.client.api.LdapNetworkConnection -
> MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
> Message ID : 21
>      BindResponse
>          Ldap Result
>              Result code : (INVALID_CREDENTIALS) invalidCredentials
>              Matched Dn : ''
>              Diagnostic message : '80090308: LdapErr: DSID-0C090453,
> comment: AcceptSecurityContext error, data 773, v3839'
> )
> 2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165}
> org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory
> - MSG_04151_PASSIVATING
> (org.apache.directory.ldap.client.api.MonitoringLdapConnection@3dfb273)
> 2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165}
> org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory
> - MSG_04172_REBIND_BIND_CONNECTION
> (org.apache.directory.ldap.client.api.MonitoringLdapConnection@3dfb273)
> 2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165}
> org.apache.directory.ldap.client.api.LdapNetworkConnection -
> MSG_04104_SENDING_REQUEST (MessageType : BIND_REQUEST
> Message ID : 22
>      BindRequest
>          Version : '3'
>          Name : 'CN=VFIT-LDAP-Bind,OU=Users,OU=Got,OU=THE_OU,DC=our-domain,DC=net'
>          Simple authentication : '(omitted-for-safety)'
> )
> 2021-05-05T15:31:15:782+0200 DEBUG QVeFnAMU 672d43bb {req-165}
> org.apache.directory.ldap.client.api.LdapNetworkConnection -
> MSG_04106_ADDING
> (22,org.apache.directory.ldap.client.api.future.BindFuture)
> 2021-05-05T15:31:15:782+0200 DEBUG QVeFnAMU 672d43bb {req-165}
> org.apache.directory.api.CODEC_LOG - MSG_14003_ENCODED_LDAP_MESSAGE
> (MessageType : BIND_REQUEST
> Message ID : 22
>      BindRequest
>          Version : '3'
>          Name : 'CN=VFIT-LDAP-Bind,OU=Users,OU=Got,OU=THE_OU,DC=our-domain,DC=net'
>          Simple authentication : '(omitted-for-safety)'
> 
> ```
> / Joacim
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: api-unsubscribe@directory.apache.org
> For additional commands, e-mail: api-help@directory.apache.org
> 

-- 
*Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
T. +33 (0)4 89 97 36 50
P. +33 (0)6 08 33 32 61
emmanuel.lecharny@busit.com https://www.busit.com/
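
Added example, not part of either message and not code from Apache Directory API or Curity: the bind response in the quoted log carries Active Directory's sub-code in the diagnostic message (`data 773`), and a client can parse it to tell a forced password change apart from a wrong password. The class and method names and the second sample string are assumptions made for illustration; the table lists the commonly documented AD sub-codes.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AdBindDiagnostic {
    // AD sub-codes carried in the "data" field: hexadecimal Win32 error codes.
    static final Map<String, String> SUB_CODES = Map.of(
        "525", "USER_NOT_FOUND",
        "52e", "INVALID_CREDENTIALS",
        "530", "NOT_PERMITTED_AT_THIS_TIME",
        "531", "NOT_PERMITTED_FROM_THIS_WORKSTATION",
        "532", "PASSWORD_EXPIRED",
        "533", "ACCOUNT_DISABLED",
        "701", "ACCOUNT_EXPIRED",
        "773", "PASSWORD_MUST_CHANGE",
        "775", "ACCOUNT_LOCKED");

    private static final Pattern DATA = Pattern.compile("\\bdata\\s+([0-9a-fA-F]+)\\b");

    /** Extracts the hex sub-code from an AD bind diagnostic message, if present. */
    static Optional<String> subCode(String diagnostic) {
        if (diagnostic == null) return Optional.empty();
        Matcher m = DATA.matcher(diagnostic);
        return m.find() ? Optional.of(m.group(1).toLowerCase()) : Optional.empty();
    }

    /** Maps a diagnostic message to a reason; unknown or missing codes stay generic. */
    static String reason(String diagnostic) {
        return subCode(diagnostic)
            .map(c -> SUB_CODES.getOrDefault(c, "UNKNOWN_SUBCODE_" + c))
            .orElse("NO_SUBCODE");
    }

    public static void main(String[] args) {
        // Diagnostic message as it appears in the quoted log, including the trailing NUL byte.
        String fromPost = "80090308: LdapErr: DSID-0C090453, comment: "
            + "AcceptSecurityContext error, data 773, v3839\u0000";
        // Constructed sample for comparison: same shape, wrong-password sub-code.
        String constructed = "80090308: LdapErr: DSID-0C090453, comment: "
            + "AcceptSecurityContext error, data 52e, v3839\u0000";
        System.out.println(reason(fromPost));
        System.out.println(reason(constructed));
        System.out.println(reason(""));
    }
}
```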
