directory-api mailing list archives

From 4 Integration <4integrat...@gmail.com>
Subject Force password change on next login with Active Directory
Date Thu, 06 May 2021 07:43:59 GMT
Hi,

We are using a commercial IdP product (Curity) which in turn uses
Apache Directory API and we integrate with our Active Directory (AD).
When adding new accounts/users in AD we set the flag `pwdLastSet=0`
(or as in AD "User must change password at next logon") and a default
password.

When I try to log in I get `INVALID_CREDENTIALS` and no indication to
change password.

Shouldn't the error be something else to be able to act on it?
Any other way to handle "Force password change on next logon"?

Log snippet (more complete logs attached):
```
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition
from state <BIND_RESPONSE_STATE> to state <RESULT_CODE_BR_STATE>, tag
<0x0A>, action : Store resultCode
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.ldap.codec.actions.ldapResult.StoreResultCode
- MSG_05109_RESULT_CODE_IS (INVALID_CREDENTIALS)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
(TAG_STATE_START)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
(0x04)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01000_TAG_DECODED
(0x04)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
(LENGTH_STATE_START)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
(0x00)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
(LENGTH_STATE_END)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
(0x04)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder -
MSG_01003_PARENT_LENGTH (TLV expected length stack :  - 92 - 0 - null)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder -
MSG_01006_LENGTH_DECODED (0)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
(TLV_STATE_DONE)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
(0x04)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01001_TLV_TREE
(TLV0x04(0)-TLV0x61(90)-TLV0x30(0))
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition
from state <RESULT_CODE_BR_STATE> to state <MATCHED_DN_BR_STATE>, tag
<0x04>, action : Store matched Dn
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.ldap.codec.actions.ldapResult.StoreMatchedDN
- MSG_05108_MATCHED_DN_IS ()
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
(TAG_STATE_START)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
(0x04)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01000_TAG_DECODED
(0x04)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
(LENGTH_STATE_START)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
(0x58)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
(LENGTH_STATE_END)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
(0x38)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder -
MSG_01003_PARENT_LENGTH (TLV expected length stack :  - 90 - 0 - null)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder -
MSG_01006_LENGTH_DECODED (88)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
(VALUE_STATE_START)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01013_CURRENT_BYTE
(0x38)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01012_STATE
(TLV_STATE_DONE)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01014_NO_MORE_BYTE
()
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder - MSG_01001_TLV_TREE
(TLV0x04(88)-TLV0x61(0)-TLV0x30(0))
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.grammar.AbstractGrammar - Transition
from state <MATCHED_DN_BR_STATE> to state <ERROR_MESSAGE_BR_STATE>,
tag <0x04>, action : Store error message
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.ldap.codec.actions.ldapResult.StoreErrorMessage
- MSG_05106_ERROR_MESSAGE_IS (80090308: LdapErr: DSID-0C090453,
comment: AcceptSecurityContext error, data 773, v3839)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder -
MSG_01009_LINE_SEPARATOR3 ()
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder -
MSG_01015_STOP_DECODING (TLV[ 0x04, 88, DATA[0x38 0x30 0x30 0x39 0x30
0x33 0x30 0x38 0x3A 0x20 0x4C 0x64 0x61 0x70 0x45 0x72 0x72 0x3A 0x20
0x44 0x53 0x49 0x44 0x2D 0x30 0x43 0x30 0x39 0x30 0x34 0x35 0x33 0x2C
0x20 0x63 0x6F 0x6D 0x6D 0x65 0x6E 0x74 0x3A 0x20 0x41 0x63 0x63 0x65
0x70 0x74 0x53 0x65 0x63 0x75 0x72 0x69 0x74 0x79 0x43 0x6F 0x6E 0x74
0x65 0x78 0x74 0x20 0x65 0x72 0x72 0x6F 0x72 0x2C 0x20 0x64 0x61 0x74
0x61 0x20 0x37 0x37 0x33 0x2C 0x20 0x76 0x33 0x38 0x33 0x39 0x00 ]])
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.asn1.ber.Asn1Decoder -
MSG_01010_LINE_SEPARATOR4 ()
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.api.CODEC_LOG - MSG_14002_DECODED_LDAP_MESSAGE
(MessageType : BIND_RESPONSE
Message ID : 21
    BindResponse
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : ''
            Diagnostic message : '80090308: LdapErr: DSID-0C090453,
comment: AcceptSecurityContext error, data 773, v3839'
)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.ldap.client.api.LdapNetworkConnection -
MSG_04142_MESSAGE_RECEIVED (MessageType : BIND_RESPONSE
Message ID : 21
    BindResponse
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : ''
            Diagnostic message : '80090308: LdapErr: DSID-0C090453,
comment: AcceptSecurityContext error, data 773, v3839'
)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.ldap.client.api.LdapNetworkConnection -
MSG_04119_GETTING
(21,org.apache.directory.ldap.client.api.future.BindFuture)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.ldap.client.api.LdapNetworkConnection -
MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
Message ID : 21
    BindResponse
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : ''
            Diagnostic message : '80090308: LdapErr: DSID-0C090453,
comment: AcceptSecurityContext error, data 773, v3839'
)
2021-05-05T15:31:15:781+0200 DEBUG   {NioProcessor-1}
org.apache.directory.ldap.client.api.LdapNetworkConnection -
MSG_04126_REMOVING
(21,org.apache.directory.ldap.client.api.future.BindFuture)
2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165}
org.apache.directory.ldap.client.api.LdapNetworkConnection -
MSG_04100_BIND_FAIL (MessageType : BIND_RESPONSE
Message ID : 21
    BindResponse
        Ldap Result
            Result code : (INVALID_CREDENTIALS) invalidCredentials
            Matched Dn : ''
            Diagnostic message : '80090308: LdapErr: DSID-0C090453,
comment: AcceptSecurityContext error, data 773, v3839'
)
2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165}
org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory
- MSG_04151_PASSIVATING
(org.apache.directory.ldap.client.api.MonitoringLdapConnection@3dfb273)
2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165}
org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory
- MSG_04172_REBIND_BIND_CONNECTION
(org.apache.directory.ldap.client.api.MonitoringLdapConnection@3dfb273)
2021-05-05T15:31:15:781+0200 DEBUG QVeFnAMU 672d43bb {req-165}
org.apache.directory.ldap.client.api.LdapNetworkConnection -
MSG_04104_SENDING_REQUEST (MessageType : BIND_REQUEST
Message ID : 22
    BindRequest
        Version : '3'
        Name : 'CN=VFIT-LDAP-Bind,OU=Users,OU=Got,OU=THE_OU,DC=our-domain,DC=net'
        Simple authentication : '(omitted-for-safety)'
)
2021-05-05T15:31:15:782+0200 DEBUG QVeFnAMU 672d43bb {req-165}
org.apache.directory.ldap.client.api.LdapNetworkConnection -
MSG_04106_ADDING
(22,org.apache.directory.ldap.client.api.future.BindFuture)
2021-05-05T15:31:15:782+0200 DEBUG QVeFnAMU 672d43bb {req-165}
org.apache.directory.api.CODEC_LOG - MSG_14003_ENCODED_LDAP_MESSAGE
(MessageType : BIND_REQUEST
Message ID : 22
    BindRequest
        Version : '3'
        Name : 'CN=VFIT-LDAP-Bind,OU=Users,OU=Got,OU=THE_OU,DC=our-domain,DC=net'
        Simple authentication : '(omitted-for-safety)'

```
/ Joacim
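
Added example, not part of the original message and not code from Apache Directory API or Curity: the diagnostic message in the log carries an AD sub-code after `data` (a Win32 error code in hex, where 773 is ERROR_PASSWORD_MUST_CHANGE), so a client can tell a forced password change apart from a wrong password. The class name `AdBindDiagnostic` and the reason labels are hypothetical.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AdBindDiagnostic {

    // Win32 error codes (hex) that AD reports after "data" when a bind fails.
    // The label strings are this example's own names, not library constants.
    private static final Map<Integer, String> REASONS = Map.of(
        0x525, "USER_NOT_FOUND",
        0x52e, "BAD_PASSWORD",
        0x530, "LOGON_HOURS_RESTRICTION",
        0x531, "WORKSTATION_RESTRICTION",
        0x532, "PASSWORD_EXPIRED",
        0x533, "ACCOUNT_DISABLED",
        0x701, "ACCOUNT_EXPIRED",
        0x773, "PASSWORD_MUST_CHANGE",
        0x775, "ACCOUNT_LOCKED");

    // Matches the "data 773" field of "... AcceptSecurityContext error, data 773, v3839".
    private static final Pattern DATA = Pattern.compile("\\bdata\\s+([0-9a-fA-F]{1,8})\\b");

    /** Returns the sub-code, or empty when the message has no "data" field. */
    static Optional<Integer> subCode(String diagnostic) {
        if (diagnostic == null) return Optional.empty();
        Matcher m = DATA.matcher(diagnostic);
        return m.find() ? Optional.of(Integer.parseUnsignedInt(m.group(1), 16)) : Optional.empty();
    }

    /** Maps a diagnostic message to a reason label; unknown codes are kept visible. */
    static String classify(String diagnostic) {
        return subCode(diagnostic)
            .map(c -> REASONS.getOrDefault(c, "UNKNOWN_0x" + Integer.toHexString(c)))
            .orElse("NO_SUB_CODE");
    }

    public static void main(String[] args) {
        // Diagnostic message as it appears in the log above. With Apache Directory API the
        // string is returned by BindResponse.getLdapResult().getDiagnosticMessage().
        String fromLog = "80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839";
        // Constructed sample: same shape, with the wrong-password sub-code.
        String constructed = "80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 52e, v3839";
        System.out.println(classify(fromLog));      // PASSWORD_MUST_CHANGE
        System.out.println(classify(constructed));  // BAD_PASSWORD
        System.out.println(classify(""));           // NO_SUB_CODE
    }
}
```

Use the sub-code server-side to choose the next step, such as routing to a password-change flow. Returning it verbatim to an unauthenticated client discloses account state.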
