directory-api mailing list archives

From 4 Integration <4integrat...@gmail.com>
Subject Re: Force password change on next login with Active Directory
Date Wed, 19 May 2021 10:26:29 GMT
Hi again,

I noticed that when using LdapConnectionTemplate and authenticate(...), it
doesn't return any useful error codes in the exception, and no
PasswordWarning either.
Shouldn't this scenario return a PasswordWarning?
https://nightlies.apache.org/directory/api/2.0.1/apidocs/org/apache/directory/ldap/client/template/PasswordWarning.html

If I use LdapNetworkConnection and connection.bind(...), it returns an LdapException with
the message
80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839
where 773 is what is expected.

It feels like LdapConnectionTemplate has a (few) bug(s).

Regards
Joacim



On Tue, May 18, 2021 at 11:03 AM 4 Integration <4integration@gmail.com>
wrote:

> Hi again,
>
> I have had a discussion with our vendor, but they have difficulties determining
> the underlying root cause beyond error 49 (INVALID_CREDENTIALS). I made a
> simple Java application to test this and cannot find anything more when
> debugging the PasswordException.
> Do you have any guidance on what to look for?
>
> My authentication method:
>
> ```java
> // Imports from Apache Directory LDAP API 2.x, added so the method compiles on its own
> import org.apache.directory.api.ldap.model.message.SearchScope;
> import org.apache.directory.ldap.client.api.DefaultPoolableLdapConnectionFactory;
> import org.apache.directory.ldap.client.api.LdapConnectionConfig;
> import org.apache.directory.ldap.client.api.LdapConnectionPool;
> import org.apache.directory.ldap.client.api.NoVerificationTrustManager;
> import org.apache.directory.ldap.client.template.LdapConnectionTemplate;
> import org.apache.directory.ldap.client.template.PasswordWarning;
> import org.apache.directory.ldap.client.template.exception.PasswordException;
>
> public void authenticate(String uid, String password) {
>     String status = "";
>     try {
>         LdapConnectionConfig config = new LdapConnectionConfig();
>         config.setUseSsl(true);
>         config.setLdapHost("activedirectory.domain.net");
>         config.setLdapPort(636);
>         // Disables TLS certificate verification: acceptable for a test harness only
>         config.setTrustManagers(new NoVerificationTrustManager());
>         // Management account used for the initial search; the user bind happens in authenticate(...)
>         config.setName(_ldapMgmtUser);
>         config.setCredentials(_ldapMgmtPassword);
>
>         final DefaultPoolableLdapConnectionFactory factory =
>             new DefaultPoolableLdapConnectionFactory(config);
>         final LdapConnectionPool pool = new LdapConnectionPool(factory);
>         pool.setTestOnBorrow(true);
>         final LdapConnectionTemplate ldapConnectionTemplate = new LdapConnectionTemplate(pool);
>
>         // Searches for the user under _rootDn by sAMAccountName, then binds as that user.
>         // uid is concatenated into the filter unescaped; a real application should
>         // filter-escape it (e.g. with FilterEncoder) before building the filter.
>         final PasswordWarning warning = ldapConnectionTemplate.authenticate(
>             _rootDn, "(sAMAccountName=" + uid + ")", SearchScope.SUBTREE, password.toCharArray());
>
>         status = "User credentials authenticated";
>         if (warning != null) {
>             status = status + " \n Warning!!" + warning.toString();
>         }
>         System.out.println(status);
>     } catch (final PasswordException e) {
>         System.err.println("############# PasswordException #############");
>         status = e.toString();
>         e.printStackTrace();
>     } catch (Exception e) {
>         System.err.println("############# Exception #############");
>         e.printStackTrace();
>     }
> }
> ```
>
> Regards
> Joacim
>
>
>
>
> On Thu, May 6, 2021 at 3:31 PM Emmanuel Lécharny <elecharny@gmail.com>
> wrote:
>
>>
>>
>> On 06/05/2021 14:08, 4 Integration wrote:
>> > @Emmanuel, sure, I have a dialogue with them as well, but since I know
>> > they use Apache Directory LDAP API and (most of) the debug logs are from
>> > `org.apache.directory`, I am trying to understand the behavior of LDAP API
>> > interacting with Active Directory.
>> > I would expect many other users of LDAP API to face the same issue with
>> > the AD flag pwdLastSet=0, and wonder if anyone has a solution for it.
>> >
>> > Checked the LDAP API source and it says:
>> >
>> >     /**
>> >      * This error code is returned if the Dn or password used in a simple bind
>> >      * operation is incorrect, or if the Dn or password is incorrect for some
>> >      * other reason, e.g. the password has expired. This result code only
>> >      * applies to Bind operations -- it should not be returned for other
>> >      * operations if the client does not have sufficient permission to perform
>> >      * the requested operation - in this case the return code should be
>> >      * insufficientAccessRights. Applicable operations: Bind. Result code type:
>> >      * Specific (Security)
>> >      */
>> >     INVALID_CREDENTIALS(49, "invalidCredentials"),
>> >
>> > Since the user with `pwdLastSet=0` and have a
>> > "single-password-to-use-to-change-password", I get the feeling of
>> > INVALID_CREDENTIALS not being the correct error code.
>>
>> Any error for a user trying to bind will be treated as
>> INVALID_CREDENTIALS, to avoid providing any information that could help
>> a potential breach of security.
>>
>> When pwdLastSet is set to 0, the user is most likely to have to provide
>> a new password on login (typically for a new user).
>>
>> Your product should explicitly deal with such cases, checking the error
>> AD returns. Sadly, AD encapsulates the code into an error 49, so your
>> solution provider should deal with that.
>>
>> This is explained in this page:
>>
>> https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
>>
>> --
>> *Emmanuel Lécharny - CTO* 205 Promenade des Anglais – 06200 NICE
>> T. +33 (0)4 89 97 36 50
>> P. +33 (0)6 08 33 32 61
>> emmanuel.lecharny@busit.com https://www.busit.com/
>>
>>
>>
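An added example, not code from this thread or from the Apache Directory project: a small decoder for the AD sub-code that the bind diagnostic quoted above carries after `data`. It is meant to be fed the message of the LdapException that LdapNetworkConnection.bind(...) throws; the class and method names are my own, and the sub-code table is the standard Active Directory list (773 is the "must change password" case discussed here). Only that one case is surfaced to the end user; every other sub-code stays a generic failure, so the application does not undo the masking AD applies with result 49, and the detail goes to the server-side log instead.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Decodes the AD-specific sub-code that AD hides inside an LDAP result 49 bind failure. */
public final class AdBindErrorDecoder {
    // Standard AD sub-codes placed after "data " in the diagnostic message (hex, as AD prints them).
    private static final Map<String, String> SUBCODES = Map.of(
        "525", "user not found",
        "52e", "invalid credentials",
        "530", "logon not permitted at this time",
        "531", "logon not permitted at this workstation",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must change password",
        "775", "account locked out");
    private static final Pattern DATA =
        Pattern.compile("AcceptSecurityContext error, data ([0-9a-fA-F]+)");

    /** Extracts the sub-code, or empty if the text is not an AD bind diagnostic. */
    public static Optional<String> subcode(String diagnostic) {
        Matcher m = DATA.matcher(diagnostic == null ? "" : diagnostic);
        return m.find() ? Optional.of(m.group(1).toLowerCase()) : Optional.empty();
    }

    /** End-user message: only data 773 (credentials right, password change pending) is
     *  disclosed; every other sub-code stays generic so the app keeps AD's masking intact. */
    public static String userFacingMessage(String diagnostic) {
        return "773".equals(subcode(diagnostic).orElse(""))
            ? "Your password must be changed before you can sign in."
            : "Invalid credentials.";
    }

    /** Detail for the server-side log, where the distinction between sub-codes is useful. */
    public static String logDetail(String diagnostic) {
        return subcode(diagnostic)
            .map(c -> "AD bind failed, data " + c + " (" + SUBCODES.getOrDefault(c, "unknown") + ")")
            .orElse("bind failed, no AD sub-code in diagnostic");
    }

    public static void main(String[] args) {
        // Constructed sample: the diagnostic quoted in the thread, data 773
        String msg = "80090308: LdapErr: DSID-0C090453, comment: AcceptSecurityContext error, data 773, v3839";
        System.out.println(logDetail(msg));
        System.out.println(userFacingMessage(msg));
    }
}
```

In the application, call `userFacingMessage(e.getMessage())` from the catch block around `bind(...)` and route the user to the change-password flow when it reports the 773 case.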
