directory-users mailing list archives

From <Carlo.Acco...@ibs-ag.com>
Subject RE: ApacheDS differentiating Authentication Exceptions
Date Tue, 15 Nov 2011 18:11:34 GMT
Ok, when I try and bind with an expired password and all grace logins are spent, this exception
is thrown:

Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS:
Bind failed: paasword expired and max grace logins were used]


And in the LdapContext.getResponseControls() encodedValue there is this small byte array:

 [48, 3, -127, 1, 0]

Does anyone know how to interpret or decode this? 
I've seen examples of ASN.1 and BER decoders. 
I'm looking for the simplest example please. 

Thank you, Carlo Accorsi

-----Original Message-----
From: Daniel Fisher [mailto:dfisher@vt.edu] 
Sent: Thursday, November 10, 2011 4:37 PM
To: users@directory.apache.org
Subject: Re: ApacheDS differentiating Authentication Exceptions

Something like this should work:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

Hashtable<String, Object> env = new Hashtable<String, Object>();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put("java.naming.ldap.version", "3");
env.put(Context.PROVIDER_URL, this.strBaseLdapUrl);
// create the context first; the bind itself happens in reconnect() below
LdapContext ctx = new InitialLdapContext(env, null);

ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, strDn);
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, strPass);
try {
  ctx.reconnect(ctrls); // ctrls: the request controls to send with the bind
} catch (NamingException e) {
  Control[] resp = ctx.getResponseControls(); // ctx is still usable after the failed bind
}

--Daniel Fisher

On Thu, Nov 10, 2011 at 1:10 PM, <Carlo.Accorsi@ibs-ag.com> wrote:

> Hi, thanks for the suggestion. I looked at .reconnect(Control[]) but 
> my LdapContext in both cases I mention is null.
>
> This is how I'm attempting to log in a user
>
>        Hashtable env = new Hashtable();
>        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
>        env.put(Context.PROVIDER_URL, this.strBaseLdapUrl);
>        env.put(Context.SECURITY_PRINCIPAL, strDn); // user trying to login (DN here)
>        env.put(Context.SECURITY_CREDENTIALS, strPass); // incorrect password
>        env.put(Context.SECURITY_AUTHENTICATION, "simple");
>        env.put(LdapContext.CONTROL_FACTORIES, "com.my.pwfactory");
>
>        LdapContext ctx = new InitialLdapContext(env, ctrls);
>
> When the authentication exception is thrown,  ctx is null so there are 
> no response controls to be had.
> Is there a more accepted way to validate users? I don't allow 
> anonymous binds. Thanks.
>
> -----Original Message-----
> From: Daniel Fisher [mailto:dfisher@vt.edu]
> Sent: Thursday, November 10, 2011 11:32 AM
> To: users@directory.apache.org
> Subject: Re: ApacheDS differentiating Authentication Exceptions
>
> Try performing your bind with LdapContext#reconnect instead, the 
> response controls should be available to you then.
> (At least that works with OpenLDAP.)
>
> --Daniel Fisher
>
> On Thu, Nov 10, 2011 at 10:55 AM, <Carlo.Accorsi@ibs-ag.com> wrote:
>
> > Hi, Another question around failed login attempts.
> >
> > We bind like this, with the env containing the user, pass and all 
> > other props.
> >
> > LdapContext ctx = new InitialLdapContext(env,ctrls);
> >
> > When the user supplies either an incorrect password or the account 
> > is locked, a javax.naming.AuthenticationException is thrown.
> >
> > And the resulting ctx is null, so there are no Response Controls 
> > available in these cases.
> >
> > In both failure modes the stack traces are identical except for the 
> > value of ex.getMessage().
> >
> > [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229 
> > Cannot authenticate user uid=xyz,o=corp]
> > [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: account was 
> > permanently locked]
> >
> > Other than comparing the strings above, is there another way to 
> > determine which event occurred?
> >
> > We're running 2.0.0-M4-SNAPSHOT from the trunk.
> > Thank you.
> >
>
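An added decoder for the byte array quoted in the question above; it is not code from this thread or from ApacheDS. It assumes the array is the value of a password policy response control as defined in draft-behera-ldap-password-policy (SEQUENCE of an optional [0] warning CHOICE and an optional [1] error ENUMERATED), and the class name PwdPolicyResponseDecoder is made up here:

```java
// Hypothetical helper (not part of the thread or of ApacheDS): decodes the BER
// value of a password policy response control per draft-behera-ldap-password-policy.
// Input is what javax.naming.ldap.Control.getEncodedValue() returns.
public class PwdPolicyResponseDecoder {

    // Names of the error ENUMERATED in the draft, indexed by their value.
    private static final String[] ERRORS = {
        "passwordExpired", "accountLocked", "changeAfterReset",
        "passwordModNotAllowed", "mustSupplyOldPassword",
        "insufficientPasswordQuality", "passwordTooShort",
        "passwordTooYoung", "passwordInHistory"
    };

    /** Returns a readable description of the warning and/or error in the value. */
    public static String decode(byte[] v) {
        int i = 0;
        if (v.length < 2 || (v[i++] & 0xFF) != 0x30) {
            throw new IllegalArgumentException("expected SEQUENCE (0x30)");
        }
        int end = i + (v[i++] & 0xFF);   // short-form length suffices for this control
        StringBuilder out = new StringBuilder();
        while (i < end) {
            int tag = v[i++] & 0xFF;
            int len = v[i++] & 0xFF;
            if (tag == 0xA0) {           // warning [0] CHOICE, explicitly tagged (constructed)
                int innerTag = v[i] & 0xFF;        // 0x80 timeBeforeExpiration, 0x81 graceAuthNsRemaining
                long n = readInt(v, i + 2, v[i + 1] & 0xFF);
                out.append(innerTag == 0x80 ? "timeBeforeExpiration=" : "graceAuthNsRemaining=")
                   .append(n).append(' ');
            } else if (tag == 0x81) {    // error [1] ENUMERATED, implicitly tagged (primitive)
                long e = readInt(v, i, len);
                out.append("error=")
                   .append(e < ERRORS.length ? ERRORS[(int) e] : "unknown(" + e + ")").append(' ');
            }
            i += len;                    // skip the element's content (unknown tags are ignored)
        }
        return out.toString().trim();
    }

    // Big-endian unsigned read of len bytes; values here are small non-negative integers.
    private static long readInt(byte[] v, int off, int len) {
        long n = 0;
        for (int k = 0; k < len; k++) n = (n << 8) | (v[off + k] & 0xFF);
        return n;
    }

    public static void main(String[] args) {
        byte[] fromQuestion = {48, 3, -127, 1, 0};   // the array quoted in the question
        System.out.println(decode(fromQuestion));
    }
}
```

Read as BER, 48 is the SEQUENCE tag, 3 its length, -127 (0x81) the context-specific tag [1] for error, 1 the length and 0 the value, so the array decodes to error=passwordExpired, which agrees with the exception message in the question.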
