directory-users mailing list archives

From Emmanuel Lecharny <elecha...@gmail.com>
Subject Re: ApacheDS differentiating Authentication Exceptions
Date Tue, 15 Nov 2011 18:47:29 GMT
On 11/15/11 7:11 PM, Carlo.Accorsi@ibs-ag.com wrote:
> Ok, when I try and bind with an expired password and all grace logins are spent, this exception is thrown:
>
> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: paasword expired and max grace logins were used]
>
>
> And in the LdapContext.getResponseControls() encodedValue there is this small byte array:
>
>   [48, 3, -127, 1, 0]
>
> Does anyone know how to interpret or decode this?
This stands for
0x30 0x03
   0x81 0x01 0x00

which means, when correlated with the ASN.1 grammar:

       PasswordPolicyResponseValue ::= SEQUENCE {
          warning [0] CHOICE {
             timeBeforeExpiration [0] INTEGER (0 .. maxInt),
             graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
          error   [1] ENUMERATED {
             passwordExpired             (0),
             accountLocked               (1),
             changeAfterReset            (2),
             passwordModNotAllowed       (3),
             mustSupplyOldPassword       (4),
             insufficientPasswordQuality (5),
             passwordTooShort            (6),
             passwordTooYoung            (7),
             passwordInHistory           (8) } OPTIONAL }

0x30 0x03 : SEQUENCE, 3 bytes length
0x81 : error [1] (would have been 0x80 for a warning)
0x01 : one byte length
0x00 : passwordExpired.

ASN1 can be fun, but only for people who like this part of Pulp Fiction: http://www.youtube.com/watch?v=wN2-I31Imis&feature=player_detailpage


-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
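
Added example, not part of the original message or of ApacheDS: a minimal Java decoder that applies the grammar quoted above to the byte[] taken from the response control. The class and method names are hypothetical; it assumes short-form BER lengths and that a warning arrives as a constructed [0] wrapper (0xA0) around the CHOICE, and the second sample array is constructed.

```java
import java.util.ArrayList;
import java.util.List;

public class PasswordPolicyResponse {
    static final String[] ERRORS = {
        "passwordExpired", "accountLocked", "changeAfterReset", "passwordModNotAllowed",
        "mustSupplyOldPassword", "insufficientPasswordQuality", "passwordTooShort",
        "passwordTooYoung", "passwordInHistory" };

    // Content length at b[pos]; only short-form lengths (< 0x80) that fit before 'end' are accepted.
    static int length(byte[] b, int pos, int end) {
        if (pos >= end) throw new IllegalArgumentException("truncated at offset " + pos);
        int len = b[pos] & 0xFF;   // Java bytes are signed, so mask before comparing
        if (len >= 0x80 || pos + 1 + len > end) throw new IllegalArgumentException("bad length at " + pos);
        return len;
    }

    // Big-endian integer content of 1 to 4 bytes; negatives are rejected (grammar says 0 .. maxInt).
    static int integer(byte[] b, int pos, int len) {
        if (len < 1 || len > 4 || b[pos] < 0) throw new IllegalArgumentException("bad integer at " + pos);
        int v = 0;
        for (int i = 0; i < len; i++) v = (v << 8) | (b[pos + i] & 0xFF);
        return v;
    }

    static List<String> decode(byte[] v) {
        if (v.length < 2 || v[0] != 0x30) throw new IllegalArgumentException("not a SEQUENCE");
        int end = 2 + length(v, 1, v.length);
        List<String> out = new ArrayList<>();
        for (int pos = 2; pos < end; ) {
            int tag = v[pos] & 0xFF;
            int len = length(v, pos + 1, end);
            int body = pos + 2;
            if (tag == 0xA0) {            // warning [0]: assumed constructed wrapper around the CHOICE
                if (len < 2) throw new IllegalArgumentException("empty warning");
                int choice = v[body] & 0xFF;
                int clen = length(v, body + 1, body + len);
                if (choice != 0x80 && choice != 0x81) throw new IllegalArgumentException("unknown warning");
                String name = choice == 0x80 ? "timeBeforeExpiration=" : "graceAuthNsRemaining=";
                out.add(name + integer(v, body + 2, clen));
            } else if (tag == 0x81) {     // error [1]: primitive ENUMERATED
                int code = integer(v, body, len);
                out.add("error=" + (code < ERRORS.length ? ERRORS[code] : "unknown(" + code + ")"));
            } else throw new IllegalArgumentException("unexpected tag 0x" + Integer.toHexString(tag));
            pos = body + len;
        }
        return out;
    }

    public static void main(String[] args) {
        System.out.println(decode(new byte[] { 48, 3, -127, 1, 0 }));          // value from the thread
        System.out.println(decode(new byte[] { 48, 5, -96, 3, -127, 1, 2 }));  // constructed sample
    }
}
```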

