Subject: Re: ApacheDS differentiating Authentication Exceptions
From: Daniel Fisher <dfisher@vt.edu>
To: users@directory.apache.org
Date: Thu, 10 Nov 2011 16:37:12 -0500

Something like this should work:

Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put("java.naming.ldap.version", "3");
env.put(Context.PROVIDER_URL, this.strBaseLdapUrl);
// Open the context without credentials, so ctx exists before the user bind
LdapContext ctx = new InitialLdapContext(env, null);
ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, strDn);
ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, strPass);
try {
    ctx.reconnect(ctrls); // the bind as strDn happens here
} catch (NamingException e) {
    // ctx is still usable after a failed bind, so the response controls can be read
    Control[] responseControls = ctx.getResponseControls();
}

--Daniel Fisher

On Thu, Nov 10, 2011 at 1:10 PM, wrote:
> Hi, thanks for the suggestion. I looked at .reconnect(Control[]) but my
> LdapContext in both cases I mention is null.
>
> This is how I'm attempting to log in a user:
>
> Hashtable env = new Hashtable();
> env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
> env.put(Context.PROVIDER_URL, this.strBaseLdapUrl);
> env.put(Context.SECURITY_PRINCIPAL, strDn);      // user trying to log in (DN here)
> env.put(Context.SECURITY_CREDENTIALS, strPass);  // incorrect password
> env.put(Context.SECURITY_AUTHENTICATION, "simple");
> env.put(LdapContext.CONTROL_FACTORIES, "com.my.pwfactory");
>
> LdapContext ctx = new InitialLdapContext(env, ctrls);
>
> When the authentication exception is thrown, ctx is null, so there are no
> response controls to be had.
> Is there a more accepted way to validate users? I don't allow anonymous
> binds. Thanks.
>
> -----Original Message-----
> From: Daniel Fisher [mailto:dfisher@vt.edu]
> Sent: Thursday, November 10, 2011 11:32 AM
> To: users@directory.apache.org
> Subject: Re: ApacheDS differentiating Authentication Exceptions
>
> Try performing your bind with LdapContext#reconnect instead; the response
> controls should be available to you then.
> (At least that works with OpenLDAP.)
>
> --Daniel Fisher
>
> On Thu, Nov 10, 2011 at 10:55 AM, wrote:
>
> > Hi, another question around failed login attempts.
> >
> > We bind like this, with the env containing the user, pass and all
> > other props.
> >
> > LdapContext ctx = new InitialLdapContext(env, ctrls);
> >
> > When the user supplies either an incorrect password or the account is
> > locked, a javax.naming.AuthenticationException is thrown.
> >
> > And the resulting ctx is null, so there are no response controls
> > available in these cases.
> >
> > In both failure modes the stack traces are identical except for the
> > value of ex.getMessage().
> >
> > [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: ERR_229
> > Cannot authenticate user uid=xyz,o=corp]
> > [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: account was
> > permanently locked]
> >
> > Other than comparing the strings above, is there another way to
> > determine which event occurred?
> >
> > We're running 2.0.0-M4-SNAPSHOT from the trunk.
> > Thank you.
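The reconnect approach from Daniel's reply, carried through as an added example (not code from the thread or from ApacheDS): it attaches the draft-behera password policy request control to the bind and reads the control's error field from the bind response to tell a locked account from a plain bad password. Assumptions: the server has the password policy control enabled and returns it on a failed bind, the OID is the draft's 1.3.6.1.4.1.42.2.27.8.5.1, and the class and method names are the example's own.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
public class PolicyAwareBind {
    // draft-behera-ldap-password-policy control OID; the request control carries no value.
    static final String PP_OID = "1.3.6.1.4.1.42.2.27.8.5.1";
    // Binds as dn/pass via reconnect. Returns the 'error' code from the policy response control
    // (1 = accountLocked in the draft), -1 if the bind failed with no such code, -2 on success.
    static int bind(String url, String dn, String pass) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put("java.naming.ldap.version", "3");
        env.put(Context.PROVIDER_URL, url);
        // No credentials yet, so the context exists even when the user's bind fails later.
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, dn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, pass);
            try {
                // The simple bind is sent here, with the policy request control attached.
                ctx.reconnect(new Control[] { new BasicControl(PP_OID, Control.NONCRITICAL, null) });
                return -2;
            } catch (AuthenticationException e) {
                // Bind failed (bad password or locked account); response controls stay on ctx.
                Control[] resp = ctx.getResponseControls();
                if (resp != null) for (Control c : resp)
                    if (PP_OID.equals(c.getID())) return policyError(c.getEncodedValue());
                return -1;
            }
        } finally {
            ctx.close();
        }
    }
    // Minimal BER scan of SEQUENCE { warning [0] OPTIONAL, error [1] ENUMERATED OPTIONAL }; short-form lengths only.
    static int policyError(byte[] v) {
        if (v == null || v.length < 2 || v[0] != 0x30) return -1;
        int i = 2, end = Math.min(v.length, 2 + (v[1] & 0xFF));
        while (i + 1 < end) {
            int tag = v[i] & 0xFF, len = v[i + 1] & 0xFF;
            if (tag == 0x81 && len == 1 && i + 2 < v.length) return v[i + 2] & 0xFF; // error [1]
            i += 2 + len; // skip warning [0] or anything unexpected
        }
        return -1;
    }
}
```

A return of 1 means the directory reported accountLocked, while -1 with an AuthenticationException is the ordinary wrong-password case (or a server that did not send the control), so the two failures no longer need to be told apart by comparing exception messages.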