1

I use UnboundID for authentication against Active Directory. I have the same error code when I authenticate with the wrong password and when the user is configured with “user must change password at next logon”.

“wrong password” exception:

LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece

“user must change password at next logon” exception:

LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773, vece

The only difference is the value after the word data in the exception message. I do not want to rely on the message. How can I distinguish between the “user must change password at next logon” and “wrong password” use cases?

Michael

1 Answer

3

A quick look at this page:

http://ldapwiki.willeke.com/wiki/Common%20Active%20Directory%20Bind%20Errors

Shows that:

data 52e = Returns when username is valid but password/credential is invalid.

data 773 = Entry's password must be changed before logging on LDAP pwdLastSet: value of 0 indicates admin-required password change - MUST_CHANGE_PASSWD

-jim

jwilleke
  • Thanks for your answer (+1)! Do we have any RFC for sub-codes? Or is it vendor related? http://www.novell.com/coolsolutions/tip/18470.html Also, how is it possible to get the sub-codes in a more conventional way? I do not want to parse the exception message. – Michael Jun 27 '13 at 06:15
  • It is all vendor specific. AFAIK, you will have to parse if you want that information. If you find a better way, please advise. – jwilleke Jun 27 '13 at 17:20
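
Since the thread concludes that the sub-code is vendor specific and has to be parsed out of the message, the parsing can at least be isolated in one small, fail-closed helper. This is an added example, not code from the question or the answer; the class, enum and method names are hypothetical, and only the two sub-codes quoted above (52e and 773) are mapped.

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AdBindSubCode {

    /** Outcomes distinguished here; every other sub-code stays UNKNOWN. */
    enum BindFailure { WRONG_PASSWORD, MUST_CHANGE_PASSWORD, UNKNOWN }

    // Active Directory appends the sub-code as a hex number after the word "data",
    // e.g. "... AcceptSecurityContext error, data 52e, ..."
    private static final Pattern DATA =
            Pattern.compile("\\bdata\\s+([0-9a-fA-F]+)\\b");

    /**
     * Classifies the diagnostic message of a resultCode=49 bind failure.
     * With UnboundID the input would be e.getDiagnosticMessage(), checked only
     * after e.getResultCode() == ResultCode.INVALID_CREDENTIALS.
     */
    static BindFailure classify(String diagnosticMessage) {
        if (diagnosticMessage == null) {
            return BindFailure.UNKNOWN;
        }
        Matcher m = DATA.matcher(diagnosticMessage);
        if (!m.find()) {
            // Non-AD server or changed message format: treat as a plain failure.
            return BindFailure.UNKNOWN;
        }
        switch (m.group(1).toLowerCase(Locale.ROOT)) {
            case "52e": return BindFailure.WRONG_PASSWORD;
            case "773": return BindFailure.MUST_CHANGE_PASSWORD;
            default:    return BindFailure.UNKNOWN;
        }
    }

    public static void main(String[] args) {
        // Constructed samples modelled on the two messages in the question;
        // the tail after the sub-code is deliberately left out.
        String prefix = "80090308: LdapErr: DSID-0C090334, "
                + "comment: AcceptSecurityContext error, data ";
        System.out.println(classify(prefix + "52e, (rest omitted)"));
        System.out.println(classify(prefix + "773, (rest omitted)"));
        System.out.println(classify("some other directory server message"));
        System.out.println(classify(null));
    }
}
```

Treating every unrecognised or missing sub-code as `UNKNOWN` keeps the login path from granting or redirecting on a message format it does not understand; only `MUST_CHANGE_PASSWORD` should ever route the user to a password-change flow.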