
Expired Password Status Code

Open cjbush opened this issue 10 years ago • 2 comments

If I have a user "Bob" whose account is brand new in LDAP, and I give him a temporary password of "Password123", when he tries to log in the result code is ResultCodeInvalidCredentials. This makes it virtually impossible to change his password, as a typical password changing dialog would have something along the lines of:

Username:
Password:
New Password:
Confirmation:

In order to validate that Bob is entering his current, temporary password correctly, there should really be a new result status such as ResultCodeExpiredPassword or ResultCodeUserMustChangePassword so that a script can determine whether it's an actual authentication issue or just the issue of his expired password. It looks as though there is a data code associated with code 49 that provides more detail as to why the authentication failed. For example, a failed login due to an expired password is really a 49/532. http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes

cjbush avatar Jan 30 '15 03:01 cjbush

@cjbush what directory are you using? The library does support error code 49/532, but the directory has to return it.

jch avatar Jan 30 '15 22:01 jch

Sorry to resurrect a really old thread, but I'm having this issue as well and can't work out a way to differentiate between expired credentials and purely invalid credentials, without manually parsing the error_message attribute of #get_operation_result?

i.e.

[...]
ldap.bind
result = ldap.get_operation_result
# match? returns true/false; the original .length call would raise NoMethodError on nil when the subcode is absent
password_has_expired = result.error_message.to_s.match?(/AcceptSecurityContext error, data 532/i)

When authenticating with valid, expired credentials, the response code is simply 49. Should this be something like 49/532, instead?

(byebug) ldap.get_operation_result
#<OpenStruct extended_response=nil, code=49, error_message="80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 532, v2580\u0000", matched_dn="", message="Invalid Credentials">

If there should be a way to differentiate between the different scenarios (where error code 49 is returned), but isn't, would you be open to accepting a PR to add this extra verbosity?

Thanks heaps!

xtrasimplicity avatar Jun 26 '19 05:06 xtrasimplicity
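The subcode parsing both posters describe, written out as an added example. This is not code from net-ldap or from either poster: it takes the OpenStruct-shaped object that Net::LDAP#get_operation_result returns, pulls the hex "data NNN" subcode out of the Active Directory diagnostic message, and maps it through the commonly documented AD AcceptSecurityContext subcode table (525, 52e, 530, 531, 532, 533, 701, 773, 775). The sample messages are constructed to match the byebug output quoted above, including the trailing NUL byte; fake_result, classify_bind_result and offer_password_change? are names chosen here, not library API.

```ruby
require 'ostruct'

# Active Directory appends "AcceptSecurityContext error, data NNN" to the
# diagnostic message of LDAP result code 49 (invalidCredentials). NNN is a
# hex subcode saying why the bind failed. Assumption: this is the widely
# documented AD table; net-ldap itself defines none of these names.
AD_BIND_SUBCODES = {
  '525' => :user_not_found,
  '52e' => :invalid_credentials,
  '530' => :logon_time_restriction,
  '531' => :workstation_restriction,
  '532' => :password_expired,
  '533' => :account_disabled,
  '701' => :account_expired,
  '773' => :must_change_password,
  '775' => :account_locked,
}.freeze

AD_DATA_RE = /AcceptSecurityContext error, data ([0-9a-f]+)/i

# Classifies the object returned by Net::LDAP#get_operation_result (code,
# error_message, ...). Returns :success, one of the symbols above,
# :invalid_credentials for a bare code 49 with no AD subcode (e.g. a
# non-AD directory), :unknown_subcode, or :other_failure.
def classify_bind_result(result)
  return :success if result.code == 0
  return :other_failure unless result.code == 49

  # AD terminates the message with a NUL byte; drop it before matching.
  msg = result.error_message.to_s.delete("\u0000")
  m = AD_DATA_RE.match(msg)
  return :invalid_credentials unless m

  AD_BIND_SUBCODES.fetch(m[1].downcase, :unknown_subcode)
end

# Builds an object shaped like get_operation_result for the constructed
# samples below (hypothetical helper, not directory output).
def fake_result(code, error_message)
  OpenStruct.new(code: code, error_message: error_message, matched_dn: '',
                 message: code == 49 ? 'Invalid Credentials' : 'Success')
end

# Constructed samples modelled on the message quoted in the thread.
SAMPLE_RESULTS = {
  ok:       fake_result(0, ''),
  expired:  fake_result(49, "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 532, v2580\u0000"),
  wrong_pw: fake_result(49, "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580\u0000"),
  locked:   fake_result(49, "80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 775, v2580\u0000"),
  no_subcode: fake_result(49, ''), # directory that returns plain code 49
}.freeze

# Only the two "credentials accepted but the password must change" outcomes
# should open the new-password dialog; everything else stays a plain failure.
def offer_password_change?(result)
  %i[password_expired must_change_password].include?(classify_bind_result(result))
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_RESULTS.each do |name, r|
    puts format('%-10s code=%-3d %-24s offer_change=%s', name, r.code,
                classify_bind_result(r), offer_password_change?(r))
  end
end
```

Two practical points. First, as jch notes, the subcode is only there when the directory emits it: OpenLDAP and most non-AD servers return a bare 49, so the classifier must fall back to :invalid_credentials rather than fail. Second, use the result to drive the flow, not the message shown to the user: echoing subcodes such as 525, 533 or 775 to an unauthenticated caller discloses whether an account exists and what state it is in, so keep the generic "invalid credentials" text for everything except the password-change branch.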