Error Codes from LDAP / Microsoft Active Directory authentication

Yusuf Tran Yusuf.Tran at kaplan.com
Tue May 21 10:25:20 EDT 2013


Thank you so much for the prompt reply Kevin, got it working :)

In case anyone googles for this in the future

In the login page add 

<%@ page import="edu.internet2.middleware.shibboleth.idp.authn.LoginHandler" %>

<% if (request.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY) != null) {
       Exception authEx = (Exception) request.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY);
       // getMessage() may be null for some exceptions; guard it before calling trim()
       String loginMsg = authEx.getMessage() == null ? "" : authEx.getMessage().trim();
       String niceMsg = "";

       // Map the MSAD sub-code that rides along with LDAP error 49 to a user-facing hint
       if (loginMsg.contains("52e")) {
           niceMsg = "Invalid username or password";
       } else if (loginMsg.contains("532")) {
           niceMsg = "Password has expired";
       } else if (loginMsg.contains("701")) {
           niceMsg = "Account has expired";
       } else if (loginMsg.contains("533")) {
           niceMsg = "Account is disabled";
       } else if (loginMsg.contains("775")) {
           niceMsg = "Account is locked";
       } else {
           niceMsg = "An unknown authentication error occurred";
       }
%>
       <p><%= niceMsg %></p>
<% } %>

Replace niceMsg with whatever instructions you want to display

Regards
Yusuf



-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Kevin P. Foote
Sent: 21 May 2013 15:10
To: Shib Users
Subject: Re: Error Codes from LDAP / Microsoft Active Directory authentication



On Tue, 21 May 2013, Yusuf Tran wrote:

> The goal is to give students specific directions on the IDP login page based on the error codes.

You can do this by fielding the sub error code that MSAD sends along with the Ldap Error 49

In my IdP I bubble the error code back up to the js level and field it there.. I'm sure you can do it earlier in the servlet or IdP but js was easy to see / do.

Here are some MS sub codes.. that ride along with the Ldap Error 49 when using the vt-ldap module..


(775) account locked

(701) account expired

(532) password expired

(52e) invalid credentials

(533) account disabled


HTH.. let me know if you need more.

------
thanks
  kevin.foote

--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
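Kevin mentions fielding the sub-code at the JS level. The following is an added JavaScript example, not code from the thread or from the Shibboleth project, that extracts the sub-code from the "data <hex>" token of the AD diagnostic message instead of testing the whole string for "52e", "533", etc., and shows where the substring test from the JSP above goes wrong. The sample diagnostic strings are constructed and their DSID values are made up.

```javascript
// Sub-codes listed in the thread, in the order the JSP above tests them.
const SUB_CODES = [
  ["52e", "Invalid username or password"],
  ["532", "Password has expired"],
  ["701", "Account has expired"],
  ["533", "Account is disabled"],
  ["775", "Account is locked"],
];
const UNKNOWN = "An unknown authentication error occurred";

// Substring approach from the JSP snippet, kept for comparison.
function naiveMessage(loginMsg) {
  for (const [code, text] of SUB_CODES) {
    if (loginMsg.includes(code)) return text;
  }
  return UNKNOWN;
}

// AD appends the sub-code as "data <hex>" to the diagnostic text of an
// LDAP result 49; anchor on that token so hex elsewhere in the string
// (the DSID, for example) cannot produce a false match.
const DATA_TOKEN = /\bdata\s+([0-9a-f]+)\b/i;

function extractSubCode(loginMsg) {
  const m = typeof loginMsg === "string" ? DATA_TOKEN.exec(loginMsg) : null;
  return m ? m[1].toLowerCase() : null;
}

function friendlyMessage(loginMsg) {
  const code = extractSubCode(loginMsg);
  const hit = SUB_CODES.find(([c]) => c === code);
  return hit ? hit[1] : UNKNOWN;
}

// Constructed samples in the format AD returns (DSID values are made up).
const LOCKED_WITH_533_IN_DSID =
  "80090308: LdapErr: DSID-0C090533, comment: AcceptSecurityContext error, data 775, v1db1";
const BAD_PASSWORD =
  "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1";
const NO_SUB_CODE = "LDAP: error code 49 - Invalid Credentials";

for (const msg of [LOCKED_WITH_533_IN_DSID, BAD_PASSWORD, NO_SUB_CODE]) {
  console.log(`substring: ${naiveMessage(msg)} | token: ${friendlyMessage(msg)}`);
}
```

On the first sample the substring test reports "Account is disabled" because "533" occurs inside the DSID, while the token parser correctly reports "Account is locked".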