LDAP Error Code Messaging

Lille M lillemacdoe at gmail.com
Mon Nov 5 19:05:32 EST 2018


Thank you!

I turned on ldap debug logging.

2018-11-05 15:55:31,908 - DEBUG
[org.ldaptive.provider.jndi.NamingExceptionUtils:358] -
[6F22B93098FE921E1EC3B8DDFC18D1EB] - [127.0.0.1] - naming exception class
javax.naming.OperationNotSupportedException is ambiguous, maps to multiple
result codes: [UNAVAILABLE_CRITICAL_EXTENSION, UNWILLING_TO_PERFORM]

In 'password-authn-config.xml', updated:

<entry key="AccountLocked">
    <list>
        <value>AccountLocked</value>
        <value>UNWILLING_TO_PERFORM</value>
        <value>UNAVAILABLE_CRITICAL_EXTENSION</value>
        <value>Clients credentials have been revoked</value>
    </list>
</entry>

However, I am still receiving the following message: Login Failure:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - Account
inactivated. Contact system administrator.]

Could this be due to the 'naming exception class
javax.naming.OperationNotSupportedException is ambiguous,'?

On Mon, Nov 5, 2018 at 1:26 PM Cantor, Scott <cantor.2 at osu.edu> wrote:

> > We want to replace it to 'Account is Inactivated. Contact Help Desk at
> > www.foodbar.com <http://www.foodbar.com> '.  Is there a pre-existing flow
> > that is generating above message, and I can subjugate to new message?
>
> The defaults are:
>
> The shibboleth.authn.Password.ClassifiedMessageMap bean translates an LDAP
> error string into a classified event.
>
> The views/login-error.vm file has examples for extracting a classified
> event if it exists and turning it into a user message:
>
>     #set ($eventId = $authenticationErrorContext.getClassifiedErrors().iterator().next())
>     #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "login"))
>     #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "Login Failure: $eventId"))
>
> All the default messages are in system/messages/messages.properties and
> are overrideable in messages/messages.properties.
>
> If a message maps to AccountLocked, the default message is "Your account
> is locked." and that's what gets displayed. If it's not being displayed,
> you just didn't map the relevant LDAP error message or a subset of it to
> the AccountLocked event name in the message maps that I'm talking about.
> And if you want to change the message, look at the system message file and
> override the message property you want to replace in your own message file.
>
> In practice it's a couple of simple additions to two files and restart.
>
> -- Scott
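The two lookups described in the quoted reply (error string to classified event, then event to user message), modeled as an added example that is not part of the original thread and not Shibboleth code. It assumes a candidate matches when it occurs as a substring of the error text, per "the relevant LDAP error message or a subset of it"; the `MESSAGES` keys, the `"Account inactivated"` entry and the unclassified fallback branch are assumptions for illustration.

```python
# Simplified model (assumption) of the lookups described in the reply:
# 1) error string -> classified event by substring match, 2) event -> user message.

# Error text as reported in the post.
LDAP_ERROR = ("javax.naming.OperationNotSupportedException: [LDAP: error code 53 - "
              "Account inactivated. Contact system administrator.]")

# Candidate strings exactly as configured in the post.
MAP_AS_POSTED = {"AccountLocked": ["AccountLocked", "UNWILLING_TO_PERFORM",
                                   "UNAVAILABLE_CRITICAL_EXTENSION",
                                   "Clients credentials have been revoked"]}
# Hypothetical variant: adds a string that actually occurs in the error text.
MAP_WITH_SUBSTRING = {"AccountLocked": MAP_AS_POSTED["AccountLocked"] + ["Account inactivated"]}

# Constructed stand-in for messages.properties; the key names are assumptions,
# only the text "Your account is locked." is quoted in the thread.
MESSAGES = {"AccountLocked": "account-locked",
            "account-locked.message": "Your account is locked."}

def classify(error, message_map):
    """Return the first event with a candidate string found in the error text."""
    for event, candidates in message_map.items():
        if any(c in error for c in candidates):
            return event
    return None

def user_message(error, message_map, messages):
    """Resolve the text shown to the user for a given LDAP error string."""
    event = classify(error, message_map)
    if event is None:
        # Assumed unclassified branch, consistent with the "Login Failure: ..."
        # output reported in the post: raw exception text reaches the login page.
        return "Login Failure: " + error
    event_key = messages.get(event, "login")   # mirrors getMessage("$eventId", "login")
    return messages.get(event_key + ".message", "Login Failure: " + event)

def unmatched(error, candidates):
    """Configured strings that never occur in the error text."""
    return [c for c in candidates if c not in error]

if __name__ == "__main__":
    print(user_message(LDAP_ERROR, MAP_AS_POSTED, MESSAGES))
    print(user_message(LDAP_ERROR, MAP_WITH_SUBSTRING, MESSAGES))
    print(unmatched(LDAP_ERROR, MAP_WITH_SUBSTRING["AccountLocked"]))
```

Running `unmatched` against a captured error string before restarting shows which configured values can never classify that error.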