LDAP Error Code Messaging

Cantor, Scott cantor.2 at osu.edu
Mon Nov 5 20:59:19 EST 2018

On 11/5/18, 7:05 PM, "users on behalf of Lille M" <users-bounces at shibboleth.net on behalf of lillemacdoe at gmail.com> wrote:

> I turned on ldap debug logging.

That may be of interest, but that's not what it's mapping against so that's the root of your problem.

> However, still receiving following message: 

I don't use the LDAP feature; I use JAAS (with both Kerberos and LDAP in series), so I only know how it behaves when it reports errors: it always throws a LoginException that contains a formatted message, and that’s all I've ever had to map against.

My reading of the LDAP code suggests it doesn't explicitly log what comes back in most cases. That seems like a bug, or at least unfortunate. It seems to pull out various low-level data, LDAP response codes and the like, and build strings based on that depending on the response. My take would be you have to read that code [1] to know what might get returned and how to map anything from it. That's what I would have to do in that situation.

If you're not prepared to do that, you're probably back to "does anybody else use that exact directory?" and already happens to know the answer. With JAAS, you check the log and that’s pretty much that. Less powerful but a lot simpler.

-- Scott

[1] https://git.shibboleth.net/view/?p=java-identity-provider.git;a=blob;f=idp-authn-impl/src/main/java/net/shibboleth/idp/authn/impl/ValidateUsernamePasswordAgainstLDAP.java;h=cbae93b348b7ddbe41ccc8c309866aa38e1cd4cc;hb=eeeaad5804b5de7091b187cb5bb94a53f386fa4c
