LDAP Error Code Messaging
Lille M
lillemacdoe at gmail.com
Tue Nov 6 15:20:39 EST 2018
Thank you Daniel and Scott.
I have inserted into 'ldap-authn-config.xml' and 'password-authn-config.xml'
the entries below --- however, I am still receiving the
'Login Failure: javax.naming.OperationNotSupportedException: [LDAP: error code 53
- Account inactivated. Contact system administrator.]' messaging --- the
logs are at the end of the email. Have I missed anything -- it would seem
resultCode is '*UNWILLING_TO_PERFORM*' --- and that would trigger the
'AccountLocked' flow.
ldap-authn-config.xml

    <bean id="authenticationResponseHandler"
          class="org.ldaptive.auth.ext.FreeIPAAuthenticationResponseHandler">
        <constructor-arg value="0" />
        <constructor-arg value="0" />
        <constructor-arg value="0" />
    </bean>
password-authn-config.xml

    <entry key="AccountLocked">
        <list>
            <value>AccountLocked</value>
            <value>UNWILLING_TO_PERFORM</value>
            <value>UNAVAILABLE_CRITICAL_EXTENSION</value>
            <value>ACCOUNT_DISABLED</value>
            <value>Clients credentials have been revoked</value>
        </list>
    </entry>
2018-11-06 12:11:28,137 - DEBUG
[org.ldaptive.auth.PooledBindAuthenticationHandler:86] -
[BDFE57022A7C35D88ADBDBD0A094E5D2] - [127.0.0.1] - authenticate
response=[org.ldaptive.auth.AuthenticationHandlerResponse at 5467434
::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 209642554
::config=[org.ldaptive.ConnectionConfig at 16737856::ldapUrl=ldaps://
example.com , connectTimeout=10000, responseTimeout=10000,
sslConfig=[org.ldaptive.ssl.SslConfig at 1145576216::credentialConfig=null,
trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null,
enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null], useSSL=false, useStartTLS=false,
connectionInitializer=null],
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory at 1669487719
::metadata=[ldapUrl=ldaps://example.com, count=1],
environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
com.sun.jndi.ldap.connect.timeout=10000, java.naming.ldap.version=3,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
com.sun.jndi.ldap.read.timeout=10000},
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 1413643593::operationExceptionResultCodes=[PROTOCOL_ERROR,
SERVER_DOWN], properties={},
connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy at 69ddedf6,
controlProcessor=org.ldaptive.provider.ControlProcessor at 3101afb8,
environment=null, tracePackets=null, removeDnUrls=true,
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]],
providerConnection=org.ldaptive.provider.jndi.JndiConnection at 2e7f7327],
result=false, resultCode=*UNWILLING_TO_PERFORM*,
message=javax.naming.OperationNotSupportedException: [LDAP: error code 53 -
Account inactivated. Contact system administrator.], controls=null] for
criteria=[org.ldaptive.auth.AuthenticationCriteria at 1465948621::dn=uid=lisa,dc=example,dc=com,
authenticationRequest=[org.ldaptive.auth.AuthenticationRequest at 850653990
::user=[org.ldaptive.auth.User at 1673580225::identifier=lisa,
context=org.apache.velocity.VelocityContext at 63271a4], retAttrs=[1.1],
controls=null]]
On Mon, Nov 5, 2018 at 8:26 PM Daniel Fisher <dfisher at vt.edu> wrote:
> On Mon, Nov 5, 2018 at 4:26 PM Lille M <lillemacdoe at gmail.com> wrote:
>
>> org.ldaptive.LdapException: javax.naming.OperationNotSupportedException:
>> [LDAP: error code 53 - Account inactivated. Contact system administrator.]
>> at
>> net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP.doExecute(ValidateUsernamePasswordAgainstLDAP.java:187)
>>
>
> You need to configure a response handler to produce an account state.
> Ldaptive doesn't ship with one specific to 389 directory server, but it
> does have one for FreeIPA which I believe is based on 389.
> Add to ldap-authn-config.xml:
> <bean id="authenticationResponseHandler"
> class="org.ldaptive.auth.ext.FreeIPAAuthenticationResponseHandler" >
> <constructor-arg value="0" /><constructor-arg value="0" /><constructor-arg
> value="0" /></bean>
>
> (I left the constructor args at zero assuming you're not interested in
> configuring account states for successful authentication.)
> If the response handler works you should be able to match on
> ACCOUNT_DISABLED.
>
> --Daniel Fisher
>
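Daniel's reply notes that ldaptive has no response handler specific to 389 Directory Server. The following is an added illustration (not from the thread, the Shibboleth project, or ldaptive itself) of what such a handler would look like: it turns the exact failure seen in the log above (result code 53, "Account inactivated") into an ACCOUNT_DISABLED account state, which is what the IdP's classified message map can then match on. The class and package names are hypothetical; the ldaptive 1.x types and methods used (AuthenticationResponseHandler.handle, AuthenticationResponse.getResultCode/getMessage/setAccountState, AccountState, FreeIPAAccountState.Error) are assumed from that API and should be checked against the ldaptive version bundled with your IdP.

```java
package example.idp.authn;  // hypothetical package

import org.ldaptive.LdapException;
import org.ldaptive.ResultCode;
import org.ldaptive.auth.AccountState;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.AuthenticationResponseHandler;
import org.ldaptive.auth.ext.FreeIPAAccountState;

/**
 * Response handler for a 389 Directory Server that rejects binds from
 * inactivated accounts with result code 53 (unwillingToPerform) and the
 * diagnostic message "Account inactivated. Contact system administrator."
 *
 * A bare UNWILLING_TO_PERFORM result code carries no account state; this
 * handler supplies one so the IdP can distinguish a disabled account from
 * an ordinary bad-password failure (and render the matching error view)
 * without ever leaking the directory's raw message to the user.
 */
public class InactivatedAccountResponseHandler implements AuthenticationResponseHandler {

    /** Substring of the 389 DS diagnostic message that marks an inactivated account. */
    private static final String INACTIVATED_MARKER = "Account inactivated";

    @Override
    public void handle(final AuthenticationResponse response) throws LdapException {
        // Successful bind: nothing to classify here.
        if (Boolean.TRUE.equals(response.getResult())) {
            return;
        }
        final ResultCode code = response.getResultCode();
        final String message = response.getMessage();

        // Only the specific code/message pair is mapped; every other failure
        // keeps its default handling so a bad password stays a bad password.
        if (code == ResultCode.UNWILLING_TO_PERFORM
                && message != null
                && message.contains(INACTIVATED_MARKER)) {
            response.setAccountState(
                new AccountState(FreeIPAAccountState.Error.ACCOUNT_DISABLED));
        }
    }
}
```

Register it in ldap-authn-config.xml as the authenticationResponseHandler bean in place of the FreeIPA handler, and keep ACCOUNT_DISABLED in the AccountLocked list of password-authn-config.xml so the resulting account state is classified.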