  What Expects If Account Get Locked Out -- AD
 
Subject: What Expects If Account Get Locked Out -- AD
Author: eLDAP
In response to: What Expects If Account Get Locked Out -- SunOne
Posted on: 01/02/2007 03:27:01 PM

Here is what you would probably receive from Active Directory Server if your account gets locked out there.

javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'cn=lockout user,cn=users'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2695)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2601)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2411)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1586)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1509)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:371)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:331)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:316)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:241)


Actually, the above error message is due to insufficient rights (being treated as an anonymous user) for the search operation. The bind operation, or authentication, SUCCEEDED! This is a bug in AD 2003. To investigate it more deeply, you can use LDP.exe, which can separate bind (authentication) from search (authorization). Surprisingly, you can authenticate a disabled account (userAccountControl=514); that's definitely a security hole.

Be careful with AD 2003 if you use it to authenticate a disabled account!


 

> On 01/02/2007 03:20:18 PM eLDAP wrote:


Here is what you would probably receive from SunOne Directory Server if your account gets locked out there.


javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - Exceed password retry limit. Please try later.]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2668)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2601)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2406)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2323)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:79)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:668)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:246)
at javax.naming.InitialContext.init(InitialContext.java:222)
at javax.naming.InitialContext.<init>(InitialContext.java:198)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:83)
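
The two posts show the failure arriving at different points: SunOne rejects the bind itself with error code 19, while AD lets the bind return and fails the following search with error code 1. As an added example (not code from the original posts), here is a fail-closed login decision covering both cases; the class, method and result names are hypothetical, and the caller is assumed to read userAccountControl from the user's own entry over the freshly bound connection.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example; the class and method names are hypothetical.
public class LdapLoginCheck {
    // JNDI exception messages carry the server result as "[LDAP: error code N - text]".
    private static final Pattern LDAP_ERR = Pattern.compile("\\[LDAP: error code (\\d+) - ");
    // 514 = 512 (NORMAL_ACCOUNT) + 2 (ACCOUNTDISABLE)
    private static final int ACCOUNTDISABLE = 0x2;

    /** LDAP result code found in a JNDI exception message, or -1 if there is none. */
    static int resultCode(String msg) {
        Matcher m = LDAP_ERR.matcher(msg == null ? "" : msg);
        return m.find() ? Integer.parseInt(m.group(1)) : -1;
    }

    /**
     * Fail-closed decision. bindError: message of the exception thrown by the bind,
     * or null if the bind returned normally. readError: message of the exception
     * thrown when the new connection reads the user's own entry, or null.
     * uac: userAccountControl read from that entry, or null if it was not read.
     */
    static String decide(String bindError, String readError, Integer uac) {
        if (bindError != null) {
            // Code 19 is what SunOne returns for a locked-out account in the quoted post.
            return resultCode(bindError) == 19 ? "DENY_LOCKED_OUT" : "DENY_BIND_FAILED";
        }
        if (readError != null || uac == null) {
            // A "successful" bind that cannot read its own entry is not trusted.
            return "DENY_BIND_UNCONFIRMED";
        }
        return (uac & ACCOUNTDISABLE) != 0 ? "DENY_DISABLED" : "ALLOW";
    }

    public static void main(String[] args) {
        // Messages copied from the two traces on this page; uac values are constructed.
        String ad = "[LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: "
                  + "In order to perform this operation a successful bind must be completed "
                  + "on the connection., data 0, vece]";
        String sunOne = "[LDAP: error code 19 - Exceed password retry limit. Please try later.]";
        System.out.println(decide(sunOne, null, null)); // SunOne rejects the bind itself
        System.out.println(decide(null, ad, null));     // AD case from the post
        System.out.println(decide(null, null, 514));    // disabled account that bound
        System.out.println(decide(null, null, 512));    // enabled account
    }
}
```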




