What Expects If Account Get Locked Out -- SunOne

Subject: What Expects If Account Get Locked Out -- SunOne
Author: eLDAP
In response to: UserAccountControl VS NsAccountLock
Posted on: 01/02/2007 03:20:18 PM

Here is what you would probably receive from SunOne Directory Server if your account gets locked out there.

javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - Exceed password retry limit. Please try later.]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2668)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2601)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2406)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2323)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:79)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:668)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:246)
at javax.naming.InitialContext.init(InitialContext.java:222)
at javax.naming.InitialContext.<init>(InitialContext.java:198)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:83)

>
> On 12/28/2006 08:11:58 PM eLDAP wrote:

When accessing a user account for authentication or authorization, a special attribute is often checked first to determine the current status of the account: disabled or enabled. Such an attribute is either NsAccountLock used in Netscape iPlanet world or UserAccountControl used in Microsoft Active Directory (AD) world.

While NsAccountLock bears value of TRUE or FALSE, UserAccountControl has a variety of values made of flags, among which the two most commonly used flags are ACCOUNTDISABLE (0x0002 or 2) and NORMAL_ACCOUNT (0x0200 or 512). For a disabled account, the UserAccountControl normally bears the value of 514 or 0x0202 (0x0200 + 0x0002)

Take SunOne and AD for example, a typical normal account may look like

(SunOne)
dn: cn=John Smith,cn=users,dc=mydomain,dc=com cn: John Smith objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson nsAccountLock: false description: Active account - authentication and authorization may proceed. sn: Smith givenName: John

(AD)
dn: cn=John Smith,cn=users,dc=mydomain,dc=com cn: John Smith objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user userAccountControl: 512 description: Active account - authentication and authorization may proceed. sn: Smith givenName: John

and a typical disabled account may look like

(SunOne)
dn: cn=John Smith,cn=users,dc=mydomain,dc=com cn: John Smith objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson nsAccountLock: true description: Inactive account - authentication or authorization may not proceed. sn: Smith givenName: John

(AD)
dn: cn=John Smith,cn=users,dc=mydomain,dc=com cn: John Smith objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user userAccountControl: 514 description: Inactive account - authentication or authorization may not proceed. sn: Smith givenName: John

References:

Next Post: What Expects If Account Get Locked Out -- AD eLDAP 01/02/2007 03:27:01 PM
Previous Post: UserAccountControl VS NsAccountLock eLDAP 12/28/2006 08:11:58 PM
Next Topic: What's extensibleObject used for? eLDAP 01/30/2007 08:46:52 PM
Previous Topic: LDAP ModifyRDN Operation eLDAP 12/04/2006 07:03:04 PM
Index: by Date
Index: by Topic