Topic: UserAccountControl VS NsAccountLock
eLDAP (member, Austin, TX), posted on 12/28/2006 08:11:58 PM
UserAccountControl VS NsAccountLock
When accessing a user account for authentication or authorization, a special attribute is often checked first to determine the current status of the account: disabled or enabled. Such an attribute is either NsAccountLock, used in the Netscape iPlanet world, or UserAccountControl, used in the Microsoft Active Directory (AD) world.

While NsAccountLock bears a value of TRUE or FALSE, UserAccountControl has a variety of values made of flags, among which the two most commonly used flags are ACCOUNTDISABLE (0x0002 or 2) and NORMAL_ACCOUNT (0x0200 or 512). For a disabled account, UserAccountControl normally bears the value 514 or 0x0202 (0x0200 + 0x0002).

Taking SunOne and AD as examples, a typical normal account may look like

(SunOne)
dn: cn=John Smith,cn=users,dc=mydomain,dc=com
cn: John Smith
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
nsAccountLock: false
description: Active account - authentication and authorization may proceed.
sn: Smith
givenName: John


(AD)
dn: cn=John Smith,cn=users,dc=mydomain,dc=com
cn: John Smith
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 512
description: Active account - authentication and authorization may proceed.
sn: Smith
givenName: John


and a typical disabled account may look like

(SunOne)
dn: cn=John Smith,cn=users,dc=mydomain,dc=com
cn: John Smith
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
nsAccountLock: true
description: Inactive account - authentication or authorization may not proceed.
sn: Smith
givenName: John


(AD)
dn: cn=John Smith,cn=users,dc=mydomain,dc=com
cn: John Smith
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userAccountControl: 514
description: Inactive account - authentication or authorization may not proceed.
sn: Smith
givenName: John


eLDAP (member, Austin, TX), posted on 01/02/2007 03:20:18 PM
What to Expect If an Account Gets Locked Out -- SunOne
Here is what you would probably receive from SunOne Directory Server if your account gets locked out there.


javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - Exceed password retry limit. Please try later.]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2668)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2601)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2406)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2323)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:79)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:668)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:246)
at javax.naming.InitialContext.init(InitialContext.java:222)
at javax.naming.InitialContext.<init>(InitialContext.java:198)
at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:83)

eLDAP (member, Austin, TX), posted on 01/02/2007 03:27:01 PM
What to Expect If an Account Gets Locked Out -- AD
Here is what you would probably receive from an Active Directory server if your account gets locked out there.

javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name 'cn=lockout user,cn=users'
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2695)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2601)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2411)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1586)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1509)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:371)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:331)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:316)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:241)


Actually, the above error message is due to insufficient rights (being treated as an anonymous user) for the search operation. The bind operation, or authentication, SUCCEEDED! This is a bug in AD 2003. To investigate it deeper, you can use LDP.exe, which can separate bind (authentication) from search (authorization). Surprisingly, you can authenticate a disabled account (userAccountControl=514); that's definitely a security hole.

Be careful with AD 2003 if you use it to authenticate a disabled account!

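The following is an added example, not code from the thread or from either directory vendor, covering both the status-attribute rules in the first post and the "bind succeeded but the account is disabled" case in the post above: it parses a plain LDIF entry (constructed sample entries, no base64 `::` values) and tests the ACCOUNTDISABLE bit rather than comparing against 514, so entries carrying additional flags are still classified correctly. The fail-closed rule for an entry with neither attribute is an assumption of this example.

```python
"""Decide whether a directory entry is disabled, for SunOne (nsAccountLock)
and Active Directory (userAccountControl), from a plain LDIF-style entry."""
from typing import Dict, List

# userAccountControl bit flags; the first two are the values quoted in the thread,
# DONT_EXPIRE_PASSWORD is another well-known flag that is OR-ed into the same integer.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {lower-cased attribute: [values]}.
    Assumes plain 'name: value' lines (no base64 '::' values, no line folding)."""
    entry: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def is_disabled(entry: Dict[str, List[str]]) -> bool:
    """True when the entry is disabled under either directory's convention.
    SunOne: nsAccountLock is the string 'true' or 'false'.
    AD: test the ACCOUNTDISABLE bit; 514 (0x202) and 66050 (0x10202) are both disabled."""
    if "nsaccountlock" in entry:
        return entry["nsaccountlock"][0].lower() == "true"
    if "useraccountcontrol" in entry:
        return int(entry["useraccountcontrol"][0]) & ACCOUNTDISABLE != 0
    # Assumption of this example: an entry with neither attribute is treated as disabled.
    return True


def may_proceed(bind_succeeded: bool, entry: Dict[str, List[str]]) -> bool:
    """Authorization decision: a successful bind alone is not enough (the AD 2003
    behaviour described above), the status attribute must also pass."""
    return bind_succeeded and not is_disabled(entry)


# Constructed sample entries: an AD account that is disabled AND has a non-expiring password.
AD_DISABLED_NO_EXPIRE = """dn: cn=John Smith,cn=users,dc=mydomain,dc=com
objectClass: user
userAccountControl: 66050
"""
SUNONE_LOCKED = """dn: cn=John Smith,cn=users,dc=mydomain,dc=com
objectClass: inetOrgPerson
nsAccountLock: true
"""

if __name__ == "__main__":
    for label, ldif in (("AD 66050", AD_DISABLED_NO_EXPIRE), ("SunOne locked", SUNONE_LOCKED)):
        print(label, "may proceed after bind:", may_proceed(True, parse_ldif(ldif)))
```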