Tags: java, ldap, jndi, spring-ldap

Differentiating the causes of InvalidAttributeValueException


I'm trying to determine via InvalidAttributeValueException instance, what was the cause for the LDAP error code 19 (password policy error) so I will be able to display an informative error message in the UI.

The current LDAP service I'm using is openLDAP (as an embedded LDAP in the application) and it provides a pretty informative message that was good enough to display (i.e. "[LDAP: error code 19 - Password fails quality checking policy]" & "[LDAP: error code 19 - Password is in history of old passwords]").

But now I want to support Active Directory & other LDAP providers (that will be external), and from what I've seen in rfc2251 and various other sources - every implementation puts its own exception message and the only standard thing is the error code 19 mapping to InvalidAttributeValueException and not to a specific issue.

Is there a solution (even a partial one) for differentiating between the different causes of an error code 19? Is there a way, given an InvalidAttributeValueException instance, to query the LDAP for an answer to that question?

Thanks


Solution

  • My comments above apply to the generic LDAP API, but I had forgotten something major. You need to investigate the request and response controls specified in https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10. This does work in OpenLDAP but I can't say whether it is supported by Active Directory. I have Java JNDI code that supports it which you are welcome to. The PasswordPolicyResponseControl can return the following:

    /** Only the two enums of the PasswordPolicyResponseControl class were posted; they are wrapped here so the fragment compiles as one file. */
    public class PasswordPolicyResponseControl
    {
        /** Warning codes. */
        public enum Warning
        {
            /** Password expiration warning.*/
            timeBeforeExpiration,
            /** Grace logins warning.*/
            graceAuthNsRemaining,
            none;
        }

        /** Error codes. */
        public enum Error
        {
            /** The password has expired.*/
            passwordExpired,
            /**
             * The account has been locked, either by an administrator
             * or as a result of too many failed login attempts.
             */
            accountLocked,
            /**
             * The password has been reset by an administrator and must be changed immediately.
             */
            changeAfterReset,
            /**
             * The password policy does not permit the user to change his password.
             */
            passwordModNotAllowed,
            /**
             * The password policy requires the old password to be supplied
             * when changing passwords.
             * This indicates a programming error in the client.
             */
            mustSupplyOldPassword,
            /**
             * The new password has failed the quality check.
             */
            insufficientPasswordQuality,
            /**
             * The new password is too short.
             */
            passwordTooShort,
            /**
             * The current password is too new to change yet.
             */
            passwordTooYoung,
            /**
             * The password policy specifies keeping a password history
             * and the new password is already in it.
             */
            passwordInHistory,
            /**
             * Error parsing the response control.
             * This indicates a programming error either in this
             * class or in the LDAP server.
             */
            unparseableResponseControl,
            /**
             * No additional information.
             * This can be seen e.g. when the user simply logs
             * in with the wrong password.
             */
            none;
        }
    }
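The answer above names the control but not how to send it or read it back with plain JNDI. The following is an added example written for this page, not the answerer's code: it attaches the password policy request control (OID 1.3.6.1.4.1.42.2.27.8.5.1, taken from the draft) to a `userPassword` modify, and on error code 19 decodes the response control's BER value, which the draft defines as `SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL, error [1] ENUMERATED OPTIONAL }`. The small BER reader, the class and method names, and the sample byte arrays in `main` are my own constructions; the assumption that the JDK's LDAP provider still exposes the last operation's response controls after the exception is thrown is also mine. Servers that don't implement the control (the answer is unsure about Active Directory) simply return no response control, and the code then falls back to rethrowing the original exception with its free-text message.

```java
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InvalidAttributeValueException;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;

public class PasswordPolicyExample {

    /** OID of the password policy control; the draft uses the same OID for request and response. */
    static final String PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1";

    /** Ordinals 0..8 match the ENUMERATED values in the draft; the last two are local additions. */
    enum Error {
        passwordExpired, accountLocked, changeAfterReset, passwordModNotAllowed,
        mustSupplyOldPassword, insufficientPasswordQuality, passwordTooShort,
        passwordTooYoung, passwordInHistory, unparseableResponseControl, none
    }

    /** Decoded response control: both fields are optional in the draft. */
    static final class PpolicyResponse {
        Integer timeBeforeExpiration;  // seconds until expiry, or null
        Integer graceAuthNsRemaining;  // grace logins left, or null
        Error error = Error.none;
        @Override public String toString() {
            return "ppolicy[error=" + error + ", timeBeforeExpiration=" + timeBeforeExpiration
                + ", graceAuthNsRemaining=" + graceAuthNsRemaining + "]";
        }
    }

    /** Request control carries no value; non-critical so a server without support still processes the modify. */
    static Control passwordPolicyRequest() {
        return new BasicControl(PPOLICY_OID, false, null);
    }

    /** Replace userPassword with the control attached; on error code 19 read the response control. */
    static PpolicyResponse changePassword(LdapContext ctx, String userDn, String newPassword) throws NamingException {
        ctx.setRequestControls(new Control[] { passwordPolicyRequest() });
        ModificationItem[] mods = { new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userPassword", newPassword)) };
        try {
            ctx.modifyAttributes(userDn, mods);
            PpolicyResponse ok = responseFrom(ctx);     // may still carry a warning
            return ok != null ? ok : new PpolicyResponse();
        } catch (InvalidAttributeValueException e) {
            PpolicyResponse r = responseFrom(ctx);      // assumption: controls of the failed operation are retained
            if (r == null) throw e;                     // no control: only the vendor's free-text message is available
            return r;
        } finally {
            ctx.setRequestControls(null);
        }
    }

    /** Find the password policy control among the last operation's response controls and decode it. */
    static PpolicyResponse responseFrom(LdapContext ctx) throws NamingException {
        Control[] resp = ctx.getResponseControls();
        if (resp == null) return null;
        for (Control c : resp)
            if (PPOLICY_OID.equals(c.getID()) && c.getEncodedValue() != null) return decode(c.getEncodedValue());
        return null;
    }

    /** BER decoder for the response value; any malformed input yields unparseableResponseControl. */
    static PpolicyResponse decode(byte[] ber) {
        PpolicyResponse r = new PpolicyResponse();
        try {
            int[] pos = {0};
            if ((ber[pos[0]++] & 0xff) != 0x30) throw new IllegalArgumentException("not a SEQUENCE");
            int end = pos[0] + readLength(ber, pos);
            while (pos[0] < end) {
                int tag = ber[pos[0]++] & 0xff;
                int len = readLength(ber, pos);
                int valueStart = pos[0];
                if (tag == 0xA0) {                        // [0] warning: explicit tag wrapping the CHOICE
                    int inner = ber[pos[0]++] & 0xff;
                    int innerLen = readLength(ber, pos);
                    int v = readInt(ber, pos[0], innerLen);
                    if (inner == 0x80) r.timeBeforeExpiration = v;
                    else if (inner == 0x81) r.graceAuthNsRemaining = v;
                    else throw new IllegalArgumentException("bad warning tag");
                } else if (tag == 0x81) {                 // [1] error: implicit tag on ENUMERATED
                    int v = readInt(ber, valueStart, len);
                    if (v < 0 || v > Error.passwordInHistory.ordinal()) throw new IllegalArgumentException("bad error");
                    r.error = Error.values()[v];
                } else throw new IllegalArgumentException("unexpected tag " + tag);
                pos[0] = valueStart + len;
            }
        } catch (RuntimeException e) {
            r.error = Error.unparseableResponseControl;
        }
        return r;
    }

    /** Definite-length BER length: short form, or long form with up to 4 length bytes. */
    private static int readLength(byte[] b, int[] pos) {
        int first = b[pos[0]++] & 0xff;
        if (first < 0x80) return first;
        int n = first & 0x7f;
        if (n == 0 || n > 4) throw new IllegalArgumentException("unsupported length");
        int len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (b[pos[0]++] & 0xff);
        return len;
    }

    /** Big-endian two's-complement integer of 1..4 bytes (the draft bounds the values to maxInt). */
    private static int readInt(byte[] b, int off, int len) {
        if (len < 1 || len > 4) throw new IllegalArgumentException("bad integer length");
        int v = (b[off] & 0x80) != 0 ? -1 : 0;       // sign-extend
        for (int i = 0; i < len; i++) v = (v << 8) | (b[off + i] & 0xff);
        return v;
    }

    public static void main(String[] args) {
        // Constructed sample values (hand-encoded, not captured from a server):
        byte[] inHistory = {0x30, 0x03, (byte) 0x81, 0x01, 0x08};                          // error passwordInHistory
        byte[] expiring = {0x30, 0x06, (byte) 0xA0, 0x04, (byte) 0x80, 0x02, 0x0E, 0x10}; // warning 3600 s
        byte[] garbage = {0x30, 0x02, 0x04, 0x00};                                        // wrong inner tag
        System.out.println(decode(inHistory));
        System.out.println(decode(expiring));
        System.out.println(decode(garbage));
    }
}
```

Mapping the decoded `Error` to a UI message then happens in your code rather than by parsing vendor text. Keeping the request control non-critical matters for the Active Directory case the answer raises: a critical control that the server does not recognise makes the whole modify fail with `unavailableCriticalExtension`, whereas a non-critical one is ignored and you are back to the plain error code 19 and the vendor's message.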