Active Directory Error Codes

Hari

Hi all,

I am using the JAAS framework to authenticate users on
Active Directory Service (using LDAP).
If the user credentials are wrong we normally get the LDAP
error code 49: LDAP_INVALID_CREDENTIALS.
But this error is also thrown even if, for a user, the
password has expired or the user account is disabled.

I needed to show the user specific messages, e.g. that
his/her bind with the Active Directory failed for
specific reasons like "PASSWORD EXPIRED", "ACCOUNT
DISABLED".

So how do I track whether the user connection failed for
such-and-such specific reason?

Does Active Directory provide any Error Codes with LDAP
(which can track the exact reasons for failure)?

Regards,
Hari
 
Hi,

Well, can it be done this way: before actually binding
(i.e. when we do a search) with the UserDN and p/w, we can
retrieve the attributes and show them to the user. But I don't
think we have an attribute which
specifies "PasswordExpired" or "PasswordExpiresOn".
I am aware of the following attributes:
objectClass, objectGUID, uSNCreated, etc.

Also, how can we set these attributes so that one can
retrieve the values?

So if we get any info from the attributes
like "PasswordExpired", then actually before binding we can
give the required message to the user.
If the binding fails due to the error mentioned in the
prev post, then we can safely assume that it has failed due
to the WRONG p/w provided by the user (and not password
expired).

Does this approach seem good? Also, does AD provide any
such types of attributes mentioned above (I didn't find
any)?

Please advise,

Thanks in advance,

Regards,
Hari
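
An added example, not part of the original thread: when Active Directory rejects a bind with LDAP error 49, the diagnostic text carries a hexadecimal `data` sub-code that identifies the reason, and it can be parsed from the exception message. The class and method names are hypothetical, the sample message is constructed, and it is an assumption that your JAAS login module passes the underlying LDAP message through.

```java
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example: classify an Active Directory bind failure from the LDAP error 49 text. */
public class AdBindFailure {

    // AD appends a hex sub-code to the diagnostic text: "... AcceptSecurityContext error, data 532, ..."
    private static final Pattern DATA = Pattern.compile("\\bdata\\s+([0-9a-fA-F]+)\\b");

    // Sub-codes AD reports alongside LDAP result 49 (hex values).
    private static final Map<String, String> REASONS = Map.of(
        "525", "USER_NOT_FOUND",
        "52e", "INVALID_CREDENTIALS",
        "530", "LOGON_TIME_RESTRICTION",
        "531", "WORKSTATION_RESTRICTION",
        "532", "PASSWORD_EXPIRED",
        "533", "ACCOUNT_DISABLED",
        "701", "ACCOUNT_EXPIRED",
        "773", "PASSWORD_MUST_CHANGE",
        "775", "ACCOUNT_LOCKED");

    /** Returns the reason for the sub-code in the message, or "UNKNOWN" if none is recognised. */
    public static String classify(String ldapMessage) {
        if (ldapMessage == null) return "UNKNOWN";
        Matcher m = DATA.matcher(ldapMessage);
        if (!m.find()) return "UNKNOWN";
        return REASONS.getOrDefault(m.group(1).toLowerCase(), "UNKNOWN");
    }

    /** Text for the login page: unknown user and wrong password share one message. */
    public static String userMessage(String reason) {
        switch (reason) {
            case "PASSWORD_EXPIRED":
            case "PASSWORD_MUST_CHANGE": return "Your password has expired and must be changed.";
            case "ACCOUNT_DISABLED":
            case "ACCOUNT_EXPIRED":
            case "ACCOUNT_LOCKED":       return "Your account is unavailable; contact the administrator.";
            default:                     return "Invalid user name or password.";
        }
    }

    public static void main(String[] args) {
        // Constructed sample in the shape AD returns (DSID and version values are made up).
        String msg = "[LDAP: error code 49 - 80090308: LdapErr: DSID-00000000, comment: "
                   + "AcceptSecurityContext error, data 532, v0000]";
        String reason = classify(msg);
        System.out.println(reason + " -> " + userMessage(reason));
    }
}
```

Log the precise reason on the server side; the message shown to the user deliberately does not distinguish an unknown account from a wrong password.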
 