Overview#

As with most LDAP server implementations, eDirectory provides extended LDAP result codes (NDS sub-codes) that help you determine the specific reason for an authentication failure.

eDirectory LDAP Result Code sub-codes for Authentication Failures#

| LDAP Code | HEX | DEC | Short Description | More Information | Comments |
|---|---|---|---|---|---|
| 49 | FFFFFD63 | -669 | LDAP_NO_SUCH_OBJECT | Returns when DN or password/credential is invalid. | No password policy, account restrictions or time restrictions are set. Rather, this details the result when the user has actually typed the wrong password or DN. (In eDirectory 8.8 SP1, a security enhancement was made for LDAP binds by an invalid user: the return code for an invalid user is now -669 instead of -601.) |
| 49 | FFFFFD63 | -669 | ERROR_LOGON_FAILURE | Returns when DN or password/credential is invalid. | No password policy, account restrictions or time restrictions are set. Rather, this details the result when the user has actually typed the wrong password or DN. |
| 0 | FFFFFF21 | -223 | ERROR_PASSWORD_EXPIRED | Password Expiration: password expired with grace logins remaining (ERROR_PASSWORD_EXPIRED). | The administrator has set "Force Password Changes" and the user's password has expired. The number of grace logins has been limited, but some are still remaining. NOTE: this is a special case. The authentication is still successful, since the bind operation can use one of the grace logins. |
| 49 | FFFFFF22 | -222 | ERROR_PASSWORD_EXPIRED | Password Expiration: ERROR_PASSWORD_EXPIRED | Password expired with no more grace logins. |
| 53 | FFFFFF24 | -220 | ERROR_ACCOUNT_DISABLED | Administratively disabled. | NOTE: Returns only when presented with a valid username and password/credential. |
| 53 | FFFFFF24 | -220 | ERROR_ACCOUNT_DISABLED | Account Restriction: LoginExpirationTime has been exceeded. | NOTE: Returns only when presented with a valid username and password/credential. |
| 53 | FFFFFF26 | -218 | ERROR_INVALID_LOGON_HOURS | Time Restriction: entry logon time restriction violation. | The administrator has set up login time restrictions for the user, and she is attempting to authenticate outside of the allowed time. |
| 53 | FFFFFF27 | -217 | MAXIMUM_LOGINS_EXCEEDED | Account Restriction: concurrent connections exceeded. | An attempt was made to log in using an account that has a limit on the number of concurrent connections (LoginMaximumSimultaneous), and that number has been reached. |
| 0 | FFFFFF25 | -219 | ERROR_INVALID_WORKSTATION | Device Restriction: network addresses limited. | An attempt to log in was made from an unauthorized station using an account limited to a specific network and/or station. (Note: this restriction is NOT currently enforced through LDAP. The user will be able to authenticate successfully.) |
| 53 | FFFFFF3B | -197 | ERROR_ACCOUNT_LOCKED_OUT | Intruder Detection: the account is locked because the intruder detection limits have been exceeded. | NOTE: Returns even if an invalid password is presented. |
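As an added example (not from this page nor from any eDirectory tooling), the following Python helper converts the HEX column above to the signed DEC sub-code and classifies a bind response by the sub-code carried in its diagnostic message, handling the two special cases in the table (resultCode 0 with -223 or -219 is still a successful bind). The diagnostic text shape "NDS error: ... (-nnn)" is an assumption about how eDirectory reports the sub-code.

```python
import re
from typing import NamedTuple, Optional

# Sub-codes and meanings taken from the table above.
NDS_SUBCODES = {
    -669: ("ERROR_LOGON_FAILURE", "invalid DN or password/credential"),
    -223: ("ERROR_PASSWORD_EXPIRED", "password expired, grace logins remaining"),
    -222: ("ERROR_PASSWORD_EXPIRED", "password expired, no grace logins left"),
    -220: ("ERROR_ACCOUNT_DISABLED", "disabled or LoginExpirationTime exceeded"),
    -218: ("ERROR_INVALID_LOGON_HOURS", "login time restriction violated"),
    -217: ("MAXIMUM_LOGINS_EXCEEDED", "concurrent connection limit reached"),
    -219: ("ERROR_INVALID_WORKSTATION", "address restriction (not enforced via LDAP)"),
    -197: ("ERROR_ACCOUNT_LOCKED_OUT", "locked by intruder detection"),
}

# Assumed diagnostic-message shape, e.g. "NDS error: failed authentication (-669)".
_NDS_RE = re.compile(r"\((-?\d+)\)\s*$")


class BindVerdict(NamedTuple):
    authenticated: bool      # True only for LDAP resultCode 0 (success)
    subcode: Optional[int]   # signed NDS sub-code, or None if not present
    name: str
    reason: str


def nds_hex_to_signed(hex_code: str) -> int:
    """Convert the 32-bit HEX form (e.g. 'FFFFFD63') to the signed DEC code (-669)."""
    value = int(hex_code, 16)
    return value - (1 << 32) if value & 0x80000000 else value


def classify_bind(result_code: int, diagnostic: str) -> BindVerdict:
    """Map an LDAP bind resultCode plus eDirectory diagnostic text to a verdict."""
    match = _NDS_RE.search(diagnostic or "")
    sub = int(match.group(1)) if match else None
    name, reason = NDS_SUBCODES.get(sub, ("UNKNOWN", "no eDirectory sub-code recognised"))
    # resultCode 0 means the bind succeeded even when -223 (grace login used)
    # or -219 (restriction not enforced) is attached, so log it as a success.
    return BindVerdict(result_code == 0, sub, name, reason)


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real server.
    for code, msg in [(49, "NDS error: failed authentication (-669)"),
                      (0, "NDS error: password expired (-223)"),
                      (53, "NDS error: intruder lockout (-197)")]:
        print(classify_bind(code, msg))
```

For SOC use, note that -220 is only returned with a valid credential while -197 is returned regardless, so a -220 failure on an account the owner did not use is itself worth alerting on.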

Setup Used for These Tests#

In addition to creating the test accounts, the following must also be done:
  • The password policy must be set up and assigned to the users (or to the o=test container).
  • The o=test container must be set up to "detect intruders".
# LDIF of locked accounts
# ldapsearch  -h ldap.willeke.com -b o=test,dc=com -s sub -D uid=isDisabled,o=test,dc=com -w novell "(cn=*)"
# ldapsearch  -h ldap.willeke.com -b o=test,dc=com -s sub -D uid=isINTRUDER,o=test,dc=com -w novell "(cn=*)"
version: 1

# isACTIVE,people,willeke,com
dn: uid=isACTIVE,o=test,dc=com
uid: isACTIVE
givenName: IS
sn: ACTIVE
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
userpassword: novell
cn: isACTIVE

# isDisabled,people,willeke,com
dn: uid=isDisabled,o=test,dc=com
employeeType: E
employeeStatus: A
uid: isDisabled
givenName: is
sn: Disabled
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
loginDisabled: TRUE
userpassword: novell
cn: isDisabled

# isINTRUDER,people,willeke,com
dn: uid=isINTRUDER,o=test,dc=com
uid: isINTRUDER
givenName: is
lockedByIntruder: TRUE
sn: INTRUDER
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
loginIntruderResetTime: 20090323114029Z
description: This account is locked by too many invalid login attempts until 2009. Used for testing.
userpassword: novell
cn: isINTRUDER

# isPWDExpired,people,willeke,com
dn: uid=isPWDExpired,o=test,dc=com
uid: isPWDExpired
givenName: IS
sn: PWDExpired
passwordExpirationTime: 20070102000000Z
passwordExpirationInterval: 4838400
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
userpassword: novell
cn: isPWDExpired

### END OF FILE

« This page (revision-46) was last changed on 03-Oct-2016 12:14 by jim