This page (revision-1) was last changed on 29-Nov-2024 16:16 by UnknownAuthor

!!! Overview
As with most [LDAP Server Implementations], [EDirectory] provides some extended [LDAP Result Codes] that can help you determine more specific reasons for [Authentication Failures].
!! [EDirectory] [LDAP] [Result Codes] sub-codes for [Bind Response]:
%%zebra-table
%%sortable
%%table-filter
||[LDAP Code|LDAP Result Codes]||[Hex]||[DEC]||Short Description||More Information||Comments
|[49|LDAP_INVALID_CREDENTIALS]|FFFFFD63|-669|[LDAP_NO_SUCH_OBJECT]|Returns when [DN] or [password]/[credential] is invalid.|No [password Policy], [Account Restrictions] or [Time Restrictions] are set. Rather, this details the results when the user has actually typed the wrong password or [DN]. (In eDirectory 8.8 SP1, a security enhancement was made when an invalid user does an LDAP bind. The return code for an invalid user now returns -669, instead of -601.)
|[49|LDAP_INVALID_CREDENTIALS]|FFFFFD63|-669|[ERROR_LOGON_FAILURE]|Returns when [DN] or [password]/[credential] is invalid.|No [password Policy], [Account Restrictions] or [Time Restrictions] are set. Rather, this details the results when the user has actually typed the wrong password or [DN].
|[0|LDAP_SUCCESS]|FFFFFF21|-223|[ERROR_PASSWORD_EXPIRED]|[Password Expiration]: Password expired with [Grace Logins] remaining - [ERROR_PASSWORD_EXPIRED]|The administrator has set "Force [Password Changes]" and the user's password has expired. The number of grace logins has been limited, but some are still remaining. NOTE: this is a special case. The [authentication] is still successful since the bind operation can use one of the [Grace Logins].
|[49|LDAP_INVALID_CREDENTIALS]|FFFFFF22|-222|[ERROR_PASSWORD_EXPIRED]|[Password Expiration]: [ERROR_PASSWORD_EXPIRED]|[Password] expired with no more [Grace Logins].
|[53|LDAP_UNWILLING_TO_PERFORM]|FFFFFF24|-220|[ERROR_ACCOUNT_DISABLED|ACCOUNTDISABLE]|[Administratively Disabled]|NOTE: Returns only when presented with valid [username] and [password]/[credential].
|[53|LDAP_UNWILLING_TO_PERFORM]|FFFFFF24|-220|[ERROR_ACCOUNT_DISABLED|ACCOUNTDISABLE]|[Account Restriction]: [LoginExpirationTime] has been exceeded|NOTE: Returns only when presented with valid [username] and [password]/[credential].
|[53|LDAP_UNWILLING_TO_PERFORM]|FFFFFF26|-218|[ERROR_INVALID_LOGON_HOURS]|[Time Restriction]: Entry logon time restriction violation|The administrator has set up login [Time Restrictions] for the user, and she is attempting to authenticate outside of the allowed time.
|[53|LDAP_UNWILLING_TO_PERFORM]|FFFFFF27|-217|[MAXIMUM_LOGINS_EXCEEDED]|[Account Restriction]: [Concurrent Connections Exceeded|LoginMaximumSimultaneous]|An attempt was made to log in using an account that has limits on the number of concurrent connections ([LoginMaximumSimultaneous]), and that number has been reached.
|[0|LDAP_SUCCESS]|FFFFFF25|-219|[ERROR_INVALID_WORKSTATION]|[Device Restriction]: Network Addresses Limited|An attempt to log in was made from an unauthorized station using an account with limits to a specific network and/or station. (Note: this restriction is __NOT__ currently enforced through [LDAP]. The user will be able to authenticate successfully.)
|[53|LDAP_UNWILLING_TO_PERFORM]|FFFFFF3B|-197|[ERROR_ACCOUNT_LOCKED_OUT]|[Intruder Detection]: The account is locked, as the intruder detection limits have been exceeded.|NOTE: Returns even if an invalid password is presented.
/%
/%
/%
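As an added example (not code from the original page or from eDirectory's own tooling), the Python below maps a bind response to the sub-code table above, so an application can tell a "password expired, grace login consumed" success (-223) from a plain success, and a lockout (-197) from a bad password (-669). It assumes the eDirectory diagnostic message ends with the signed sub-code in parentheses, e.g. "NDS error: failed authentication (-669)"; the hex converter shows why FFFFFD63 and -669 are the same 32-bit value.

```python
import re
from typing import Optional

# eDirectory bind sub-codes from the table above: decimal code -> (expected LDAP resultCode, meaning)
EDIR_BIND_SUBCODES = {
    -669: (49, "invalid DN or password"),
    -223: (0, "password expired, bind used a grace login"),
    -222: (49, "password expired, no grace logins left"),
    -220: (53, "account disabled or login expiration time exceeded"),
    -218: (53, "login time restriction violation"),
    -217: (53, "maximum concurrent connections exceeded"),
    -219: (0, "network address restriction (not enforced over LDAP)"),
    -197: (53, "account locked by intruder detection"),
}


def nds_hex_to_dec(hex_code: str) -> int:
    """Convert the 32-bit two's-complement hex form ('FFFFFD63') to the signed decimal (-669)."""
    value = int(hex_code, 16)
    return value - (1 << 32) if value & 0x80000000 else value


def extract_nds_code(diagnostic_message: str) -> Optional[int]:
    """Pull the trailing '(-NNN)' sub-code out of the diagnostic message (assumed format)."""
    match = re.search(r"\((-?\d+)\)\s*$", diagnostic_message.strip())
    return int(match.group(1)) if match else None


def classify_bind(result_code: int, diagnostic_message: str) -> dict:
    """Classify a BindResponse by resultCode plus the eDirectory sub-code in diagnosticMessage."""
    sub_code = extract_nds_code(diagnostic_message)
    entry = EDIR_BIND_SUBCODES.get(sub_code)
    # Whether the bind succeeded is decided by the LDAP resultCode, never by the sub-code alone.
    result = {"bound": result_code == 0, "sub_code": sub_code, "must_change_password": False}
    if entry is None:
        result["reason"] = "unmapped"
        return result
    expected_rc, reason = entry
    if expected_rc != result_code:
        # Server disagrees with the table (version differences); surface it rather than hide it.
        reason += " (resultCode %d differs from expected %d)" % (result_code, expected_rc)
    result["reason"] = reason
    # -223 is the special case: authentication succeeded but the password is already expired.
    result["must_change_password"] = sub_code == -223
    return result


if __name__ == "__main__":
    print(classify_bind(0, "NDS error: password expired (-223)"))
```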
!! Setup Used for These Tests
In addition to creating the test accounts, the following also needs to be done:
* The password policy must be setup and assigned to the users. (or the o=test container)
* The o=test container must be setup to "detect intruders".
{{{
# LDIF of locked accounts
# ldapsearch -h ldap.willeke.com -b o=test,dc=com -s sub -D uid=isDisabled,o=test,dc=com -w novell "(cn=*)"
# ldapsearch -h ldap.willeke.com -b o=test,dc=com -s sub -D uid=isINTRUDER,o=test,dc=com -w novell "(cn=*)"
version: 1
# isACTIVE,people,willeke,com
dn: uid=isACTIVE,o=test,dc=com
uid: isACTIVE
givenName: IS
sn: ACTIVE
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
userpassword: novell
cn: isACTIVE
# isDisabled,people,willeke,com
dn: uid=isDisabled,o=test,dc=com
employeeType: E
employeeStatus: A
uid: isDisabled
givenName: is
sn: Disabled
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
loginDisabled: TRUE
userpassword: novell
cn: isDisabled
# isINTRUDER,people,willeke,com
dn: uid=isINTRUDER,o=test,dc=com
uid: isINTRUDER
givenName: is
lockedByIntruder: TRUE
sn: INTRUDER
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
loginIntruderResetTime: 20090323114029Z
description: This account is Locked by too Many invalid login attempts until 2009. Used for Testing.
userpassword: novell
cn: isINTRUDER
# isPWDExpired,people,willeke,com
dn: uid=isPWDExpired,o=test,dc=com
uid: isPWDExpired
givenName: IS
sn: PWDExpired
passwordExpirationTime: 20070102000000Z
passwordExpirationInterval: 4838400
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
userpassword: novell
cn: isPWDExpired
### END OF FILE
}}}
!! Category
%%category [eDirectory]%%
!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [LDAP errors returned when NDS login, password, time and address restrictions are set|https://support.novell.com/docs/Tids/Solutions/10067240.html|target='_blank'] - based on information obtained 2010-10-03