Overview
As with most LDAP server implementations, eDirectory provides extended LDAP result codes that help you determine the specific reason for an authentication failure.

eDirectory LDAP Result Codes sub-codes for Bind Response:
LDAP Code | Hex | DEC | Short Description | More Information | Comments |
---|---|---|---|---|---|
49 | FFFFFD63 | -669 | LDAP_NO_SUCH_OBJECT | Returned when the DN or password/credential is invalid. | No password policy, account restrictions or time restrictions are set. Rather, this is the result when the user has actually typed the wrong password or DN. (In eDirectory 8.8 SP1, a security enhancement was made for the case where an invalid user does an LDAP bind: the return code for an invalid user is now -669 instead of -601.) |
49 | FFFFFD63 | -669 | ERROR_LOGON_FAILURE | Returned when the DN or password/credential is invalid. | No password policy, account restrictions or time restrictions are set. Rather, this is the result when the user has actually typed the wrong password or DN. |
0 | FFFFFF21 | -223 | ERROR_PASSWORD_EXPIRED | Password Expiration: password expired with grace logins remaining - ERROR_PASSWORD_EXPIRED | The administrator has set "Force Password Changes" and the user's password has expired. The number of grace logins has been limited, but some are still remaining. NOTE: this is a special case. The authentication is still successful, since the bind operation can use one of the grace logins. |
49 | FFFFFF22 | -222 | ERROR_PASSWORD_EXPIRED | Password Expiration: ERROR_PASSWORD_EXPIRED | Password expired with no more grace logins. |
53 | FFFFFF24 | -220 | ERROR_ACCOUNT_DISABLED | Administratively disabled | NOTE: Returned only when presented with a valid username and password/credential. |
53 | FFFFFF24 | -220 | ERROR_ACCOUNT_DISABLED | Account Restriction: LoginExpirationTime has been exceeded | NOTE: Returned only when presented with a valid username and password/credential. |
53 | FFFFFF26 | -218 | ERROR_INVALID_LOGON_HOURS | Time Restriction: entry logon time restriction violation | The administrator has set up login time restrictions for the user, and she is attempting to authenticate outside of the allowed time. |
53 | FFFFFF27 | -217 | MAXIMUM_LOGINS_EXCEEDED | Account Restriction: concurrent connections exceeded | An attempt was made to log in using an account that has a limit on the number of concurrent connections (LoginMaximumSimultaneous), and that number has been reached. |
0 | FFFFFF25 | -219 | ERROR_INVALID_WORKSTATION | Device Restriction: network addresses limited | An attempt to log in was made from an unauthorized station using an account that is limited to a specific network and/or station. (NOTE: this restriction is NOT currently enforced through LDAP. The user will be able to authenticate successfully.) |
53 | FFFFFF3B | -197 | ERROR_ACCOUNT_LOCKED_OUT | Intruder Detection: the account is locked because the intruder detection limits have been exceeded. | NOTE: Returned even if an invalid password is presented. |
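The table is easiest to use from a client or log pipeline when the three pieces of a bind response are looked at together: the LDAP resultCode, the NDS sub-code in the diagnostic message, and what that pair says about whether the credential was actually correct. The following is an added example (not code from the page or from eDirectory) that maps a bind response onto the rows above and tallies repeated -669 responses per DN for alerting. It assumes the server's diagnosticMessage ends with the NDS code in parentheses, e.g. `(-669)`; the message texts and events below are constructed, not captured from a server.

```python
import re
from collections import Counter

# Sub-code table transcribed from the page: NDS decimal code -> (LDAP result code, label, meaning).
SUBCODES = {
    -669: (49, "ERROR_LOGON_FAILURE", "DN or password/credential invalid"),
    -223: (0, "ERROR_PASSWORD_EXPIRED", "password expired, grace logins remaining (bind succeeds)"),
    -222: (49, "ERROR_PASSWORD_EXPIRED", "password expired, no grace logins left"),
    -220: (53, "ERROR_ACCOUNT_DISABLED", "account disabled or LoginExpirationTime exceeded"),
    -219: (0, "ERROR_INVALID_WORKSTATION", "network address restriction (not enforced over LDAP)"),
    -218: (53, "ERROR_INVALID_LOGON_HOURS", "outside the allowed login hours"),
    -217: (53, "MAXIMUM_LOGINS_EXCEEDED", "LoginMaximumSimultaneous reached"),
    -197: (53, "ERROR_ACCOUNT_LOCKED_OUT", "locked by intruder detection"),
}

# Assumption: the diagnosticMessage ends with the NDS code in parentheses, e.g. "... (-669)".
_CODE_RE = re.compile(r"\((-\d+)\)\s*$")


def extract_subcode(diagnostic_message):
    """Return the NDS sub-code from a bind diagnosticMessage, or None if there is none."""
    m = _CODE_RE.search(diagnostic_message or "")
    return int(m.group(1)) if m else None


def classify_bind(result_code, diagnostic_message):
    """Map one bind response (resultCode, diagnosticMessage) onto the page's table.

    Returns a dict with:
      outcome            'success', 'success_grace' or 'failure'
      subcode / label    the NDS sub-code and its name, if one was returned
      credentials_valid  True, False, or None when the response does not tell you
                         (-197 is returned even when the password was wrong)
    """
    sub = extract_subcode(diagnostic_message)
    entry = SUBCODES.get(sub)
    label = entry[1] if entry else None

    if result_code == 0:
        # -223 is the special case: the bind succeeded by consuming a grace login,
        # so the caller should force a password change instead of treating it as normal.
        outcome = "success_grace" if sub == -223 else "success"
        return {"outcome": outcome, "subcode": sub, "label": label, "credentials_valid": True}

    if sub == -669:
        valid = False
    elif sub == -197:
        valid = None  # the lockout response hides whether the password was right
    elif entry is not None:
        valid = True  # restriction codes are only reached after the credential check passed
    else:
        valid = None  # failure with no usable sub-code
    return {"outcome": "failure", "subcode": sub, "label": label, "credentials_valid": valid}


def flag_repeated_failures(bind_events, threshold=3):
    """Return bind DNs with at least `threshold` -669 or -197 responses.

    bind_events is an iterable of (bind_dn, result_code, diagnostic_message).
    -197 is counted too so a DN that has already tripped intruder detection is reported.
    """
    counts = Counter()
    for dn, _code, msg in bind_events:
        if extract_subcode(msg) in (-669, -197):
            counts[dn] += 1
    return sorted(dn for dn, n in counts.items() if n >= threshold)


# Constructed sample responses covering several rows of the table (not real server output).
SAMPLE_EVENTS = [
    ("uid=isACTIVE,o=test,dc=com", 0, ""),
    ("uid=isPWDExpired,o=test,dc=com", 0, "NDS error: password expired (-223)"),
    ("uid=isDisabled,o=test,dc=com", 53, "NDS error: account disabled (-220)"),
    ("uid=isINTRUDER,o=test,dc=com", 53, "NDS error: intruder lockout (-197)"),
    ("uid=isACTIVE,o=test,dc=com", 49, "NDS error: failed authentication (-669)"),
    ("uid=isACTIVE,o=test,dc=com", 49, "NDS error: failed authentication (-669)"),
    ("uid=isACTIVE,o=test,dc=com", 49, "NDS error: failed authentication (-669)"),
]

if __name__ == "__main__":
    for dn, code, msg in SAMPLE_EVENTS:
        print(dn, classify_bind(code, msg))
    print("repeated failures:", flag_repeated_failures(SAMPLE_EVENTS))
```

The point of `credentials_valid` being three-valued is the -197 row: once intruder detection has locked the account, the server answers -197 for a wrong password as well, so a failure counter keyed only on resultCode 49 would stop seeing the attempts. Counting -197 alongside -669 keeps the DN visible to whoever is watching the logs.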
Setup Used for These Tests
In addition to creating the test accounts, the following also needs to be done:
- The password policy must be set up and assigned to the users (or to the o=test container).
- The o=test container must be set up to "detect intruders".
```ldif
# LDIF of locked accounts
# ldapsearch -h ldap.willeke.com -b o=test,dc=com -s sub -D uid=isDisabled,o=test,dc=com -w novell "(cn=*)"
# ldapsearch -h ldap.willeke.com -b o=test,dc=com -s sub -D uid=isINTRUDER,o=test,dc=com -w novell "(cn=*)"
version: 1
# isACTIVE,people,willeke,com
dn: uid=isACTIVE,o=test,dc=com
uid: isACTIVE
givenName: IS
sn: ACTIVE
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
userpassword: novell
cn: isACTIVE

# isDisabled,people,willeke,com
dn: uid=isDisabled,o=test,dc=com
employeeType: E
employeeStatus: A
uid: isDisabled
givenName: is
sn: Disabled
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
loginDisabled: TRUE
userpassword: novell
cn: isDisabled

# isINTRUDER,people,willeke,com
dn: uid=isINTRUDER,o=test,dc=com
uid: isINTRUDER
givenName: is
lockedByIntruder: TRUE
sn: INTRUDER
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
loginIntruderResetTime: 20090323114029Z
description: This account is Locked by too Many invlaid login attempts until 2009. Used for Testing.
userpassword: novell
cn: isINTRUDER

# isPWDExpired,people,willeke,com
dn: uid=isPWDExpired,o=test,dc=com
uid: isPWDExpired
givenName: IS
sn: PWDExpired
passwordExpirationTime: 20070102000000Z
passwordExpirationInterval: 4838400
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
userpassword: novell
cn: isPWDExpired

### END OF FILE
```
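The LDIF above is also the server-side view of the states the table describes: loginDisabled, lockedByIntruder with loginIntruderResetTime, and passwordExpirationTime are the attributes that produce -220, -197 and -222/-223 at bind time. The following is an added example (not code from the page) that parses an LDIF export, reports each account's state as of a fixed reference date, and lists which sub-codes the table leads you to expect for that state. The reference date 2010-10-03 is the page's "information obtained" date, used here only to make the result deterministic; the embedded LDIF is an abridged copy of the page's four entries, with one description value folded across two lines to exercise LDIF continuation handling.

```python
from datetime import datetime, timezone

# Abridged from the page's LDIF. The description is folded (continuation line starts with a space).
SAMPLE_LDIF = """\
version: 1
# isACTIVE
dn: uid=isACTIVE,o=test,dc=com
uid: isACTIVE
objectClass: inetOrgPerson
objectClass: ndsLoginProperties
cn: isACTIVE

# isDisabled
dn: uid=isDisabled,o=test,dc=com
uid: isDisabled
loginDisabled: TRUE
cn: isDisabled

# isINTRUDER
dn: uid=isINTRUDER,o=test,dc=com
uid: isINTRUDER
lockedByIntruder: TRUE
loginIntruderResetTime: 20090323114029Z
description: This account is Locked by too Many invlaid login attempts until 2009.
  Used for Testing.
cn: isINTRUDER

# isPWDExpired
dn: uid=isPWDExpired,o=test,dc=com
uid: isPWDExpired
passwordExpirationTime: 20070102000000Z
passwordExpirationInterval: 4838400
cn: isPWDExpired
### END OF FILE
"""

# Fixed reference time (the page's "information obtained" date) so the audit is reproducible.
AS_OF = datetime(2010, 10, 3, tzinfo=timezone.utc)

# Sub-codes the page's table associates with each state. Which of -223/-222 an expired
# password produces depends on remaining grace logins, which this LDIF does not show.
EXPECTED = {
    "disabled": [-220],
    "intruder_locked": [-197],
    "password_expired": [-223, -222],
}


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts.

    Attribute names are lower-cased (LDAP compares them case-insensitively), comment
    lines are skipped, and a line starting with a space continues the previous value.
    """
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            continue
        attr = attr.strip().lower()
        if attr == "version":
            continue
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def first(entry, attr):
    """First value of an attribute (case-insensitive name), or None."""
    values = entry.get(attr.lower())
    return values[0] if values else None


def parse_time(generalized_time):
    """Parse an LDAP GeneralizedTime such as 20090323114029Z as UTC."""
    return datetime.strptime(generalized_time, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def account_state(entry, as_of):
    """Return the restriction states visible in the entry's ndsLoginProperties attributes."""
    flags = []
    if (first(entry, "loginDisabled") or "").upper() == "TRUE":
        flags.append("disabled")
    if (first(entry, "lockedByIntruder") or "").upper() == "TRUE":
        reset = first(entry, "loginIntruderResetTime")
        # Per the page's description the lock lasts until loginIntruderResetTime.
        if reset and parse_time(reset) <= as_of:
            flags.append("intruder_lock_expired")
        else:
            flags.append("intruder_locked")
    expires = first(entry, "passwordExpirationTime")
    if expires and parse_time(expires) <= as_of:
        flags.append("password_expired")
    return flags


def expected_subcodes(flags):
    """Sub-codes from the table that a bind against an account in these states may return."""
    return sorted({code for f in flags for code in EXPECTED.get(f, [])})


def audit(text, as_of):
    """Map each DN in the LDIF to its list of states."""
    return {first(e, "dn"): account_state(e, as_of) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, flags in audit(SAMPLE_LDIF, AS_OF).items():
        print(dn, flags, expected_subcodes(flags))
```

Run against a real export, the same audit gives you the list of accounts whose next bind will fail for a reason other than a wrong password, which is the set a help desk or an identity pipeline should reconcile before anyone reads a -669 as "user typo".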
Category
eDirectory

More Information
There might be more information for this subject on one of the following:
- [#1] - LDAP errors returned when NDS login, password, time and address restrictions are set
- based on information obtained 2010-10-03