!!! Overview
As with most [LDAP Server Implementations], [EDirectory] provides some extended [LDAP Result Codes] that can help you determine more specific reasons for [Authentication Failures].

!! [EDirectory] [LDAP] [Result Codes] sub-codes for [Bind Response]:
%%zebra-table
%%sortable
%%table-filter
||[LDAP Code|LDAP Result Codes]||[Hex]||[DEC]||Short Description||More Information||Comments
|[49|LDAP_INVALID_CREDENTIALS]|FFFFFD63|-669|[LDAP_NO_SUCH_OBJECT]|Returns when [DN] or [password]/[credential] is invalid.|No [password Policy], [Account Restrictions] or [Time Restrictions] are set. Rather, this details the results when the user has actually typed the wrong password or [DN]. (In eDirectory 8.8 SP1, a security enhancement was made when an invalid user does an LDAP bind: the return code for an invalid user is now -669 instead of -601, so a non-existent [DN] cannot be told apart from a wrong password.)
|[49|LDAP_INVALID_CREDENTIALS]|FFFFFD63|-669|[ERROR_LOGON_FAILURE]|Returns when [DN] or [password]/[credential] is invalid.|No [password Policy], [Account Restrictions] or [Time Restrictions] are set. Rather, this details the results when the user has actually typed the wrong password or [DN]
|[0|LDAP_SUCCESS]|FFFFFF21|-223|[ERROR_PASSWORD_EXPIRED]|[Password Expiration]: Password expired with [Grace Logins] remaining - [ERROR_PASSWORD_EXPIRED]|The administrator has set "Force [Password Changes]" and the user's password has expired. The number of grace logins has been limited, but some are still remaining. NOTE: this is a special case. The [authentication] is still successful since the bind operation can use one of the [Grace Logins].
|[49|LDAP_INVALID_CREDENTIALS]|FFFFFF22|-222|[ERROR_PASSWORD_EXPIRED]|[Password Expiration]: [ERROR_PASSWORD_EXPIRED]|[Password] expired with no more [Grace Logins]
|[53|LDAP_UNWILLING_TO_PERFORM]|FFFFFF24|-220|[ERROR_ACCOUNT_DISABLED|ACCOUNTDISABLE]|[Administratively Disabled]|NOTE: Returns only when presented with valid [username] and [password]/[credential]. 
|[53|LDAP_UNWILLING_TO_PERFORM]|FFFFFF24|-220|[ERROR_ACCOUNT_DISABLED|ACCOUNTDISABLE]|[Account Restriction]: [LoginExpirationTime] has been exceeded|NOTE: Returns only when presented with valid [username] and [password]/[credential].
|[53|LDAP_UNWILLING_TO_PERFORM]|FFFFFF26|-218|[ERROR_INVALID_LOGON_HOURS]|[Time Restriction]: Entry logon time restriction violation|The administrator has set up login [Time Restrictions] for the user, and she is attempting to authenticate outside of the allowed time.
|[53|LDAP_UNWILLING_TO_PERFORM]|FFFFFF27|-217|[MAXIMUM_LOGINS_EXCEEDED]|[Account Restriction]: [Concurrent Connections Exceeded|LoginMaximumSimultaneous]|An attempt was made to log in using an account that has limits on the number of concurrent connections ([LoginMaximumSimultaneous]), and that number has been reached.
|[0|LDAP_SUCCESS]|FFFFFF25|-219|[ERROR_INVALID_WORKSTATION]|[Device Restriction]: Network Addresses Limited|An attempt to log in was made from an unauthorized station using an account with limits to a specific network and or station. (Note: this restriction is __NOT__ currently enforced through [LDAP]. The user will be able to authenticate successfully.)
|[53|LDAP_UNWILLING_TO_PERFORM]|FFFFFF3B|-197|[ERROR_ACCOUNT_LOCKED_OUT]|[Intruder Detection]: The account is locked, as the intruder detection limits have been exceeded.|NOTE: Returns even if an invalid password is presented.
/%
/%
/%
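The table above mixes two signals: the standard LDAP result code and the signed NDS sub-code (the Hex column read as a 32-bit two's-complement value). Two rows (-223 and -219) arrive with LDAP result 0, so an application that looks only at the result code never notices them. The following added example (not from the original page or from eDirectory itself) converts the Hex column to the DEC column, combines both signals into one outcome, and keeps the user-facing message uniform so account state is not leaked; it assumes the sub-code appears in parentheses at the end of the bind response's diagnostic message, and the sample messages are constructed.

```python
import re
from typing import NamedTuple, Optional

# eDirectory bind sub-codes from the table: NDS error -> (LDAP result code, meaning).
EDIR_BIND_SUBCODES = {
    -669: (49, "invalid DN or password (a non-existent DN also returns -669, not -601)"),
    -223: (0, "password expired; bind succeeded by consuming a grace login"),
    -222: (49, "password expired with no grace logins remaining"),
    -220: (53, "account disabled or loginExpirationTime exceeded"),
    -218: (53, "login time restriction violated"),
    -217: (53, "maximum simultaneous logins exceeded"),
    -219: (0, "network address restriction (not enforced over LDAP)"),
    -197: (53, "account locked by intruder detection"),
}

def nds_hex_to_dec(hex_code: str) -> int:
    """Read an 8-digit NDS error such as 'FFFFFD63' as a signed 32-bit value (-669)."""
    value = int(hex_code, 16) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

class BindOutcome(NamedTuple):
    authenticated: bool         # did the bind itself succeed (LDAP result 0)?
    subcode: Optional[int]      # eDirectory sub-code found in the diagnostic message
    meaning: str                # operator-facing text: safe to log, not to show the user
    must_change_password: bool  # -223: success, but the user is running on grace logins

# Assumed message shape: the NDS sub-code is the trailing parenthesised number,
# e.g. "NDS error: failed authentication (-669)".
_SUBCODE_RE = re.compile(r"\((-?\d+)\)\s*$")

def classify_bind(result_code: int, diagnostic: str) -> BindOutcome:
    """Combine the LDAP result code and the eDirectory sub-code into one outcome."""
    m = _SUBCODE_RE.search(diagnostic or "")
    subcode = int(m.group(1)) if m else None
    if subcode is None:
        expected_rc, meaning = None, "no eDirectory sub-code in diagnostic message"
    else:
        expected_rc, meaning = EDIR_BIND_SUBCODES.get(
            subcode, (None, f"unknown eDirectory sub-code {subcode}"))
    if expected_rc is not None and expected_rc != result_code:
        meaning += f" (LDAP result {result_code} differs from expected {expected_rc})"
    return BindOutcome(authenticated=(result_code == 0), subcode=subcode, meaning=meaning,
                       must_change_password=(result_code == 0 and subcode == -223))

def user_facing_message(outcome: BindOutcome) -> str:
    """Every failure reads the same, so disabled/locked/expired state is not disclosed."""
    if outcome.authenticated:
        return ("Your password has expired; please change it now."
                if outcome.must_change_password else "Welcome.")
    return "Login failed."
```

The detailed `meaning` belongs in the server-side log, where a run of -197 or -669 for one DN is what an intruder-detection alert should key on.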

!! Setup Used for These Tests
In addition to creating the test accounts, the following also needs to be done:
* The password policy must be set up and assigned to the users (or to the o=test container).
* The o=test container must be set up to "detect intruders".
{{{
# LDIF of locked accounts
# ldapsearch  -h ldap.willeke.com -b o=test,dc=com -s sub -D uid=isDisabled,o=test,dc=com -w novell "(cn=*)"
# ldapsearch  -h ldap.willeke.com -b o=test,dc=com -s sub -D uid=isINTRUDER,o=test,dc=com -w novell "(cn=*)"
version: 1

# isACTIVE,people,willeke,com
dn: uid=isACTIVE,o=test,dc=com
uid: isACTIVE
givenName: IS
sn: ACTIVE
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
userpassword: novell
cn: isACTIVE

# isDisabled,people,willeke,com
dn: uid=isDisabled,o=test,dc=com
employeeType: E
employeeStatus: A
uid: isDisabled
givenName: is
sn: Disabled
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: Person
objectClass: ndsLoginProperties
objectClass: Top
loginDisabled: TRUE
userpassword: novell
cn: isDisabled

# isINTRUDER,people,willeke,com
dn: uid=isINTRUDER,o=test,dc=com
uid: isINTRUDER
givenName: is
lockedByIntruder: TRUE
sn: INTRUDER
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
loginIntruderResetTime: 20090323114029Z
description: This account is Locked by too Many invalid login attempts until 2009. Used for Testing.
userpassword: novell
cn: isINTRUDER

# isPWDExpired,people,willeke,com
dn: uid=isPWDExpired,o=test,dc=com
uid: isPWDExpired
givenName: IS
sn: PWDExpired
passwordExpirationTime: 20070102000000Z
passwordExpirationInterval: 4838400
objectClass: Top
objectClass: Person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: ndsLoginProperties
userpassword: novell
cn: isPWDExpired

### END OF FILE
}}}

!! Category
%%category [eDirectory]%%

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [LDAP errors returned when NDS login, password, time and address restrictions are set|https://support.novell.com/docs/Tids/Solutions/10067240.html|target='_blank'] - based on information obtained 2010-10-03