Hi again.

I'm getting and handling the ASN.1 messages for when a password is about to expire, and grace logins left, and cases where there's no exception. However, if there's an exception, the response controls are null. In the debugger, I see my response control present in the LdapContext, but the moment I step over

    ctx.modifyAttributes(strDn, mods);

and, for example, a javax.naming.directory.InvalidAttributeValueException is thrown for:

    Password should have a minmum of 6 characters

or:

    invalid reuse of password present in password history]

the LdapContext is still valid but the response controls are set to null? I've observed this by stepping through the code. I was hoping to catch the reason in the ASN message and handle the failure appropriately from there.

Thank you,
Carlo Accorsi

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kiran Ayyagari
Sent: Tuesday, November 15, 2011 1:57 PM
To: [email protected]
Subject: Re: ApacheDS differentiating Authentication Exceptions

On Tue, Nov 15, 2011 at 1:47 PM, Emmanuel Lecharny <[email protected]> wrote:
> On 11/15/11 7:11 PM, [email protected] wrote:
>>
>> Ok, when I try and bind with an expired password and all grace logins
>> are spent, this exception is thrown:
>>
>> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 -
>> INVALID_CREDENTIALS: Bind failed: paasword expired and max grace
>> logins were used]
>>
>> And in the LdapContext.getResponseControls() encodedValue there is
>> this small byte array:
>>
>> [48, 3, -127, 1, 0]
>>
>> Does anyone know how to interpret or decode this?
>
> This stands for
>   0x30 0x03
>     0x81 0x01 0x00
>
> which means, when correlated with the ASN.1 grammar:
>
> PasswordPolicyResponseValue ::= SEQUENCE {
>     warning [0] CHOICE {
>         timeBeforeExpiration [0] INTEGER (0 .. maxInt),
>         graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
>     error [1] ENUMERATED {
>         passwordExpired (0),
>         accountLocked (1),
>         changeAfterReset (2),
>         passwordModNotAllowed (3),
>         mustSupplyOldPassword (4),
>         insufficientPasswordQuality (5),
>         passwordTooShort (6),
>         passwordTooYoung (7),
>         passwordInHistory (8) } OPTIONAL }
>
> 0x30 0x03 : SEQUENCE, 3 bytes length
> 0x81 : error [1] (would have been 0x80 for a warning)
> 0x01 : one byte length
> 0x00 : passwordExpired.
>
> ASN1 can be fun, but only for people who like this part of Pulp Fiction:
> http://www.youtube.com/watch?v=wN2-I31Imis&feature=player_detailpage
>
there goes the Christopher Nolan of ASN1 :) thanks for putting in more details than the ones I was about to send.

OTOH, Carlo - take a look at the control's source present here [1]; you need not (and might not) use all of it, but some parts can be reused.

[1] http://svn.apache.org/repos/asf/directory/shared/trunk/ldap/extras/codec-api/src/main/java/org/apache/directory/shared/ldap/extras/controls/ppolicy

> --
> Regards,
> Cordialement,
> Emmanuel Lécharny
> www.iktek.com
>

-- 
Kiran Ayyagari
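The decoding Emmanuel walks through by hand, as an added example that is not part of the thread and not the ApacheDS codec from [1]: a small BER decoder for the PasswordPolicyResponseValue grammar quoted above. It takes the control's encodedValue either as bytes or as the signed-byte list the Java debugger prints (so -127 is read as 0x81), handles both the warning CHOICE (constructed [0] wrapping timeBeforeExpiration or graceAuthNsRemaining) and the error ENUMERATED, and rejects truncated input, trailing bytes and tags the grammar does not allow rather than guessing. The sample values other than [48, 3, -127, 1, 0] are constructed for illustration.

```python
"""Decoder for the LDAP PasswordPolicyResponseValue control value.

Added example, not code from the thread or from ApacheDS; it implements the
ASN.1 grammar quoted in the thread and accepts the Java-style signed byte
list shown by the debugger.
"""

# error [1] ENUMERATED values, exactly as listed in the grammar above
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}

# warning [0] CHOICE alternatives: context-specific primitive tags carried
# inside the constructed [0] wrapper (0xA0)
PPOLICY_WARNINGS = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}


def _read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header at offset %d" % pos)
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad long-form length at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("value truncated at offset %d" % pos)
    return tag, value, pos + length


def decode_ppolicy_response(raw):
    """Decode a PasswordPolicyResponseValue.

    raw may be bytes or a list of Java signed bytes such as [48, 3, -127, 1, 0].
    Returns {"warning": (name, seconds_or_count) | None, "error": (code, name) | None}.
    """
    buf = bytes(b & 0xFF for b in raw)  # normalise Java signed bytes to 0..255
    tag, body, end = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE (0x30), got 0x%02X" % tag)
    if end != len(buf):
        raise ValueError("trailing bytes after SEQUENCE")

    result = {"warning": None, "error": None}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0xA0:  # warning [0], constructed: wraps exactly one CHOICE alternative
            inner_tag, inner_val, inner_end = _read_tlv(value, 0)
            if inner_end != len(value) or inner_tag not in PPOLICY_WARNINGS:
                raise ValueError("malformed warning CHOICE")
            # INTEGER (0..maxInt) is two's-complement; signed decoding also
            # handles a leading 0x00 pad octet correctly
            result["warning"] = (PPOLICY_WARNINGS[inner_tag],
                                 int.from_bytes(inner_val, "big", signed=True))
        elif tag == 0x81:  # error [1], primitive ENUMERATED
            code = int.from_bytes(value, "big", signed=True)
            result["error"] = (code, PPOLICY_ERRORS.get(code, "unknown(%d)" % code))
        else:
            raise ValueError("unexpected tag 0x%02X in PasswordPolicyResponseValue" % tag)
    return result


if __name__ == "__main__":
    # The byte array from the thread, as printed by the Java debugger
    print(decode_ppolicy_response([48, 3, -127, 1, 0]))
    # Constructed sample: warning timeBeforeExpiration = 300 seconds, no error
    print(decode_ppolicy_response(bytes.fromhex("3006a0048002012c")))
```

Running it on the thread's array gives error (0, "passwordExpired") and no warning, matching the hand decoding; a control carrying both members (a grace-logins warning plus an error) decodes into both fields, which is the case worth checking before a bind or modify is reported to the user.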
