most likely it could be a bug, will check that

On Fri, Nov 18, 2011 at 6:09 AM, <[email protected]> wrote:
> Hi again. I'm getting and handling the ASN.1 messages for when a password is
> about to expire, and grace logins left and cases where there's no exception.
> However, if there's an exception, the response controls are null. In the
> debugger, I see my response control present in the LdapContext but the
> moment I step over
> ctx.modifyAttributes(strDn, mods);
>
> and for example a javax.naming.directory.InvalidAttributeValueException is
> thrown for:
>
> : Password should have a minmum of 6 characters
> Or
> : invalid reuse of password present in password history]
>
> The LdapContext is still valid but the response controls are set null? I've
> observed this by stepping through the code.
> I was hoping to catch the reason in the ASN message and handle the failure
> appropriately from there.
>
>
> Thank you,
> Carlo Accorsi
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of
> Kiran Ayyagari
> Sent: Tuesday, November 15, 2011 1:57 PM
> To: [email protected]
> Subject: Re: ApacheDS differentiating Authentication Exceptions
>
> On Tue, Nov 15, 2011 at 1:47 PM, Emmanuel Lecharny <[email protected]>
> wrote:
>> On 11/15/11 7:11 PM, [email protected] wrote:
>>>
>>> Ok, when I try and bind with an expired password and all grace logins
>>> are spent, this exception is thrown:
>>>
>>> Caused by: javax.naming.AuthenticationException: [LDAP: error code 49
>>> -
>>> INVALID_CREDENTIALS: Bind failed: paasword expired and max grace
>>> logins were used]
>>>
>>>
>>> And in the LdapContext.getResponseControls() encodedValue there is
>>> this small byte array:
>>>
>>> [48, 3, -127, 1, 0]
>>>
>>> Does anyone know how to interpret or decode this?
>>
>> This stands for
>> 0x30 0x03
>>   0x81 0x01 0x00
>>
>> which means, when correlated with the ASN.1 grammar:
>>
>> PasswordPolicyResponseValue ::= SEQUENCE {
>>     warning [0] CHOICE {
>>         timeBeforeExpiration [0] INTEGER (0 .. maxInt),
>>         graceAuthNsRemaining [1] INTEGER (0 .. maxInt) } OPTIONAL,
>>     error [1] ENUMERATED {
>>         passwordExpired (0),
>>         accountLocked (1),
>>         changeAfterReset (2),
>>         passwordModNotAllowed (3),
>>         mustSupplyOldPassword (4),
>>         insufficientPasswordQuality (5),
>>         passwordTooShort (6),
>>         passwordTooYoung (7),
>>         passwordInHistory (8) } OPTIONAL }
>>
>> 0x30 0x03 : SEQUENCE, 3 bytes length
>> 0x81 : error [1] (would have been 0x80 for a warning)
>> 0x01 : one byte length
>> 0x00 : passwordExpired.
>>
>> ASN1 can be fun, but only for people who like this part of Pulp Fiction:
>> http://www.youtube.com/watch?v=wN2-I31Imis&feature=player_detailpage
>>
> there goes the Christopher Nolan of ASN1 :) thanks for putting more details
> than the one I was about to send.
>
> OTOH, Carlo -
> take a look at the control's source present here [1], you need not (and might
> not) use all of it, but some parts can be reused
>
> [1]
> http://svn.apache.org/repos/asf/directory/shared/trunk/ldap/extras/codec-api/src/main/java/org/apache/directory/shared/ldap/extras/controls/ppolicy
>>
>> --
>> Regards,
>> Cordialement,
>> Emmanuel Lécharny
>> www.iktek.com
>>
>>
>
>
>
> --
> Kiran Ayyagari
>

-- Kiran Ayyagari
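
The decoding walked through in the quoted reply, as an added example that is not part of the thread and is not the ApacheDS codec: a small bounds-checked BER reader for `PasswordPolicyResponseValue` that takes the signed `byte[]` JNDI returns. The class and method names are hypothetical, and the code assumes the `warning` CHOICE arrives inside the constructed context tag 0xA0 (a tagged CHOICE is explicitly tagged), with short-form lengths only.

```java
public class PpolicyResponseDecoder { // hypothetical name; added example, not ApacheDS code
    static final String[] ERRORS = { "passwordExpired", "accountLocked", "changeAfterReset",
        "passwordModNotAllowed", "mustSupplyOldPassword", "insufficientPasswordQuality",
        "passwordTooShort", "passwordTooYoung", "passwordInHistory" };

    /** Short-form BER length at b[pos]; rejects truncated input and long-form lengths. */
    static int len(byte[] b, int pos) {
        if (pos >= b.length) throw new IllegalArgumentException("truncated");
        int l = b[pos] & 0xFF; // mask: Java bytes are signed (-127 is 0x81)
        if (l >= 0x80 || pos + 1 + l > b.length)
            throw new IllegalArgumentException("bad length at offset " + pos);
        return l;
    }

    /** Big-endian content of a non-negative INTEGER or ENUMERATED, 1 to 4 bytes. */
    static long num(byte[] b, int pos, int l) {
        if (l < 1 || l > 4) throw new IllegalArgumentException("bad integer size " + l);
        long v = 0;
        for (int i = 0; i < l; i++) v = (v << 8) | (b[pos + i] & 0xFF);
        return v;
    }

    static String decode(byte[] b) {
        if (b == null || b.length < 2 || b[0] != 0x30)
            throw new IllegalArgumentException("not a SEQUENCE");
        int end = 2 + len(b, 1);
        StringBuilder out = new StringBuilder();
        for (int pos = 2; pos < end; ) {
            int tag = b[pos] & 0xFF, l = len(b, pos + 1), val = pos + 2;
            if (tag == 0xA0 && l >= 2) { // warning [0]: explicit wrapper around the CHOICE (assumption)
                int choice = b[val] & 0xFF, cl = len(b, val + 1);
                if (cl + 2 != l) throw new IllegalArgumentException("warning length mismatch");
                String name = choice == 0x80 ? "timeBeforeExpiration"
                            : choice == 0x81 ? "graceAuthNsRemaining" : "unknownWarning";
                out.append("warning=").append(name).append(':').append(num(b, val + 2, cl)).append(' ');
            } else if (tag == 0x81) { // error [1] ENUMERATED
                long code = num(b, val, l);
                out.append("error=").append(code < ERRORS.length ? ERRORS[(int) code] : "unknown:" + code).append(' ');
            } else throw new IllegalArgumentException("unexpected tag 0x" + Integer.toHexString(tag));
            pos = val + l;
        }
        return out.toString().trim();
    }

    public static void main(String[] args) {
        System.out.println(decode(new byte[] { 48, 3, -127, 1, 0 })); // bytes from the thread
        // Constructed sample: warning with graceAuthNsRemaining = 2
        System.out.println(decode(new byte[] { 0x30, 0x05, (byte) 0xA0, 0x03, (byte) 0x81, 0x01, 0x02 }));
    }
}
```

In a JNDI client the input would be the `getEncodedValue()` result of the password policy control found in `LdapContext.getResponseControls()`, which must be null-checked first since, as reported above, it can be absent when the operation throws.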
