我正在尝试通过 InvalidAttributeValueException 实例确定 LDAP 错误代码 19(密码策略错误)的原因,以便我能够在 UI 中显示信息性错误消息。
我当前使用的 LDAP 服务是 openLDAP(作为应用程序中的嵌入式 LDAP),它提供了一个非常有用的信息,足以显示(即 "[LDAP: error code 19 - Password fails质量检查政策]" & "[LDAP:错误代码 19 - 密码在旧密码的历史记录中]")
但现在我想支持 Active Directory 和其他 LDAP 提供程序(将是外部的),从我在 rfc2251 和其他各种来源中看到的情况来看 - 每个实现都有自己的异常消息,唯一的标准是错误代码 19 映射到 InvalidAttributeValueException 而不是特定问题。
是否有解决方案(即使是部分解决方案)来区分错误代码 19 的不同原因?
有没有办法在给定 InvalidAttributeValueException 实例的情况下查询 LDAP 以获取该问题的答案?
谢谢
最佳答案
我上面的评论适用于通用 LDAP API,但我忘记了一些重要的事情。您需要调查 https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10 中指定的请求和响应控制.这在 OpenLDAP 中确实有效,但我不能说 Active Directory 是否支持它。我有支持它的 Java JNDI 代码,欢迎您使用。 PasswordPolicyResponseControl 可以返回以下内容:
/** Warning codes. */
public enum Warning
{
/** Password expiration warning.*/
timeBeforeExpiration,
/** Grace logins warning.*/
graceAuthNsRemaining,
none;
}
/** Error codes. */
public enum Error
{
/** The password has expired.*/
passwordExpired,
/**
* The account has been locked, either by an administrator
* or as a result of too many failed login attempts.
*/
accountLocked,
/**
* The password has been reset by an administrator and must be changed immediately.
*/
changeAfterReset,
/**
* The password policy does not permit the user to change his password.
*/
passwordModNotAllowed,
/**
* The password policy requires the old password to be supplied
* when changing passwords.
* This indicates a programming error in the client.
*/
mustSupplyOldPassword,
/**
* The new password has failed the quality check.
*/
insufficientPasswordQuality,
/**
* The new password is too short.
*/
passwordTooShort,
/**
* The current password is too new to change yet.
*/
passwordTooYoung,
/**
* The password policy specifies keeping a password history
* and the new password is already in it.
*/
passwordInHistory,
/**
* Error parsing the response control.
* This indicates a programming error either in this
* class or in the LDAP server.
*/
unparseableResponseControl,
/**
* No additional information.
* This can be seen e.g. when the user simply logs
* in with the wrong password.
*/
none;
};
关于java - 区分 InvalidAttributeValueException 的原因,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/9412315/