How to recognize distinct validations thrown by an LDAP server, and flags?


We are new to LDAP servers.

We were able to configure the LDAP server with password policies such as

  1. account lock out
  2. Wrong Password
  3. Password expired
  4. 5 times wrong authentication
  5. New password cannot be old password (Password History 5)

using the LDAP ppolicy configuration.

However, we have an issue: for all the validations thrown, the LDAP server does not throw distinct validations. We want distinct validations.

For example, to show different messages depending upon the number of consecutive failed authentications. Also, if an account is locked, a recognizable flag is required to display a message that the account has been locked.

How can we recognize them distinctly?

We need to set up a GUI on LDAP which prompts the appropriate messages for a given validation or flag. Hint: logs are saved when validations are generated.

Proposed: while saving the log, if we can also give/broadcast the appropriate validation.

zedkazi

Posted 2016-03-22T10:17:22.817

Reputation: 11

Answers


Put plainly, this is not possible through regular old LDAP.

The reason why is that, for your first four cases, per the LDAP RFC (4511), you will only receive an error code 49 indicating invalid credentials, and an error 53 in the last case, indicating operation not supported.

The protocol simply doesn't let you explain why the authentication failed, only that it did.

Part of this is for security - this way, an attacker only gets the login failure, they don't get extra information indicating why they failed, which would get them to shift tactics.

You would need some kind of middleware between your client and the LDAP server to handle this logic if you really want the distinct errors, but I strongly recommend you don't pursue this method if you can avoid it.

Mikey T.K.

Posted 2016-03-22T10:17:22.817

Reputation: 3 224

Well, we cannot avoid pursuing the requirement. My environment is set to authenticate through the LDAP server from multiple user-end applications using the same username and password. Also, we allow changing passwords from one intranet application only. However, we need to show the appropriate messages on all applications. Thus, the question asked. – zedkazi – 2016-03-23T09:09:33.227
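The answer is right that a plain bind result carries nothing beyond the result code. What the asker's ppolicy setup can add, if the client includes the Password Policy request control in the bind, is the Password Policy response control defined in draft-behera-ldap-password-policy (OID 1.3.6.1.4.1.42.2.27.8.5.1), which OpenLDAP's ppolicy overlay returns. Its value is a small BER SEQUENCE that can carry a warning (time before expiration or grace logins remaining) and an error enumeration (passwordExpired, accountLocked, passwordInHistory, and so on), which is exactly the per-case distinction the question asks for. The following Python is an added example, not code from the original thread or from OpenLDAP: the decoder, the `classify_bind` helper and its message strings are hypothetical names, and the control values are constructed byte strings, not captured from a server. Note that returning this control to a client discloses lockout state, which is the information leak the answer warns about; hand it only to a trusted middle tier, not to an unauthenticated client.

```python
"""Decode the Password Policy response control and classify LDAP bind results.

Added example (not from the original page). The encoding follows
draft-behera-ldap-password-policy:

  PasswordPolicyResponseValue ::= SEQUENCE {
      warning [0] CHOICE {
          timeBeforeExpiration [0] INTEGER,
          graceAuthNsRemaining [1] INTEGER } OPTIONAL,
      error   [1] ENUMERATED { passwordExpired(0), accountLocked(1),
          changeAfterReset(2), passwordModNotAllowed(3),
          mustSupplyOldPassword(4), insufficientPasswordQuality(5),
          passwordTooShort(6), passwordTooYoung(7),
          passwordInHistory(8) } OPTIONAL }
"""
from dataclasses import dataclass
from typing import Dict, Optional

# RFC 4511 result codes a simple bind actually returns
SUCCESS = 0
INVALID_CREDENTIALS = 49
UNWILLING_TO_PERFORM = 53

# OID of the Password Policy response control (draft-behera-ldap-password-policy)
PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


@dataclass
class PPolicyResponse:
    time_before_expiration: Optional[int] = None
    grace_authns_remaining: Optional[int] = None
    error: Optional[str] = None


def _read_tlv(buf: bytes, pos: int):
    """Read one BER TLV with a short-form length (all this control ever needs)."""
    tag = buf[pos]
    length = buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form BER length not expected in a ppolicy control")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def _ber_int(b: bytes) -> int:
    return int.from_bytes(b, "big", signed=True)


def decode_ppolicy_control(value: bytes) -> PPolicyResponse:
    """Parse the control value; warning [0] is an explicitly tagged CHOICE (0xA0),
    its alternatives and error [1] are implicitly tagged primitives (0x80/0x81)."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("ppolicy control value is not a SEQUENCE")
    resp = PPolicyResponse()
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                      # warning [0], constructed
            wtag, wval, _ = _read_tlv(inner, 0)
            if wtag == 0x80:                 # timeBeforeExpiration [0]
                resp.time_before_expiration = _ber_int(wval)
            elif wtag == 0x81:               # graceAuthNsRemaining [1]
                resp.grace_authns_remaining = _ber_int(wval)
        elif tag == 0x81:                    # error [1], primitive ENUMERATED
            code = _ber_int(inner)
            resp.error = PPOLICY_ERRORS.get(code, f"unknown({code})")
    return resp


def classify_bind(result_code: int, controls: Dict[str, bytes]) -> str:
    """Turn a bind result plus returned controls into one distinct message.

    Without the ppolicy response control every policy failure collapses to
    code 49, and the only honest message is the generic one.
    """
    ctl = controls.get(PPOLICY_CONTROL_OID)
    if ctl is not None:
        resp = decode_ppolicy_control(ctl)
        if resp.error is not None:
            return resp.error
        if result_code == SUCCESS and resp.grace_authns_remaining is not None:
            return f"success, {resp.grace_authns_remaining} grace logins left"
        if result_code == SUCCESS and resp.time_before_expiration is not None:
            return f"success, password expires in {resp.time_before_expiration}s"
    if result_code == SUCCESS:
        return "success"
    if result_code == INVALID_CREDENTIALS:
        return "invalidCredentials (reason not disclosed)"
    if result_code == UNWILLING_TO_PERFORM:
        return "unwillingToPerform"
    return f"ldap result {result_code}"


if __name__ == "__main__":
    # Constructed control values (not captured from a real server)
    locked = {PPOLICY_CONTROL_OID: bytes.fromhex("3003810101")}   # error=accountLocked
    grace = {PPOLICY_CONTROL_OID: bytes.fromhex("3005a003810102")}  # warning: 2 grace logins
    print(classify_bind(INVALID_CREDENTIALS, locked))  # accountLocked
    print(classify_bind(INVALID_CREDENTIALS, {}))      # invalidCredentials (reason not disclosed)
    print(classify_bind(SUCCESS, grace))               # success, 2 grace logins left
```

In practice the middle tier the answer describes would be the only component that sends the request control and sees the decoded reason; the end-user applications mentioned in the comment would receive whatever message that tier decides is safe to show.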