0 Replies Latest reply on Nov 11, 2005 6:34 PM by 807573

    ADSI does not return proper code for Password Expired

    807573
      We are trying to modify a vendor supplied system to get it to authenticate using our LDAPs. The vendor app is a hybrid IIS ASP/ASP.NET application so it seems necessary to use ADSI for authentication. We have had the solution working for more than a year, but now we want to expire passwords in our LDAP.

      We have been testing with both Netscape Gateway LDAP engine 4.13 and/or Sun One Directory Server Version 5.2. At the moment, the problem I am facing is that I get the same error code from ADSI whether the attempted password is bad or the user DN and password are good but the account has expired. In other words, I cannot differentiate between an expired password and bad typing during the login attempt.

      In either case [bad password or password expired], I get "-2147023570 Automation error Logon failure: unknown user name or bad password". I can log in successfully with an unexpired UID/password using the code, so it looks like I have no code error. I have tried several times to make sure I am typing everything OK. My results are consistent.

      I have found example code on the web that suggests I should be seeing the "error -2147016672 (1 from NDS) - password expired".

      Could there be some sort of Netscape or Sun One LDAP configuration parameter that prevents sending the password expired error code/message?

      Any other ideas what might be wrong?

      We've tested using VB, VBScript [directly] and VBScript in ASP. Always the same results.

      Here are the relevant sample lines {in VBScript}
                Set adsDSO = GetObject("LDAP:")
                on error resume next
                ' Bind as the user's own DN with the supplied password.
                ' The last argument (0) sets no ADSI authentication flags, so this is an LDAP simple bind.
                Set adsUser = adsDSO.OpenDSObject("LDAP://ourmachine.cusys.edu:portGoesHere/uid=" & UserName & ",o=whatever,c=US", "uid=" & UserName & ",o=whatever,c=US", Password, 0)
                
                ' With "on error resume next" a failed bind does not stop the script; it only sets err.number.
                if err.number <> 0 then
                     if err.number = -2147016672 then
                          ' Cannot seem to get here.
                          response.write "Error code: " & err.number & "<P>"
                          response.write "Error code for expired password<P>"
                     elseif err.number = -2147023570 then
                          response.write "Error code: " & err.number & "<P>"
                          response.write "Error code for bad credentials<P>"
                     else 
                          response.write "Error code: " & err.number & "<BR>"
                          response.write err.description & "<P>"
                     ' do more stuff ...
                     end if
                end if
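
Added example, not part of the original post: a VBScript helper that splits the two error numbers quoted above into their HRESULT fields, to show which LDAP result each one stands for. The function names are hypothetical. The Win32-to-LDAP pairings in the comments follow Microsoft's published ADSI error mapping. It uses WScript.Echo, so run it with cscript rather than inside ASP.

```vbscript
Option Explicit

' Split a COM error number (a signed 32-bit HRESULT) into its fields.
' Returns an array: (isFailure, facility, code).
Function SplitHResult(errNum)
    Dim facility, code
    facility = (errNum And &H07FF0000) \ &H10000   ' bits 16-26
    code = errNum And &HFFFF&                      ' bits 0-15; the trailing & keeps the mask a Long
    SplitHResult = Array(errNum < 0, facility, code)
End Function

' Describe an ADSI bind error in terms of the LDAP result it was mapped from.
Function DescribeBindError(errNum)
    Const FACILITY_WIN32 = 7
    Dim parts, text
    parts = SplitHResult(errNum)
    text = "0x" & Right("00000000" & Hex(errNum), 8) & ": "
    If parts(1) <> FACILITY_WIN32 Then
        DescribeBindError = text & "not a Win32-facility code (facility " & parts(1) & ")"
        Exit Function
    End If
    Select Case parts(2)
        Case 1326
            ' The code the post sees for both a bad and an expired password.
            text = text & "ERROR_LOGON_FAILURE, ADSI's mapping of LDAP result 49 (invalidCredentials)"
        Case 8224
            ' The code from the web example ("1 from NDS").
            text = text & "ERROR_DS_OPERATIONS_ERROR, ADSI's mapping of LDAP result 1 (operationsError)"
        Case Else
            text = text & "Win32 error " & parts(2)
    End Select
    DescribeBindError = text
End Function

' The two error numbers quoted in the post.
WScript.Echo DescribeBindError(-2147023570)
WScript.Echo DescribeBindError(-2147016672)
```

Err.Number carries only the mapped LDAP result code, so anything else the directory server sends with the bind response is not visible through it.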