LDAP errors returned when NDS login, password, time and address restrictions are set
(Last modified: 12Feb2003)
This document (10067240) is provided subject to the disclaimer at the end of this document.
goal
LDAP errors returned when NDS login, password, time and address restrictions are set
fact
Novell eDirectory 8.5 for NetWare 5.1
DS.NLM version 85.12A or above
LDAP Error: "49"
LDAP Error: "53"
NDS Error: "login lockout -197"
NDS Error: "maximum logins exceeded or Q stn not server -217"
NDS Error: "bad login time or Q halted -218"
NDS Error: "log account expired -220"
NDS Error: "bad password -222"
NDS Error: "password expired -223"
NDS Error: "failed authentication -669"
fix
The LDAP bind operation initiates a protocol session and (optionally) authenticates a user to the server. The authentication process requires that a user's distinguished name and password be passed as part of the bind. The server will return an LDAPResult upon recieving and processing the bind.
The LDAPResult contains three main fields - resultCode, matchedDN and errorMessage. The resultCode contains the LDAP error number; a code of zero is used to indicate successful completion of the operation. In the case of a bind, this would mean that the user has authenticated successfully. The matchedDN is not used in the bind operation; it will always be a blank string. The errorMessage is vendor defined. If the bind was not successful, the server can include an additional ASCII text message indicating possible causes of the problem.
When NDS password restrictions are set and the authentication fails, the LDAPResult will contain additional information in the errorMessage. In addition, the resultCode could be different than the standard LDAP one indicating an incorrect password. Developers might finds this data helpful in alerting the user to the reason why they couldn't login. For instance, the application could distinguish between a user whose account has been disabled and one who just typed in the wrong password.
The following section details the type of NDS password restriction set and the corresponding resultCode and errorMessage when the user can't authenticate.
Restriction: None
Description: No NDS password restrictions are set. Rather, this details the results when the user has actually typed the wrong password.
resultCode: 49
errorMessage: "NDS error: failed authentication (-669)"
Restriction: Password expired with grace logins remaining
Description: The administrator has set "Force Password Changes" and the user's password has expired. The number of grace logins has been limited, but some are still remaining. (Note: this is a special case. The authentication is still successful since the bind operation can use one of the grace logins.)
resultCode: 0
errorMessage: "NDS error: password expired (-223)"
Restriction: Password expired with no more grace logins
Description: Same as above except all of the grace logins have been used.
resultCode: 49
errorMessage: "NDS error: bad password (-222)"
Restriction: Account Disabled
Description: The administrator has manually disabled the user's account in Console One or nwadmin.
resultCode: 53
errorMessage: "NDS error: log account expired (-220)"
Restriction: Expired Account
Description: The administrator has set an expiration date and time for this user, and that date/time has already passed.
resultCode: 53
errorMessage: "NDS error: log account expired (-220)"
Restriction: Concurrent Connections Exceeded
Description: The administrator has limited the number of concurrent connections for the user, e.g. one connection. She is already authenticated through the client, so she can't open another connection via a bind operation.
resultCode: 53
errorMessage: "NDS error: maximum logins exceeded or Q stn not server (-217)"
Restriction: Login Time Limited
Description: The administrator has setup login time restrictions for the user, and she is attempting to authenticate outside of the allowed time.
resultCode: 53
errorMessage: "NDS error: bad login time or Q halted (-218)"
Restriction: Network Addresses Limited
Description: The administrator has setup network address restrictions for the user, and she is attempting to authenticate from a workstation outside of this list. (Note: this restriction is not currently enforced through LDAP. The user will be able to authenticate successfully.)
resultCode: 0
errorMessage: None
Restriction: Intruder Lockout
Description: The account is locked, as the intruder detection limits have been exceeded.
resultCode: 53
errorMessage: "NDS error: login lockout (-197)"
.
document
Document Title: | LDAP errors returned when NDS login, password, time and address restrictions are set |
Document ID: | 10067240 |
Solution ID: | NOVL67740 |
Creation Date: | 03Jan2002 |
Modified Date: | 12Feb2003 |
Novell Product Class: | Groupware Novell eDirectory |
disclaimer
The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.