Distinguishing the causes of InvalidAttributeValueException

Posted 2025-01-08 13:55:37, 582 characters, 0 views, 0 comments

I'm trying to determine via InvalidAttributeValueException instance, what was the cause for the LDAP error code 19 (password policy error) so I will be able to display an informative error message in the UI.

The current LDAP service I'm using is openLDAP (as an embedded LDAP in the application) and it provides a pretty informative message that was good enough to display (i.e. "[LDAP: error code 19 - Password fails quality checking policy]" & "[LDAP: error code 19 - Password is in history of old passwords]")

But now I want to support Active Directory & other LDAP providers (that will be external), and from what I've seen in rfc2251 and various other sources - every implementation puts its own exception message and the only standard thing is the error code 19 mapping to InvalidAttributeValueException and not to a specific issue.

Is there a solution (even a partial one) for differentiating between the different causes of an error code 19?
Is there a way, given an InvalidAttributeValueException instance, to query the LDAP for an answer to that question?

Thanks

Comments (2)

美人骨 2025-01-15 13:55:37

My comments above apply to the generic LDAP API, but I had forgotten something major. You need to investigate the request and response controls specified in https://datatracker.ietf.org/doc/html/draft-behera-ldap-password-policy-10. This does work in OpenLDAP but I can't say whether it is supported by Active Directory. I have Java JNDI code that supports it which you are welcome to. The PasswordPolicyResponseControl can return the following:

/** Warning codes. */
public enum Warning
{
    /** Password expiration warning.*/
    timeBeforeExpiration,
    /** Grace logins warning.*/
    graceAuthNsRemaining,
    none;
}

/** Error codes. */
public enum Error
{
    /** The password has expired.*/
    passwordExpired,
    /**
     * The account has been locked, either by an administrator
     * or as a result of too many failed login attempts.
     */
    accountLocked,
    /**
     * The password has been reset by an administrator and must be changed immediately.
     */
    changeAfterReset,
    /**
     * The password policy does not permit the user to change his password.
     */
    passwordModNotAllowed,
    /**
     * The password policy requires the old password to be supplied
     * when changing passwords.
     * This indicates a programming error in the client.
     */
    mustSupplyOldPassword,
    /**
     * The new password has failed the quality check.
     */
    insufficientPasswordQuality,
    /**
     * The new password is too short.
     */
    passwordTooShort,
    /**
     * The current password is too new to change yet.
     */
    passwordTooYoung,
    /**
     * The password policy specifies keeping a password history
     * and the new password is already in it.
     */
    passwordInHistory,
    /**
     * Error parsing the response control.
     * This indicates a programming error either in this
     * class or in the LDAP server.
     */
    unparseableResponseControl,
    /**
     * No additional information.
     * This can be seen e.g. when the user simply logs
     * in with the wrong password.
     */
    none;
};
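
The control-based route the answer recommends, as an added example (my own code, not the answerer's JNDI code and not part of JNDI): a decoder for the draft-behera PasswordPolicyResponseValue, a rootDSE check for whether the server advertises the control at all, and a password change that sends the request control and reads the response control JNDI keeps on the context after error 19. The class name, the `decode`/`serverAdvertisesControl`/`changePassword` helpers and the use of `userPassword` (OpenLDAP's attribute) are assumptions of this example; the OID and the value syntax come from the draft.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InvalidAttributeValueException;
import javax.naming.ldap.BasicControl;
import javax.naming.ldap.Control;
import javax.naming.ldap.LdapContext;

/** Decoder for the draft-behera password policy response control (hypothetical helper for this example). */
public final class PasswordPolicyResponse {
    /** OID of the password policy request/response control, as assigned in the draft. */
    public static final String OID = "1.3.6.1.4.1.42.2.27.8.5.1";

    /** Values in the order the draft's ENUMERATED assigns them (0..8); the last two are local markers. */
    public enum Error {
        passwordExpired, accountLocked, changeAfterReset, passwordModNotAllowed, mustSupplyOldPassword,
        insufficientPasswordQuality, passwordTooShort, passwordTooYoung, passwordInHistory,
        unparseableResponseControl, none
    }

    public enum Warning { timeBeforeExpiration, graceAuthNsRemaining, none }

    public final Warning warning;
    public final long warningValue;   // seconds left or grace binds left; -1 when no warning was sent
    public final Error error;

    private PasswordPolicyResponse(Warning w, long wv, Error e) { warning = w; warningValue = wv; error = e; }

    private static PasswordPolicyResponse unparseable() {
        return new PasswordPolicyResponse(Warning.none, -1, Error.unparseableResponseControl);
    }

    /** Tiny BER cursor: tag, short/long-form length, and small non-negative integers are all this value needs. */
    private static final class Ber {
        final byte[] b; int pos;
        Ber(byte[] b) { this.b = b; }
        int tag() { return b[pos++] & 0xFF; }
        int len() {
            int l = b[pos++] & 0xFF;
            if (l < 0x80) return l;                                   // short form
            int n = l & 0x7F, v = 0;
            for (int i = 0; i < n; i++) v = (v << 8) | (b[pos++] & 0xFF);   // long form
            return v;
        }
        long uint(int n) {
            long v = 0;
            for (int i = 0; i < n; i++) v = (v << 8) | (b[pos++] & 0xFF);
            return v;
        }
    }

    /**
     * Value syntax from the draft:
     *   SEQUENCE { warning [0] CHOICE { timeBeforeExpiration [0] INTEGER, graceAuthNsRemaining [1] INTEGER } OPTIONAL,
     *              error   [1] ENUMERATED { passwordExpired(0) ... passwordInHistory(8) } OPTIONAL }
     * LDAP's ASN.1 uses IMPLICIT tags, so "error" arrives as 0x81; a tagged CHOICE keeps its explicit
     * wrapper, so "warning" arrives as 0xA0 containing 0x80 or 0x81.
     */
    public static PasswordPolicyResponse decode(byte[] value) {
        if (value == null) return new PasswordPolicyResponse(Warning.none, -1, Error.none);
        try {
            Ber r = new Ber(value);
            if (r.tag() != 0x30) return unparseable();
            int seqLen = r.len();
            int end = r.pos + seqLen;
            Warning w = Warning.none; long wv = -1; Error e = Error.none;
            while (r.pos < end) {
                int t = r.tag(), l = r.len();
                if (t == 0xA0) {                                      // warning CHOICE
                    int inner = r.tag(), innerLen = r.len();
                    wv = r.uint(innerLen);
                    if (inner == 0x80) w = Warning.timeBeforeExpiration;
                    else if (inner == 0x81) w = Warning.graceAuthNsRemaining;
                    else return unparseable();
                } else if (t == 0x81) {                               // error ENUMERATED
                    long v = r.uint(l);
                    if (v > Error.passwordInHistory.ordinal()) return unparseable();
                    e = Error.values()[(int) v];
                } else {
                    r.pos += l;                                       // unknown element: skip, don't fail
                }
            }
            return new PasswordPolicyResponse(w, wv, e);
        } catch (ArrayIndexOutOfBoundsException truncated) {
            return unparseable();
        }
    }

    /** Ask the rootDSE first: a server that does not list the OID will never send the response control. */
    public static boolean serverAdvertisesControl(LdapContext ctx) throws NamingException {
        Attributes root = ctx.getAttributes("", new String[] { "supportedControl" });
        Attribute sc = root.get("supportedControl");
        return sc != null && sc.contains(OID);
    }

    /**
     * Replaces userPassword with the request control attached. JNDI stores the response controls on the
     * context before it throws for result 19; with no ControlFactory registered, the ppolicy control comes
     * back as a BasicControl whose getEncodedValue() is the raw BER decoded above.
     */
    public static Error changePassword(LdapContext ctx, String userDn, String newPassword) throws NamingException {
        ctx.setRequestControls(new Control[] { new BasicControl(OID, false, null) });
        try {
            ctx.modifyAttributes(userDn, DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttributes("userPassword", newPassword, true));
            return Error.none;
        } catch (InvalidAttributeValueException e) {
            Control[] resp = ctx.getResponseControls();
            if (resp != null) {
                for (Control c : resp) {
                    if (OID.equals(c.getID())) return decode(c.getEncodedValue()).error;
                }
            }
            return Error.none;   // no control in the response: only e.getExplanation() is left to interpret
        } finally {
            ctx.setRequestControls(null);
        }
    }
}
```

The request control is sent non-critical, so a server that does not implement it still processes the modify and simply omits the response control; `serverAdvertisesControl` tells you up front whether `Error.none` after a failure means "no policy error" or "this server cannot say". Active Directory changes passwords through `unicodePwd` over TLS rather than `userPassword`, so the modify itself would need adapting there even if the control were honoured.
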

天冷不及心凉 2025-01-15 13:55:37

Looking in the specs of the given exception you can find out the following:

  • The cause, which will vary by the implementation, is given in the constructor variant

InvalidAttributeValueException(String explanation)

  • It has a method to get it:

exception.getExplanation()

which gives the value put in with the constructor.

Because the constructor takes the value as a String, not an enum, it may be impossible to get a list of the values each coder has put into it when coding the different solutions. So, as you found out, everyone writes what they find appropriate: all of them differently, and thus they write other things.

That's what I can say by the specs.
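
Since `getExplanation()` is the only thing this answer leaves you with when no control arrives, here is an added example (my own code, not the answerer's or JNDI's) of using it defensively: pull the result code out of JNDI's `[LDAP: error code N - diagnostic]` framing, match the diagnostic against an explicit table of known server strings, and map the outcome to fixed UI text so raw server diagnostics never reach the page. The two OpenLDAP strings are the ones quoted in the question; the class and method names are assumptions, and the Active Directory entry assumes that AD reports password restriction failures with result 53 and the Win32 code 0000052D (ERROR_PASSWORD_RESTRICTION) rather than result 19.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.NamingException;
import javax.naming.directory.InvalidAttributeValueException;

/** String-based fallback classifier for password policy failures (hypothetical helper for this example). */
public final class PolicyExplanationClassifier {
    public enum Cause { POLICY_QUALITY, POLICY_HISTORY, POLICY_OTHER, UNRECOGNIZED }

    /** JNDI builds its explanation as "[LDAP: error code N - diagnostic]"; only this framing is portable. */
    private static final Pattern JNDI_FRAME = Pattern.compile("\\[LDAP: error code (\\d+)(?: - ([^\\]]*))?\\]");

    /** Ordered table, first hit wins; every entry is a server-specific string, not anything the RFC defines. */
    private static final Map<Pattern, Cause> KNOWN_DIAGNOSTICS = new LinkedHashMap<>();
    static {
        KNOWN_DIAGNOSTICS.put(Pattern.compile("fails quality checking policy", Pattern.CASE_INSENSITIVE), Cause.POLICY_QUALITY);
        KNOWN_DIAGNOSTICS.put(Pattern.compile("in history of old passwords", Pattern.CASE_INSENSITIVE), Cause.POLICY_HISTORY);
        // Assumed AD behaviour: Win32 ERROR_PASSWORD_RESTRICTION embedded in the diagnostic; it names no rule.
        KNOWN_DIAGNOSTICS.put(Pattern.compile("0000052D", Pattern.CASE_INSENSITIVE), Cause.POLICY_OTHER);
    }

    /** LDAP result code from the explanation, or -1 when the JNDI framing is absent. */
    public static int resultCode(String explanation) {
        Matcher m = JNDI_FRAME.matcher(explanation == null ? "" : explanation);
        return m.find() ? Integer.parseInt(m.group(1)) : -1;
    }

    /** Diagnostic text from the explanation, or "" when absent. */
    public static String diagnostic(String explanation) {
        Matcher m = JNDI_FRAME.matcher(explanation == null ? "" : explanation);
        return m.find() && m.group(2) != null ? m.group(2) : "";
    }

    /** Takes NamingException so the assumed AD case (result 53, not an InvalidAttributeValueException) is covered too. */
    public static Cause classify(NamingException e) {
        String expl = e.getExplanation();
        int code = resultCode(expl);
        if (code != 19 && code != 53) return Cause.UNRECOGNIZED;
        String diag = diagnostic(expl);
        for (Map.Entry<Pattern, Cause> k : KNOWN_DIAGNOSTICS.entrySet()) {
            if (k.getKey().matcher(diag).find()) return k.getValue();
        }
        return code == 19 ? Cause.POLICY_OTHER : Cause.UNRECOGNIZED;
    }

    /** Fixed UI strings; the raw diagnostic (DSIDs, internal codes) belongs in the server-side log only. */
    public static String userMessage(Cause c) {
        switch (c) {
            case POLICY_QUALITY: return "The new password does not meet the complexity rules.";
            case POLICY_HISTORY: return "The new password was used recently; choose one you have not used before.";
            case POLICY_OTHER:   return "The new password was rejected by the password policy.";
            default:             return "The password could not be changed.";
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the exact explanation JNDI produces for the OpenLDAP case quoted in the question.
        NamingException sample =
                new InvalidAttributeValueException("[LDAP: error code 19 - Password is in history of old passwords]");
        Cause c = classify(sample);
        System.out.println(c + " -> " + userMessage(c));
    }
}
```

Keep the table small and explicit rather than reaching for loose keywords: an unmatched diagnostic falling through to `POLICY_OTHER` is a safe default, whereas a keyword like "password" would misclassify unrelated constraint violations on the same attribute.
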
