如何解决当“用户必须在下次登录时更改密码”时,LDAP验证失败有什么办法吗?
| 设置了“用户必须在下次登录时更改密码”时,我无法进行用户验证。 这是我验证用户的方式:Boolean ValidateUser(String userName,String password)
{
try
{
var userOk = new DirectoryEntry(\"LDAP://<my LDAP server>\",userName,password,AuthenticationTypes.Secure
| AuthenticationTypes.ServerBind);
return true;
}
catch (COMException ex)
{
if (ex.ErrorCode == -2147023570) // 0x8007052E -- Wrong user or password
return false;
else
throw;
}
}
解决方法
在Internet上进行了长时间的搜索,一些错误消息的经验性工作以及Win32API的一些摸索之后,我想出了一个可行的解决方案。
Boolean ValidateUser(String userName,String password)
{
try
{
var user = new DirectoryEntry(\"LDAP://<my LDAP server>\",userName,password);
var obj = user.NativeObject;
return true;
}
catch (DirectoryServicesCOMException ex)
{
/*
* The string \" 773,\" was discovered empirically and it is related to the
* ERROR_PASSWORD_MUST_CHANGE = 0x773 that is returned by the LogonUser API.
*
* However this error code is not in any value field of the
* error message,therefore we need to check for the existence of
* the string in the error message.
*/
if (ex.ExtendedErrorMessage.Contains(\" 773,\"))
throw new UserMustChangePasswordException();
return false;
}
catch
{
throw;
}
}
LDAP_UF_ACCOUNT_DISABLE = 2
LDAP_UF_HOMEDIR_REQUIRED = 8
LDAP_UF_LOCKOUT = 16
LDAP_UF_PASSWD_NOTREQD = 32
LDAP_UF_PASSWD_CANT_CHANGE = 64
LDAP_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 128
LDAP_UF_NORMAL_ACCOUNT = 512
LDAP_UF_INTERDOMAIN_TRUST_ACCOUNT = 2048
LDAP_UF_WORKSTATION_TRUST_ACCOUNT = 4096
LDAP_UF_SERVER_TRUST_ACCOUNT = 8192
LDAP_UF_DONT_EXPIRE_PASSWD = 65536
LDAP_UF_MNS_LOGON_ACCOUNT = 131072
LDAP_UF_SMARTCARD_REQUIRED = 262144
LDAP_UF_TRUSTED_FOR_DELEGATION = 524288
LDAP_UF_NOT_DELEGATED = 1048576
LDAP_UF_USE_DES_KEY_ONLY = 2097152
LDAP_UF_DONT_REQUIRE_PREAUTH = 4194304
LDAP_UF_PASSWORD_EXPIRED = 8388608
LDAP_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 16777216
LDAP_UF_NO_AUTH_DATA_REQUIRED = 33554432
LDAP_UF_PARTIAL_SECRETS_ACCOUNT = 67108864
Catch ex As DirectoryServicesCOMException
Dim msg As String = Nothing
Select Case True
Case ex.ExtendedErrorMessage.Contains(\"773\")
msg = \"Error 773. User must change password at next logon is set. Please contact support.\"
Case ex.ExtendedErrorMessage.Contains(\"525\")
msg = \"User not found\"
Case ex.ExtendedErrorMessage.Contains(\"52e\")
msg = \"Invalid credentials\"
Case ex.ExtendedErrorMessage.Contains(\"530\")
msg = \"Not permitted to logon at this time\"
Case ex.ExtendedErrorMessage.Contains(\"531\")
msg = \"Not permitted to logon at this workstation\"
Case ex.ExtendedErrorMessage.Contains(\"532\")
msg = \"Password expired\"
Case ex.ExtendedErrorMessage.Contains(\"533\")
msg = \"Account disabled\"
Case ex.ExtendedErrorMessage.Contains(\"701\")
msg = \"Account expired\"
Case ex.ExtendedErrorMessage.Contains(\"775\")
msg = \"User account is locked\"
End Select
If msg IsNot Nothing Then
errorLabel.Text = ex.Message & \" \" & msg
Else
errorLabel.Text = ex.Message
End If
End Try
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
