Posted to issues@guacamole.apache.org by "Gary V (Jira)" <ji...@apache.org> on 2022/01/20 18:31:00 UTC

[jira] [Commented] (GUACAMOLE-1296) Add support for LDAP/AD password expiration and reset

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1296?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17479582#comment-17479582 ] 

Gary V commented on GUACAMOLE-1296:
-----------------------------------

[~vnick] :

Sorry for this late response.

The wording of my bug report was altered, which kind of changed my whole message... :)

My idea is that this error code 773 should be accepted as having given the correct credentials; error code 52e is INVALID_CREDENTIALS. When the RDP session is then started, Windows itself will present a change-password screen.

As I write this, I must admit I'm not using NLA, but RDP auth, because I can't get NLA working with the openid-module, but that's a different issue :P

The workaround I used, which was setting the user's temporary password on both the user's account in Windows and the user's account in the SQL database, works because the LDAP module fails on the error 773, after which it falls back to SQL, and then the same credentials are accepted.

[https://dotcms.com/docs/latest/active-directory-error-codes|http://example.com/]

> Add support for LDAP/AD password expiration and reset
> -----------------------------------------------------
>
>                 Key: GUACAMOLE-1296
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1296
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: guacamole-auth-ldap
>    Affects Versions: 1.3.0
>            Reporter: Gary V
>            Priority: Minor
>
> Guacamole login fails when a user is required to set a new AD password after first login.
> When a user logs in, AD returns code 773, which implies the authorization is correct but a new password must be set immediately in the remote session.
> Guacamole login fails.
>  
> Hint from catalina.out:
> Message ID : 1
>  BindResponse
>  Ldap Result
>  Result code : (INVALID_CREDENTIALS) invalidCredentials
>  Matched Dn : ''
>  Diagnostic message : '80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 773, v4563^@'
>  
> Edit some hours later:
> I was able to work around the problem by setting the password of the user's account to the same default password as set in AD. Then the login succeeded, Windows forced the user to change password, and the user was then able to log in with the new username/password combo.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
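
The distinction the comment draws between sub-codes 773 and 52e can be read straight from the `Diagnostic message` line in catalina.out. The following is an added example, not part of the original message and not Guacamole's code: a Python sketch that extracts the AD sub-code so a forced password change can be told apart from a wrong password when triaging failed LDAP binds. The function names and category labels are assumptions, and the mapping for 532 (password expired) is an addition beyond the two codes named in the thread.

```python
import re

# AD sub-codes that follow "data" in a failed bind's diagnostic message.
# 52e and 773 are the two discussed in this thread; 532 (password expired)
# is the closely related Windows error and is added here.
AD_SUBCODES = {
    "52e": "invalid_credentials",
    "532": "password_change_required",
    "773": "password_change_required",
}

# The sub-code is hexadecimal, so accept a-f as well as digits.
_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)\b")


def classify_diagnostic(message):
    """Return (category, subcode) for one LDAP diagnostic message."""
    match = _DATA_RE.search(message)
    if match is None:
        return ("unparsed", None)
    subcode = match.group(1).lower()
    # Anything not listed is still a failed bind, just not one of the above.
    return (AD_SUBCODES.get(subcode, "other_failure"), subcode)


def scan_log(text):
    """Classify every 'Diagnostic message' line in a catalina.out excerpt."""
    return [
        classify_diagnostic(line)
        for line in text.splitlines()
        if "Diagnostic message" in line
    ]


# The first line is the one quoted in the issue; the other two are constructed.
SAMPLE_LOG = """\
 Diagnostic message : '80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 773, v4563'
 Diagnostic message : '80090308: LdapErr: DSID-PLACEHOLDER, comment: AcceptSecurityContext error, data 52e, v4563'
 Diagnostic message : ''
"""

if __name__ == "__main__":
    for category, subcode in scan_log(SAMPLE_LOG):
        print(subcode, category)
```

Both sample binds carry the same LDAP result code (INVALID_CREDENTIALS), so the sub-code is the only field that separates them.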