No standard for exposing account state data has been universally adopted by LDAP vendors. This leaves clients with vendor-specific solutions that typically fall into the following categories:
use a request/response control
read directory attributes
parse custom error messages/exceptions
The AuthenticationResponseHandler can be used to solve this type of problem by populating the AccountState object of the AuthenticationResponse. AccountState contains Warning and Error types that are common to the most popular policy implementations. AccountState exposes the following properties:
date this account will expire
number of logins allowed before authentication for the account starts failing
integer code for this error
text for this error
Ldaptive provides several implementations for well-known directories:
For Active Directory, if this handler is assigned an expirationPeriod, then the ‘pwdLastSet’ attribute causes the handler to emit a warning whose expiration is the pwdLastSet value plus the expiration period. The scope of that warning can be narrowed further by providing a warningPeriod. By default, if the ‘msDS-UserPasswordExpiryTimeComputed’ attribute is found, expirationPeriod is ignored and that attribute is used instead.
eDirectory uses a combination of result messages and attributes to convey account state. To parse warnings, the required attributes must be requested via the Authenticator. See http://support.novell.com/docs/Tids/Solutions/10067240.html for more discussion and an explanation of error codes.
If the eDirectory handler is assigned a warningPeriod, it will only emit warnings during that window before password expiration. Otherwise, a warning is always emitted if the ‘passwordExpirationTime’ attribute is found.
FreeIPA also uses a combination of result messages and attributes to convey account state.
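The following is an added example, not code shipped by ldaptive and not one of its vendor handlers. It shows how a custom AuthenticationResponseHandler populates AccountState (the mechanism described at the top of this page), implements the Active Directory precedence rule (msDS-UserPasswordExpiryTimeComputed wins, otherwise pwdLastSet plus expirationPeriod, optionally narrowed by warningPeriod), and wires the handler into an Authenticator while requesting the attributes it reads, which the eDirectory paragraph notes is required. It assumes the ldaptive 2.x API (AuthenticationResponseHandler.handle, AccountState.Warning taking a ZonedDateTime, Authenticator.setReturnAttributes and setResponseHandlers); the class name ExpiryWarningHandler, the 90-day expiration and 14-day warning periods, and the FILETIME sentinel handling are my own choices.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;

import org.ldaptive.Credential;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.LdapException;
import org.ldaptive.auth.AccountState;
import org.ldaptive.auth.AuthenticationRequest;
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.auth.AuthenticationResponseHandler;
import org.ldaptive.auth.Authenticator;

/**
 * Illustrative handler (hypothetical, not part of ldaptive) that turns Active Directory's
 * FILETIME-valued expiry attributes into an AccountState warning.
 */
public class ExpiryWarningHandler implements AuthenticationResponseHandler {

  /** Attribute names from the text above; they must also be requested from the Authenticator. */
  static final String COMPUTED_EXPIRY_ATTR = "msDS-UserPasswordExpiryTimeComputed";
  static final String PWD_LAST_SET_ATTR = "pwdLastSet";

  /** Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01). */
  private static final long FILETIME_EPOCH_OFFSET_SECONDS = 11_644_473_600L;

  /** FILETIME sentinel meaning "never expires" (0x7FFFFFFFFFFFFFFF). */
  private static final long NEVER_EXPIRES = Long.MAX_VALUE;

  private final Duration expirationPeriod; // null: rely on the computed attribute only
  private final Duration warningPeriod;    // null: warn whenever an expiry is known

  public ExpiryWarningHandler(final Duration expirationPeriod, final Duration warningPeriod) {
    this.expirationPeriod = expirationPeriod;
    this.warningPeriod = warningPeriod;
  }

  @Override
  public void handle(final AuthenticationResponse response) {
    final LdapEntry entry = response.getLdapEntry();
    if (entry == null) {
      return; // no attributes were returned, so there is nothing to derive
    }
    final ZonedDateTime expiry = computeExpiry(entry, ZonedDateTime.now(ZoneOffset.UTC));
    if (expiry != null) {
      response.setAccountState(new AccountState(new AccountState.Warning(expiry)));
    }
  }

  /** Returns the expiration to warn about, or null when no warning applies; "now" is a parameter for testability. */
  ZonedDateTime computeExpiry(final LdapEntry entry, final ZonedDateTime now) {
    ZonedDateTime expiry = null;
    final LdapAttribute computed = entry.getAttribute(COMPUTED_EXPIRY_ATTR);
    if (computed != null) {
      // the computed attribute takes precedence; expirationPeriod is ignored
      expiry = fromFileTime(Long.parseLong(computed.getStringValue()));
    } else if (expirationPeriod != null) {
      final LdapAttribute lastSet = entry.getAttribute(PWD_LAST_SET_ATTR);
      if (lastSet != null) {
        final ZonedDateTime lastSetTime = fromFileTime(Long.parseLong(lastSet.getStringValue()));
        expiry = lastSetTime == null ? null : lastSetTime.plus(expirationPeriod);
      }
    }
    if (expiry == null) {
      return null;
    }
    // narrow the warning to the configured window before expiration
    if (warningPeriod != null && now.isBefore(expiry.minus(warningPeriod))) {
      return null;
    }
    return expiry;
  }

  /** Converts a FILETIME (100-ns ticks since 1601-01-01 UTC) to a ZonedDateTime; null for sentinel values. */
  static ZonedDateTime fromFileTime(final long fileTime) {
    if (fileTime <= 0 || fileTime == NEVER_EXPIRES) {
      return null; // 0 = unset (must change at next logon), MAX = never expires
    }
    final long seconds = fileTime / 10_000_000L - FILETIME_EPOCH_OFFSET_SECONDS;
    final long nanos = (fileTime % 10_000_000L) * 100L;
    return Instant.ofEpochSecond(seconds, nanos).atZone(ZoneOffset.UTC);
  }

  /** Wiring: request the attributes the handler reads, or the returned entry will not carry them. */
  public static AuthenticationResponse authenticate(final Authenticator auth, final String user, final String password)
    throws LdapException {
    auth.setReturnAttributes(COMPUTED_EXPIRY_ATTR, PWD_LAST_SET_ATTR);
    auth.setResponseHandlers(new ExpiryWarningHandler(Duration.ofDays(90), Duration.ofDays(14)));
    return auth.authenticate(new AuthenticationRequest(user, new Credential(password)));
  }
}
```

The caller reads the result back with getAccountState() on the AuthenticationResponse. The sentinel checks in fromFileTime matter in practice: a FILETIME of 0x7FFFFFFFFFFFFFFF means the password never expires and would otherwise overflow into a bogus date, and a pwdLastSet of 0 means the password must be changed at next logon, which a production handler would report as an Error rather than silently dropping as this example does.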
Ldaptive is an open source project developed and supported by
at Virginia Tech