Primal Cortex’s Weblog

Amnesia sets in…

Archive for November, 2007

Active Directory LDAP Errors

Posted by primalcortex on November 28, 2007

Something I’ve copied from here: http://forum.java.sun.com/thread.jspa?messageID=4227692

Thanks Dave!

Just to find it easily:

Common Active Directory LDAP bind errors:

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 525, v893
HEX: 0x525 – user not found
DEC: 1317 – ERROR_NO_SUCH_USER (The specified account does not exist.)
NOTE: Returns when username is invalid.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v893
HEX: 0x52e – invalid credentials
DEC: 1326 – ERROR_LOGON_FAILURE (Logon failure: unknown user name or bad password.)
NOTE: Returns when username is valid but password/credential is invalid. Will prevent most other errors from being displayed as noted.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 530, v893
HEX: 0x530 – not permitted to logon at this time
DEC: 1328 – ERROR_INVALID_LOGON_HOURS (Logon failure: account logon time restriction violation.)
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 531, v893
HEX: 0x531 – not permitted to logon from this workstation
DEC: 1329 – ERROR_INVALID_WORKSTATION (Logon failure: user not allowed to log on to this computer.)
LDAP[userWorkstations: <multivalued list of workstation names>]
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 532, v893
HEX: 0x532 – password expired
DEC: 1330 – ERROR_PASSWORD_EXPIRED (Logon failure: the specified account password has expired.)
LDAP[userAccountControl: <bitmask=0x00800000>] – PASSWORDEXPIRED
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v893
HEX: 0x533 – account disabled
DEC: 1331 – ERROR_ACCOUNT_DISABLED (Logon failure: account currently disabled.)
LDAP[userAccountControl: <bitmask=0x00000002>] – ACCOUNTDISABLE
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 701, v893
HEX: 0x701 – account expired
DEC: 1793 – ERROR_ACCOUNT_EXPIRED (The user’s account has expired.)
LDAP[accountExpires: <value of -1, 0, or extremely large value indicates account will not expire>] – ACCOUNTEXPIRED
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773, v893
HEX: 0x773 – user must reset password
DEC: 1907 – ERROR_PASSWORD_MUST_CHANGE (The user’s password must be changed before logging on the first time.)
LDAP[pwdLastSet: <value of 0 indicates admin-required password change>] – MUST_CHANGE_PASSWD
NOTE: Returns only when presented with valid username and password/credential.

80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v893
HEX: 0x775 – account locked out
DEC: 1909 – ERROR_ACCOUNT_LOCKED_OUT (The referenced account is currently locked out and may not be logged on to.)
LDAP[userAccountControl: <bitmask=0x00000010>] – LOCKOUT
NOTE: Returns even if invalid password is presented.
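
Because the table distinguishes "user not found" (data 525) from "bad password" (data 52e), any application that echoes the diagnostic text to its login form becomes a username enumeration oracle; the same goes for 775, which Active Directory reports even when the password is wrong. The following Python is added here as an example (it is not from the forum post or from this blog): it parses the data field out of the diagnostic string, keeps the full detail for the server-side log, and collapses every pre-password-check outcome to one generic message. The sample messages are constructed in the format JNDI and ldap3 clients surface and were not captured from a real directory.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sub-codes from the "data NNN" field of an Active Directory bind failure,
# as listed in the table above (hex value -> Win32 error name, meaning).
AD_BIND_DATA_CODES = {
    0x525: ("ERROR_NO_SUCH_USER", "user not found"),
    0x52E: ("ERROR_LOGON_FAILURE", "invalid credentials"),
    0x530: ("ERROR_INVALID_LOGON_HOURS", "not permitted to logon at this time"),
    0x531: ("ERROR_INVALID_WORKSTATION", "not permitted to logon from this workstation"),
    0x532: ("ERROR_PASSWORD_EXPIRED", "password expired"),
    0x533: ("ERROR_ACCOUNT_DISABLED", "account disabled"),
    0x701: ("ERROR_ACCOUNT_EXPIRED", "account expired"),
    0x773: ("ERROR_PASSWORD_MUST_CHANGE", "user must reset password"),
    0x775: ("ERROR_ACCOUNT_LOCKED_OUT", "account locked out"),
}

# Codes the table marks "returns only when presented with valid username and
# password": the caller has proved the password, so telling them the real
# reason leaks nothing they do not already know.
PASSWORD_VERIFIED = {0x530, 0x531, 0x532, 0x533, 0x701, 0x773}

GENERIC_MESSAGE = "Invalid username or password."

_DATA_FIELD = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


@dataclass(frozen=True)
class BindDiagnosis:
    code: Optional[int]      # parsed sub-code, None if the message had no data field
    name: str                # Win32 error name, or UNKNOWN
    detail: str              # meaning, for the server-side log only
    password_verified: bool  # True only for the post-password-check codes
    user_message: str        # what is safe to show the person logging in


def diagnose_bind_error(message: str) -> BindDiagnosis:
    """Classify the diagnostic text AD attaches to LDAP result 49 on a failed bind."""
    match = _DATA_FIELD.search(message or "")
    if not match:
        return BindDiagnosis(None, "UNKNOWN", "no AcceptSecurityContext data field",
                             False, GENERIC_MESSAGE)
    code = int(match.group(1), 16)
    name, detail = AD_BIND_DATA_CODES.get(
        code, ("UNKNOWN", "unrecognised data code 0x%x" % code))
    verified = code in PASSWORD_VERIFIED
    # 0x525 (no such user), 0x52e (bad password) and 0x775 (locked out, which AD
    # reports even for a wrong password) all collapse to one generic text so the
    # login form cannot be used to confirm which usernames exist.
    user_message = "Logon refused: %s." % detail if verified else GENERIC_MESSAGE
    return BindDiagnosis(code, name, detail, verified, user_message)


# Constructed sample messages in the shape a JNDI/ldap3 client surfaces;
# not captured from a real directory.
SAMPLE_NO_USER = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: "
                  "AcceptSecurityContext error, data 525, v893]")
SAMPLE_BAD_PW = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: "
                 "AcceptSecurityContext error, data 52e, v893]")
SAMPLE_MUST_CHANGE = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09030B, comment: "
                      "AcceptSecurityContext error, data 773, v893]")

if __name__ == "__main__":
    for sample in (SAMPLE_NO_USER, SAMPLE_BAD_PW, SAMPLE_MUST_CHANGE):
        d = diagnose_bind_error(sample)
        print("log: %s (%s) | show user: %s" % (d.name, d.detail, d.user_message))
```

Log the `name` and `detail` fields server-side (they are what an administrator needs to see lockouts and expired accounts), and surface only `user_message` to the browser.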

Posted in Geral, Micro$oft | 3 Comments

JBoss and JAAS debug

Posted by primalcortex on November 28, 2007

I’m having a lot of problems debugging an application that is supposed to be able to run on JBoss…

One of the main issues is the authentication process between the Web container and the EJB container. For authentication the Java JAAS architecture is used. JBoss has different configuration files from BEA or WebSphere, namely login-config.xml. In this file an application policy is defined, stating how users are validated: against a file with users and passwords, a database, or LDAP. An application policy used by both the EJB and the Web container must be defined there (it can be the same policy for both).

On the Web container/application side, the jboss-web.xml file in the WEB-INF folder of the Web application names the security domain used for login, which of course must match the other configuration files, in this case login-config.xml and web.xml. The web.xml file must also protect the resources that access the EJB container, so that users have to pass container authentication and a JAAS login context is created before any EJB call is made.

So the quick tip is:

1) Make sure that everything connects: login-config.xml <-> jboss-web.xml <-> web.xml

Content of the jboss-web.xml file in the Web application’s WEB-INF directory:

<jboss-web>
    <security-domain>java:/jaas/APPLICATION_DOMAIN</security-domain>
</jboss-web>

2) Make sure that in your web.xml file the <realm-name> in the <login-config> section matches the name of the security domain, in this case APPLICATION_DOMAIN. (Strictly, it is the <security-domain> value in jboss-web.xml that selects the application policy; the realm name is the one used in the HTTP authentication challenge. Keeping all three the same makes mismatches obvious.)

3) In the JBoss login-config.xml file there should also be an <application-policy name="APPLICATION_DOMAIN"> with the configuration you need (database module, LDAP module, and so on).
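
As an added example (these are not the blog’s or JBoss’s own files), here is how the three files from the steps above, plus the EJB jar’s jboss.xml, fit together for a domain called APPLICATION_DOMAIN on JBoss AS 4.x using the bundled DatabaseServerLoginModule. The datasource name java:/AppDS, the table and column names, the URL pattern /secure/* and the role AppUser are assumptions; replace them with your own.

```xml
<!-- WEB-INF/web.xml: protect the pages that reach the EJB tier so the
     container authenticates the caller first (path and role are assumed) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>AppUser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>APPLICATION_DOMAIN</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>AppUser</role-name>
</security-role>

<!-- WEB-INF/jboss-web.xml: this value is what selects the JAAS policy -->
<jboss-web>
  <security-domain>java:/jaas/APPLICATION_DOMAIN</security-domain>
</jboss-web>

<!-- META-INF/jboss.xml in the EJB jar: same domain, so the principal and
     roles established by the web login are accepted by the EJB container -->
<jboss>
  <security-domain>java:/jaas/APPLICATION_DOMAIN</security-domain>
</jboss>

<!-- server/<config>/conf/login-config.xml: the policy both deployments use
     (datasource, table and column names are assumed) -->
<application-policy name="APPLICATION_DOMAIN">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="dsJndiName">java:/AppDS</module-option>
      <module-option name="principalsQuery">SELECT password_hash FROM app_users WHERE username = ?</module-option>
      <module-option name="rolesQuery">SELECT role_name, 'Roles' FROM app_user_roles WHERE username = ?</module-option>
      <!-- compare against a stored digest rather than a clear-text password -->
      <module-option name="hashAlgorithm">SHA-256</module-option>
      <module-option name="hashEncoding">base64</module-option>
    </login-module>
  </authentication>
</application-policy>
```

The jboss.xml fragment is the piece most often forgotten: the post notes that the EJB container needs a policy as well, and jboss.xml is where the EJB jar points at it. The hashAlgorithm/hashEncoding options make the module digest the submitted password before comparing it with the column, which is better than clear-text storage; the digest this module computes is unsalted, so treat it as a floor, not as a proper password hashing scheme.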

But this might not be enough, so if you need to debug JAAS you can add the following to the log4j.xml file (in the server configuration’s conf directory):

<category name="org.jboss.security">
    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
    <appender-ref ref="SECURITY_F"/>
</category>

<appender name="SECURITY_F"
    class="org.jboss.logging.appender.DailyRollingFileAppender">
    <param name="Append" value="true"/>
    <param name="DatePattern" value="'.'yyyy-MM-dd"/>
    <param name="File"
        value="${jboss.server.home.dir}/log/jboss.security.log"/>
    <layout class="org.apache.log4j.PatternLayout">
        <param name="ConversionPattern"
            value="%d{ABSOLUTE} %-5p [%c] %m%n"/>
    </layout>
</appender>

This goes more or less in the middle of the file, just where the <category> sections begin.

With this configuration a new log file named jboss.security.log will be created with the JAAS information, so you can see what’s going on. TRACE on org.jboss.security is very verbose and records usernames and other details of every authentication attempt, so drop the level back (or remove the category) once the problem is found, and keep the log file readable only by the account the server runs as.

Posted in All about all

(K)Ubuntu and Visio Clone (Part II)

Posted by primalcortex on November 21, 2007

I’ve tried DIA http://live.gnome.org/Dia to make some network/deployment architectures graphics.

My impressions:

- It took me a while to understand how to add elements (in my case network elements) to the canvas.

- DIA works with the concept of layers, so if you want to put something in front of another object you must create a new layer, cut the object, change to the new layer and paste it.

- Linking objects works ok, but only on the same layer.

- After the drawing is made you can’t copy it and paste it into an OpenOffice document.

So, as a standalone product it’s good, despite the layers issue described above. It means you must think your drawings through a bit ahead, and if you want to make changes it can get quite complicated.

Posted in All about all

Rainbow ikey 3000

Posted by primalcortex on November 19, 2007

One of the (cheap) crypto USB tokens available that work on Linux (and Windows, of course) is out of production.

If you’re into Crypto, PKI, and so on, and need one, get it while they are available.

Posted in Linux

Kubuntu and Firefox download manager

Posted by primalcortex on November 19, 2007

One of the problems that I had with Firefox (2.0.0.8) on Kubuntu was that in the download manager window neither “Open” nor “Open Containing Folder” worked. I clicked and clicked and nothing happened. A lot of people complain about this issue in the Firefox bug tracker, where it seems that it only happens with the 32-bit version of Firefox. Bummer for my computer to be 6 years old… :) (And it runs Linux!)

As usual Google helped me find a solution, but with one caveat: the icons on the left side of the bookmarks are lost or changed to the same icon (in this case Konqueror’s).

What I did was:

1) On the address toolbar write the following: about:config

2) Right click on the page and choose New -> String

3) Write the following value: network.protocol-handler.app.file

4) After pressing Ok, double click on the new entry and write: /usr/bin/konqueror

Now try it. It should work.

Posted in Linux

FileManager Treeview

Posted by primalcortex on November 17, 2007

I’m not the only one missing this: http://dot.kde.org/1172721427/1172796957/

Tree view can make file-system navigation much faster than back-up-click-back-back…

Posted in All about all

X-Windows access on your Windows PC

Posted by primalcortex on November 17, 2007

Sometimes you need to run graphical Unix/Linux applications from your Windows client PC. Text access is easy: there are several SSH clients available, and Windows has a telnet client. What about X-Windows?

The solution is XLiveCD: http://xlivecd.indiana.edu/

This is a CD that turns your Windows PC into an X-Windows client (the correct terminology would be server… ;) ). With it you just start an SSH session into your remote Unix/Linux box with X11 forwarding enabled, and from there run any graphical application you need. The application will display alongside your other Windows applications. Keep in mind that X11 forwarding gives the remote host a connection to your local X server, so only forward to machines you trust.

By the way, if you have Nero Image or something similar, you don’t even need to burn a CD…

Also, as a bonus, the CD has a complete Cygwin set of commands, so you also get tail, grep, uniq…

Posted in Geral

In the ages of PATH

Posted by primalcortex on November 16, 2007

Why on earth, in 2007, can some applications only process the Windows PATH variable up to a length of 128 characters?

And if the path they need is beyond that limit, they fail miserably?

Check the PATH variable when applications start to behave strangely after a reboot, for example when you have just set up that brand new backup agent…

Posted in Micro$oft

Cool utilities

Posted by primalcortex on November 16, 2007

Secure shell (for non commercial uses): http://www.ssh.com/support/downloads/secureshellwks/non-commercial.html

I use it to connect to my NSLU2. By clicking an icon on the toolbar it opens an SFTP session in a window much like Windows Explorer, with drag-and-drop support for file transfer.

Wireshark (formerly Ethereal): http://www.wireshark.org/ -> Cool multi-platform network tracer. Trouble guessing what is going on in that SOAP request? This is the tool. Not for the faint of heart…

Posted in Geral

Linux (K)Ubuntu and OpenOffice Visio clone…

Posted by primalcortex on November 15, 2007

THAT’s what I’m missing…

A good application for network diagrams on Linux, something like the Detailed Network stencil on Visio. (Edit: I do mean the detailed network base diagram that has several stencils for drawing detailed networks).

Kivio is ok for flowcharting, but the available (to be bought) stencils… hmm, I think not.

Posted in Linux | 2 Comments