Wednesday, May 4, 2016

How to catch the AD password expired/locked situation by WSO2IS

Solution: you have to write your own custom user store.

When the password expired or account locked from the AD level, AD returns an error codes [1] to the IS. That error code you can catch in the customer user store and implement your own logic to fulfilling your requirement.

So, create a new class extending org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager [2], and it will let you to override the doAuthenticate() method which derived from ReadOnlyLDAPUserStoreManager [3]. Note that you need to implement bindAsUser() method, and catch the AuthenticationException which throws when the password expired or account locked from the AD level and based on that you can implement your own logic.

You can see the error codes thrown from AD to IS when enabling DEBUG logs in org.wso2.carbon.user.core component.
For this you need to navigate to [IS_HOME]/repository/conf directory and add the following entry to file and save it.

Then restart the server and try to login with password expired or account locked user. You can see the error codes in [IS_HOME]/repository/logs/wso2carbon.log file

Refer [4] which will help you on how to write a custom user store manager and deploying the same. After deployment and restarting the server verify whether your scenario works as expected.

Refer [5] the sample CustomUserStoreManager code base which will help you identifying the structure you need to implement your class. ( You can download this source and adhere to this structure when writing your own implementation)

No comments: