当“用户必须在下次登录时更改密码"时,LDAP 验证失败.有什么解决办法吗? [英] LDAP validation fails when "User must change password on next log on". Any solution?


Question

当设置了用户下次登录时必须更改密码"时,我遇到了用户验证问题.

I'm having trouble with a user validation when the "User must change password on next log on" is set.

Here's how I validate the user:

using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

Boolean ValidateUser(String userName, String password)
{
    try
    {
        var userOk = new DirectoryEntry("LDAP://<my LDAP server>", 
                                        userName, 
                                        password, 
                                        AuthenticationTypes.Secure 
                                      | AuthenticationTypes.ServerBind);
        // The constructor alone does not contact the server; touching
        // NativeObject forces the bind so a bad password surfaces here.
        var bound = userOk.NativeObject;
        return true;
    }
    catch (COMException ex)
    {
        if (ex.ErrorCode == -2147023570) // 0x8007052E -- Wrong user or password
            return false;
        else
            throw;
    }
}

当设置必须更改密码"时,COMException 会按预期捕获,但是,ErrorCode 与密码错误时相同.

When the "must change password" is set the COMException is catched as expected, however, the ErrorCode is the same as if the password was wrong.

Does anyone know how to fix this?

I need a return code that tells that the password is correct AND that the user must change the password.

I don't want to implement Kerberos in C# just to check for a damn flag when the user must change the password.

Recommended answer

After a long search on the Internet, some empirical work with error messages and some spelunking through Win32API, I've come up with a solution that, so far, works.

using System;
using System.DirectoryServices;

// Signals "password correct, but the account must change it at next logon".
// Assumed to be declared by the caller; its definition is not part of the answer.
class UserMustChangePasswordException : Exception { }

Boolean ValidateUser(String userName, String password)
{
  try
  {
    using (var user = new DirectoryEntry("LDAP://<my LDAP server>", 
                                         userName, 
                                         password))
    {
      // Touching NativeObject forces the actual bind with the supplied credentials.
      var obj = user.NativeObject;
      return true;
    }
  }
  catch (DirectoryServicesCOMException ex)
  {
    /*
     * The string " 773," was discovered empirically and it is related to the
     * ERROR_PASSWORD_MUST_CHANGE = 0x773 that is returned by the LogonUser API.
     * 
     * However this error code is not in any value field of the 
     * error message, therefore we need to check for the existence of 
     * the string in the error message.
     */
     if (ex.ExtendedErrorMessage.Contains(" 773,"))
        throw new UserMustChangePasswordException();

     return false;
  }
}
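As an added illustration (not code from the question or the answer), the same check written in Python so the parsing step stands on its own: it pulls the hex "data" sub-code out of the Active Directory bind error string instead of testing for the bare substring " 773,", and maps the well-known sub-codes (0x773 = ERROR_PASSWORD_MUST_CHANGE, 0x52e = ERROR_LOGON_FAILURE, and the others AD reports the same way) to the three outcomes a login routine needs. The sample messages and the DSID value in them are constructed.

```python
import re

# Well-known "data" sub-codes that Active Directory appends to the
# AcceptSecurityContext bind error string. 0x773 is ERROR_PASSWORD_MUST_CHANGE
# (the value the answer above matches on); 0x52e is ERROR_LOGON_FAILURE.
BIND_DATA_CODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "not permitted to log on at this time",
    0x531: "not permitted to log on at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must change password",
    0x775: "account locked out",
}

# Match the labelled "data <hex>," field; anchoring on the keyword is more
# robust than searching for " 773," anywhere in the message.
_DATA_FIELD = re.compile(r"\bdata\s+([0-9a-fA-F]+),")

def parse_bind_error(extended_message):
    """Return (sub-code, description) for an AD bind failure, or (None, None)."""
    m = _DATA_FIELD.search(extended_message or "")
    if not m:
        return None, None
    code = int(m.group(1), 16)
    return code, BIND_DATA_CODES.get(code, "unknown sub-code")

def classify_bind(extended_message):
    """Reduce the message to the outcomes the login routine has to distinguish."""
    code, _ = parse_bind_error(extended_message)
    if code == 0x773:
        return "password-ok-must-change"
    if code in (0x52E, 0x525):
        return "bad-credentials"
    return "other-failure"

# Constructed sample messages in the shape AD returns (DSID value is a placeholder).
SAMPLES = {
    "must_change": "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1",
    "wrong_pw": "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1",
    "locked": "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, parse_bind_error(msg), classify_bind(msg))
```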

这篇关于当“用户必须在下次登录时更改密码"时,LDAP 验证失败.有什么解决办法吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆