Specific AD authentication module
We could have a specific AD authentication module, which inherits from AuthLDAP and manages AD specifics such as authentication errors. Gaultier HUBERT gave me some code to handle this:
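# AD-specific handling of a failed user bind.
#
# Expects $self->{dn}, $self->{password} and $self->{entry} (the LDAP entry
# found for the user) to be set by the caller, and userBind() to return a
# false value on success and a true value on failure — TODO confirm against
# AuthLDAP::userBind.
#
# Returns a PE_* portal code: PE_OK when the bind succeeds, otherwise a code
# derived from the account's AD flags, falling back to PE_PASSWORD_MISMATCH.
#
# NOTE(review): on a failed bind this branch reports account state
# (disabled / locked / expired) to whoever supplied the user name and a wrong
# password; keep it only if the portal is meant to show that distinction.
if ( $self->ldap->userBind( $self->{dn}, password => $self->{password} ) ) {
    my $entry = $self->{entry};

    # No entry to inspect: report a plain mismatch rather than dying on a
    # method call on undef.
    return PE_PASSWORD_MISMATCH unless defined $entry;

    # userAccountControl bit values (Microsoft ADS_USER_FLAG_ENUM).
    my $UF_ACCOUNTDISABLE   = 0x2;
    my $UF_LOCKOUT          = 0x10;
    my $UF_PASSWORD_EXPIRED = 0x800000;    # 8388608

    # Read each attribute once. A missing numeric attribute counts as 0 so
    # the bit tests below neither warn nor match.
    my $uac         = $entry->get_value('userAccountControl') || 0;
    my $uacComputed = $entry->get_value('msDS-User-Account-Control-Computed') || 0;
    my $pwdLastSet  = $entry->get_value('pwdLastSet');
    my $lockoutTime = $entry->get_value('lockoutTime');
    my $sam         = $entry->get_value('sAMAccountName');

    # NOTE(review): AD is documented to expose the LOCKOUT and
    # PASSWORD_EXPIRED bits through the constructed attribute
    # msDS-User-Account-Control-Computed rather than userAccountControl —
    # confirm on the target directory. Both are OR-ed so either source is
    # honoured; a server that does not return the computed attribute behaves
    # exactly as before.
    my $flags = $uac | $uacComputed;

    # Single-line debug trace (the original printed an unmatched ')' before
    # the computed attribute).
    print STDERR "LDAP DEBUG auth failed",
      "LLNG LDAP Debug : ",
      ( defined $sam ? $sam : '' ),
      " => userAccountControl ", $uac,
      " ( ", ( $uac & $UF_ACCOUNTDISABLE ), " , ", ( $uac & $UF_PASSWORD_EXPIRED ), " )",
      " lockoutTime ", ( defined $lockoutTime ? $lockoutTime : '' ),
      " msDS-User-Account-Control-Computed ", $uacComputed,
      "\n";

    # NOTE(review): a disabled account is reported as PE_PP_GRACE, as in the
    # original; confirm the portal treats PE_PP_GRACE as a hard failure on
    # this path, otherwise a disabled account could be granted a grace login.
    if ( $flags & $UF_ACCOUNTDISABLE ) {
        return PE_PP_GRACE;
    }
    if ( $flags & $UF_LOCKOUT ) {
        return PE_PP_ACCOUNT_LOCKED;
    }

    # pwdLastSet == 0 means "must change password at next logon"; an absent
    # attribute must not be mistaken for 0 (undef == 0 is true in Perl).
    if ( ( $flags & $UF_PASSWORD_EXPIRED )
        || ( defined $pwdLastSet && $pwdLastSet == 0 ) )
    {
        return PE_PP_PASSWORD_EXPIRED;
    }
    return PE_PASSWORD_MISMATCH;
}
else {
    return PE_OK;
}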