MLDAP ESM Module Bind Rejection Heuristics

When the MLDAP ESM Module is configured to authenticate users by trying to bind to the LDAP server with their credentials (configuration option mode=bind), the only information the module gets back from the server is success or failure. Applications are typically required to report more to the user in the event of a failure, for example that the credentials are invalid, that the account is disabled, or that the password has expired and must be changed.

The MLDAP ESM Module can apply various heuristics to try to determine the most likely cause of a bind failure, set the ESF return codes accordingly and, if tracing is enabled, log trace messages. These heuristics involve checking a number of optional LDAP user attributes that a server might use to record additional information about the state of a user account.

This feature can be enabled using the following configuration setting in the Security Manager Configuration Information field:

[Passwords]
bind failure analysis=yes

or the older equivalent:

[Passwords]
expiration-check=yes

When the feature and bind-based verification are both enabled, the module looks for some or all of the following attributes in the user's LDAP record and examines their values to determine the most probable reason the user's bind was rejected:

For pwdLastSet and pwdChangedTime to be useful, a password expiration interval must be configured, so the module can determine whether the password is old enough to have expired. For Active Directory (and AD LDS), however, typically msDS-User-Account-Control-Computed will indicate an expired password, so this is not a concern; and if your server uses passwordExpirationTime, that is also sufficient to detect an expired password.

Note: Due to limitations of the ESF API, and of the IBM mainframe SAF API on which it is based, the return codes do not distinguish some conditions. In particular, the password-expired condition and the password-must-be-changed condition are both reported as "password expired", and the account-disabled and account-locked (due to too many failed login attempts) conditions are both reported as "userid revoked".
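The following is an added illustration of the kind of heuristic described above, written for this page; it is not the MLDAP ESM Module's own code and does not reproduce its exact decision order. It reads the four attributes the text names (pwdLastSet, pwdChangedTime, msDS-User-Account-Control-Computed, passwordExpirationTime) plus the Active Directory userAccountControl attribute, which the page does not mention and is assumed here, guesses a fine-grained reason for the bind rejection, and then collapses that guess to the coarse "password expired" / "userid revoked" / "invalid credentials" outcomes that the note says the ESF return codes can express. The bit values and time encodings are the standard ones for these attributes; the sample records, the password expiration interval and the "current time" are constructed.

```python
"""Added example: bind-failure analysis heuristics over optional LDAP attributes.
Not the MLDAP ESM Module's code; attribute choices beyond the page's four are assumptions."""
from datetime import datetime, timedelta, timezone

# Flag bits of userAccountControl / msDS-User-Account-Control-Computed (Active Directory).
UF_ACCOUNTDISABLE = 0x0002        # userAccountControl: account disabled
UF_LOCKOUT = 0x0010               # msDS-User-Account-Control-Computed: locked out
UF_PASSWORD_EXPIRED = 0x800000    # msDS-User-Account-Control-Computed: password expired

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(value):
    """Decode a FILETIME string (as returned by AD) into an aware datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)

def datetime_to_filetime(dt):
    """Encode an aware datetime as a FILETIME string (used to build sample records)."""
    return str(((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10)

def generalized_time_to_datetime(value):
    """Parse an LDAP GeneralizedTime in UTC form, e.g. 20240115083000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def guess_bind_failure(attrs, now, max_password_age=None):
    """Return the most probable fine-grained reason a bind was rejected.

    attrs: dict of single-valued LDAP attributes as strings.
    max_password_age: the configured expiration interval (timedelta); without it the
    pwdLastSet / pwdChangedTime age checks cannot be applied, exactly as the text warns.
    """
    uac = int(attrs.get("userAccountControl", "0"))
    if uac & UF_ACCOUNTDISABLE:
        return "account-disabled"
    computed = int(attrs.get("msDS-User-Account-Control-Computed", "0"))
    if computed & UF_LOCKOUT:
        return "account-locked"
    if computed & UF_PASSWORD_EXPIRED:
        return "password-expired"
    if "pwdLastSet" in attrs:
        if int(attrs["pwdLastSet"]) == 0:          # AD: "user must change password at next logon"
            return "password-must-change"
        if max_password_age is not None and \
                now - filetime_to_datetime(attrs["pwdLastSet"]) > max_password_age:
            return "password-expired"
    if "passwordExpirationTime" in attrs and \
            generalized_time_to_datetime(attrs["passwordExpirationTime"]) <= now:
        return "password-expired"                   # server already stores the expiry instant
    if "pwdChangedTime" in attrs and max_password_age is not None and \
            now - generalized_time_to_datetime(attrs["pwdChangedTime"]) > max_password_age:
        return "password-expired"                   # password-policy overlay style servers
    return "invalid-credentials"                    # nothing in the record explains the failure

# The coarse outcomes the ESF return codes can express, per the note above.
COARSE_OUTCOME = {
    "account-disabled": "userid revoked",
    "account-locked": "userid revoked",
    "password-must-change": "password expired",
    "password-expired": "password expired",
    "invalid-credentials": "invalid credentials",
}

def analyse_records(records, now, max_password_age):
    """Map each sample record name to (fine-grained reason, coarse ESF-style outcome)."""
    return {name: (reason, COARSE_OUTCOME[reason])
            for name, reason in ((n, guess_bind_failure(a, now, max_password_age))
                                 for n, a in records.items())}

# Constructed sample data: a fixed "now", a 90-day expiration interval, and one record per case.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=90)
SAMPLE_RECORDS = {
    "disabled":       {"userAccountControl": str(0x200 | UF_ACCOUNTDISABLE)},
    "locked":         {"userAccountControl": "512",
                       "msDS-User-Account-Control-Computed": str(UF_LOCKOUT)},
    "must-change":    {"userAccountControl": "512", "pwdLastSet": "0"},
    "stale-ad":       {"userAccountControl": "512",
                       "pwdLastSet": datetime_to_filetime(datetime(2023, 10, 1, tzinfo=timezone.utc))},
    "expired-sun":    {"passwordExpirationTime": "20240201000000Z"},
    "stale-ppolicy":  {"pwdChangedTime": "20231001000000Z"},
    "fresh":          {"userAccountControl": "512",
                       "pwdLastSet": datetime_to_filetime(datetime(2024, 2, 20, tzinfo=timezone.utc))},
}

if __name__ == "__main__":
    for name, (reason, outcome) in analyse_records(SAMPLE_RECORDS, NOW, MAX_AGE).items():
        print(f"{name:14s} -> {reason:22s} reported as: {outcome}")
```

The "fresh" record shows the limitation the text describes: a bind that fails with a healthy, recently changed password leaves nothing in the record to explain it, so the only honest answer is the generic invalid-credentials outcome, and the bind trace is where the detail has to come from.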

You can get more specific information about why a user bind failed by enabling bind tracing with this configuration setting:

[Trace]
bind=yes

Enabling the bind failure analysis feature typically improves the user experience, so Micro Focus recommends it for customers who use LDAP security with bind-based verification of user credentials.