You must enable the required access privileges detailed in The verify password extended operation.

To verify a password using the verify-password extended operation, enable the extended operation and then send a client request with the required information.

The client request must be a JSON object containing the following required fields:

dn
The distinguished name (DN) of the user account whose password the server should verify.
password
The password to verify for that user.

The server response contains a result code that explains the outcome of the verify-password operation. The following table describes the result codes that the server can return:

| Server response code | Description |
| --- | --- |
| PROTOCOL_ERROR (2) | The extended request is malformed. |
| COMPARE_FALSE (5) | The provided password isn’t correct for the target user. |
| COMPARE_TRUE (6) | The provided password is correct for the target user. |
| CONFIDENTIALITY_REQUIRED (13) | The server is required to only permit the extended operation over a secure connection, or the server is configured to require secure authentication for the target user, but the client is using an insecure connection. |
| NO_SUCH_OBJECT (32) | The target user account does not exist. |
| INVALID_DN_SYNTAX (34) | The provided DN is malformed. |
| INAPPROPRIATE_AUTHENTICATION (48) | The target user account doesn’t have a password. |
| INSUFFICIENT_ACCESS_RIGHTS (50) | The client doesn’t have sufficient permission to use the extended operation. |
| OTHER (80) | The server encountered an internal error while attempting to verify the password. |

  1. Enable the verify-password extended operation.
    $ bin/dsconfig create-extended-operation-handler \
      --handler-name "Verify Password" \
      --type verify-password \
      --set enabled:true
  2. Send a properly formed client request.
  3. Use the result code in the response to determine how the client responds to the user.
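
The following sketch covers steps 2 and 3 from the client side. It is an added example, not code from the product documentation. It builds the JSON request value with the two required fields and turns a result code from the table above into a decision. The grouping of codes, the message texts, and the names `build_request_value`, `interpret_result`, and `Outcome` are assumptions of this example. Sending the request over LDAP is left to your LDAP SDK, because this page does not give the operation's OID.

```python
import json
from typing import NamedTuple

# Result codes from the table on this page.
PROTOCOL_ERROR, COMPARE_FALSE, COMPARE_TRUE = 2, 5, 6
CONFIDENTIALITY_REQUIRED, NO_SUCH_OBJECT, INVALID_DN_SYNTAX = 13, 32, 34
INAPPROPRIATE_AUTHENTICATION, INSUFFICIENT_ACCESS_RIGHTS, OTHER = 48, 50, 80

# Assumption: these outcomes all mean "this dn/password pair is not valid".
_REJECTED = {COMPARE_FALSE, NO_SUCH_OBJECT, INVALID_DN_SYNTAX,
             INAPPROPRIATE_AUTHENTICATION}
# Assumption: these point at client or server setup, not at the end user.
_OPERATOR = {PROTOCOL_ERROR, CONFIDENTIALITY_REQUIRED,
             INSUFFICIENT_ACCESS_RIGHTS, OTHER}

GENERIC_REJECT = "Invalid username or password."
UNAVAILABLE = "Verification is unavailable. Try again later."


class Outcome(NamedTuple):
    verified: bool
    user_message: str  # safe to show to the end user
    log_detail: str    # for server-side logs only


def build_request_value(dn: str, password: str) -> bytes:
    """Encode the JSON object with the required fields dn and password."""
    if not isinstance(dn, str) or not dn.strip():
        raise ValueError("dn must be a non-empty string")
    if not isinstance(password, str) or password == "":
        raise ValueError("password must be a non-empty string")
    return json.dumps({"dn": dn, "password": password}).encode("utf-8")


def interpret_result(code: int) -> Outcome:
    """Map a result code to what the user sees and what gets logged."""
    if code == COMPARE_TRUE:
        return Outcome(True, "Password verified.", "COMPARE_TRUE")
    if code in _REJECTED:
        # One message for every rejection, so the UI does not reveal
        # whether an account exists or has a password.
        return Outcome(False, GENERIC_REJECT, f"rejected, result code {code}")
    if code in _OPERATOR:
        return Outcome(False, UNAVAILABLE, f"operator action, result code {code}")
    # Fail closed on any code the table does not list.
    return Outcome(False, UNAVAILABLE, f"unexpected result code {code}")
```

Keep the request value and the password out of application logs. Only `log_detail`, which carries the result code, is meant to be recorded.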