The LDAP Username Password Credential Validator (PCV) verifies credentials using an organization's LDAP datastore.
When an authentication error occurs, PingFederate automatically parses the messages returned by PingDirectory, Microsoft Active Directory (AD), Oracle Unified Directory (OUD), or Oracle Directory Server (ODS) and categorizes them into the following error conditions:
- Account disabled
- Account expired
- Account locked
- Attribute value invalid
- Attribute conflict
- Invalid credentials
- Invalid telephone number
- Not permitted to logon at this time
- Not permitted to logon at this workstation
- Password expired
- Password policy violated
- Please try again later
- User already exists
- User must reset password
- User not found
When validating against a directory server other than PingDirectory, AD, OUD, or ODS, administrators can, as needed, define custom message categorization by mapping specific error messages (with wildcard support) to the desired error conditions on the Instance Configuration screen.
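The categorization described above, as an added illustration that is not PingFederate's own code: custom wildcard rules of the kind configured on the Instance Configuration screen are tried first, then the well-known "data NNN" subcode in an AD bind diagnostic is parsed, and anything unrecognised is collapsed to a generic condition. The rule list, the sample AD message and the fallback condition are constructed assumptions for this example.

```python
import re

# Well-known AD bind-failure subcodes ("data NNN" in the diagnostic text),
# mapped to the error conditions listed on this page.
AD_DATA_CODES = {
    "525": "User not found",
    "52e": "Invalid credentials",
    "530": "Not permitted to logon at this time",
    "531": "Not permitted to logon at this workstation",
    "532": "Password expired",
    "533": "Account disabled",
    "701": "Account expired",
    "773": "User must reset password",
    "775": "Account locked",
}
_AD_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")

# Hypothetical administrator-defined rules: (wildcard pattern, condition),
# evaluated in order, first match wins. Only '*' is a wildcard.
CUSTOM_RULES = [
    ("*Password policy*", "Password policy violated"),
    ("*too many*attempts*", "Please try again later"),
]

# Assumed fallback so a raw directory diagnostic is never surfaced as-is.
FALLBACK_CONDITION = "Invalid credentials"


def _wildcard_to_regex(pattern: str) -> re.Pattern:
    # Escape every literal fragment so '(' or '[' in a directory message
    # cannot be misread as regex syntax; only '*' becomes '.*'.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)


def categorize(message: str, custom_rules=CUSTOM_RULES) -> str:
    """Map an LDAP bind diagnostic message to one of the page's error conditions."""
    for pattern, condition in custom_rules:          # 1. custom rules first
        if _wildcard_to_regex(pattern).fullmatch(message):
            return condition
    m = _AD_DATA_RE.search(message)                   # 2. built-in AD parsing
    if m and m.group(1).lower() in AD_DATA_CODES:
        return AD_DATA_CODES[m.group(1).lower()]
    return FALLBACK_CONDITION                         # 3. unknown message


# Constructed sample in the shape AD returns for a failed simple bind.
SAMPLE_AD_MESSAGE = ("80090308: LdapErr: DSID-0C0903A9, comment: "
                     "AcceptSecurityContext error, data 775, v1db1")
```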
The error messages are returned to the HTML Form Adapter instances and the OAuth clients using the Resource Owner Password Credential grant type. The HTML Form Adapter is designed to show the error message it receives from the LDAP Username PCV. OAuth-client developers may create custom experiences based on the error responses, which contain the error messages. The HTML Form Adapter also uses the relevant error conditions to determine the LDAP password-change scenarios and to present the relevant messages to the end users.
These customizable messages are stored in the PingFederate message file, pingfederate-messages.properties, located in the <pf_install>/pingfederate/server/default/conf/language-packs directory.
As needed, you may localize these messages by using the PingFederate localization framework for an international audience (see Localizing messages for end users).
On the Instance Configuration screen, configure per-instance settings that suit your use cases.