
Show human-readable reason for LDAP bind failures#80

Open
omershaik0 wants to merge 1 commit into dirkjanm:master from omershaik0:improve-bind-error-messages

Conversation

@omershaik0

When an LDAP bind fails due to an AcceptSecurityContext error, Active Directory embeds a sub-status code in the error message (e.g., data 52e). Currently, only the raw ldap3 result dict
is printed, which isn't helpful mid-engagement when you need to quickly know whether you have the wrong password, a locked account, or an expired one.

This change parses the data XXXX hex sub-status code out of the bind error message and maps it to a human-readable reason before printing the existing raw result.

Before:

  [-] Could not bind with specified credentials
  [-] {'result': 49, 'description': 'invalidCredentials', 'message': '80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 775, v2580\x00', ...}

After:

  [-] Could not bind with specified credentials
  [-] Reason: Account locked (AD sub-status code: 775)
  [-] {'result': 49, 'description': 'invalidCredentials', 'message': '80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 775, v2580\x00', ...}

The raw result is still printed unchanged, so nothing is hidden. If the sub-status code isn't in the map or isn't present in the message, behavior is identical to before.
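The parsing and mapping described in this PR, as an added example that is not the PR's own patch or the project's code. It assumes the ldap3 result dict shape shown in the Before/After output above, and the sub-status table is the well-known set of AcceptSecurityContext `data` values Active Directory returns on a failed simple bind. The sample result dicts are constructed for the example; only the DSID value is taken from the PR text.

```python
import re

# Added example (not the project's code): parse the Active Directory
# sub-status code out of an LDAP bind failure and map it to a reason.
# The table below is the well-known set of AcceptSecurityContext "data"
# values Active Directory returns on a failed simple bind.
AD_BIND_SUBSTATUS = {
    "525": "User not found",
    "52e": "Invalid credentials (wrong password)",
    "530": "Not permitted to log on at this time",
    "531": "Not permitted to log on at this workstation",
    "532": "Password expired",
    "533": "Account disabled",
    "701": "Account expired",
    "773": "User must reset password",
    "775": "Account locked",
}

# Matches "AcceptSecurityContext error, data 52e, v2580"; the code is hex
# (case-insensitive) and the message may carry a trailing NUL byte.
_SUBSTATUS_RE = re.compile(
    r"AcceptSecurityContext error, data ([0-9a-f]+)", re.IGNORECASE
)


def parse_bind_substatus(message):
    """Return the lower-cased hex sub-status code from an AD bind error message, or None."""
    if not message:
        return None
    match = _SUBSTATUS_RE.search(message)
    return match.group(1).lower() if match else None


def explain_bind_failure(result):
    """Map an ldap3 bind result dict to (code, reason).

    Returns None when the failure is not LDAP result 49 (invalidCredentials),
    when the message carries no 'data XXX' sub-status, or when the code is not
    in the table, so callers fall back to printing only the raw result.
    """
    if result.get("result") != 49:
        return None
    code = parse_bind_substatus(result.get("message") or "")
    if code is None or code not in AD_BIND_SUBSTATUS:
        return None
    return code, AD_BIND_SUBSTATUS[code]


def format_bind_failure(result):
    """Produce the lines a tool would print for a failed bind; the raw dict is always kept."""
    lines = ["[-] Could not bind with specified credentials"]
    explanation = explain_bind_failure(result)
    if explanation is not None:
        code, reason = explanation
        lines.append("[-] Reason: %s (AD sub-status code: %s)" % (reason, code))
    lines.append("[-] %r" % (result,))
    return lines


# Constructed sample results in the shape ldap3 returns (DSID taken from the PR text).
SAMPLE_LOCKED = {
    "result": 49,
    "description": "invalidCredentials",
    "message": "80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 775, v2580\x00",
}
SAMPLE_WRONG_PASSWORD = {
    "result": 49,
    "description": "invalidCredentials",
    "message": "80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext error, data 52e, v2580\x00",
}
SAMPLE_NON_AD = {
    "result": 49,
    "description": "invalidCredentials",
    "message": "",  # e.g. a non-AD directory: no sub-status to parse, only the raw dict is printed
}

if __name__ == "__main__":
    for sample in (SAMPLE_LOCKED, SAMPLE_WRONG_PASSWORD, SAMPLE_NON_AD):
        print("\n".join(format_bind_failure(sample)))
```

One caveat worth keeping in mind when reading the decoded reason: a domain controller returns 775 for a locked-out account regardless of whether the supplied password was correct, so a lock-out tells you nothing about the password, and repeated 52e results against the same account are what drive it toward that lock-out.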
