How do you configure the OpenAM REST API (e.g., /openam/json/authenticate) to pass back a JSON payload where the ‘message’ is something more specific than “Authentication Failed”?
When we run the following command from OpenDJ, we get a specific message from LDAP describing the error (e.g., “password has expired” or “password will expire in N days”, etc.):
/opt/opendj/bin/ldapsearch --port 1389 --baseDN dc=example,dc=com -D "uid=pixuser,ou=people,dc=example,dc=com" -w password "(lastLoginTime:1.3.6.1.4.1.26027.1.4.6:=13w)" mail
# Your password has expired
SEARCH operation failed
Result Code: 19 (Constraint Violation)
Additional Information: uid=pixuser,ou=people,dc=example,dc=com must change their password before it will be allowed to request any other operations