RSA Access Manager 6.1
When authenticating against Active Directory using bind authentication (cleartrust.data.ldap.password.validate_with_connect set to true), Access Manager returns a bad password response even when the account is locked or the password has expired, as in the following log entry:
sequence_number=333,2010-05-19 09:53:10:734 PDT,messageID=1002,user=user100,client_ip_address=192.168.10.129,client_port=2720,browser_ip_address=127.0.0.1,result_code=2,result_action=Authentication Failure,result_reason=Bad Password
To define extended result codes, modify the cleartrust.data.ldap.errorMessages parameter in the ldap.conf file and create a definition for each result code you wish to map. The following is an example of parameters you may wish to use for Active Directory. See the definition of the parameter in the ldap.conf file for a full list of possible Access Manager result codes you may map to. Note that you may wish to map multiple Active Directory return codes to the same Access Manager result code.
cleartrust.data.ldap.errorMessages= data 775 = ADMIN_LOCKOUT ; data 533 = INACTIVE_ACCOUNT ; data 701 = EXPIRED_ACCOUNT ; data 532 = PASSWORD_EXPIRED ; data 773 = PASSWORD_EXPIRED_FORCED ; data 773 = EXPIRED_PASSWORD_NEW_USER
To act on these result codes, define custom error pages in your webagent.conf file so that users are directed to a dedicated page for each of these errors:
cleartrust.agent.login_error_password_expired=
cleartrust.agent.login_error_password_expired_forced=
cleartrust.agent.login_error_password_expired_new_user=
cleartrust.agent.login_auth_inactive_account=
cleartrust.agent.login_auth_expired_account=
cleartrust.agent.login_auth_user_locked_out=
Warning. Exposing extended result codes allows potential attackers to gather additional information about user accounts that may assist further attacks. You should only direct users to custom error pages where this is absolutely necessary as dictated by your business logic. It is more secure to obfuscate the results of authentication failures.
Note that Access Manager does a simple substring comparison against the text defined in the cleartrust.data.ldap.errorMessages parameter to determine which result code is matched. When Active Directory returns a result, it is typically in the format of a DSID return code with several parameters. To simplify matters, it is usually only necessary to match a unique portion of the returned error message. For example, Active Directory returns the following error message when a domain account is inactive:
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 533, vece
The number after the word "data" (in this case 533) is a string representation of a hexadecimal number corresponding to the error code. Instead of defining the entire error result, it is sufficient to define just a unique substring of the error message, as in the example above.
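As an added illustration, not code from the RSA article or from the product itself, the following Python snippet emulates the substring comparison described above against constructed Active Directory bind-failure messages. It parses the example cleartrust.data.ldap.errorMessages value, flags the duplicate "data 773" entry as ambiguous, extracts and converts the hexadecimal data code, and shows why a substring such as "data 53" would also match every "data 533" message. First-match-wins ordering is an assumption of this example; the article does not state how Access Manager breaks ties.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed copy of the ldap.conf parameter as shown in the article, including
# the duplicate "data 773" entry that the ambiguity check below reports.
ERROR_MESSAGES_PARAM = (
    "cleartrust.data.ldap.errorMessages= data 775 = ADMIN_LOCKOUT ; "
    "data 533 = INACTIVE_ACCOUNT ; data 701 = EXPIRED_ACCOUNT ; "
    "data 532 = PASSWORD_EXPIRED ; data 773 = PASSWORD_EXPIRED_FORCED ; "
    "data 773 = EXPIRED_PASSWORD_NEW_USER"
)

# Constructed bind-failure messages in the format Active Directory returns
# (the "data 533" variant is the one quoted in the article).
AD_TEMPLATE = ("80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext "
               "error, data {}, vece")
SAMPLE_MESSAGES = {code: AD_TEMPLATE.format(code) for code in ("533", "775", "773", "52e")}

AD_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def parse_error_messages(param_line: str) -> List[Tuple[str, str]]:
    """Split the errorMessages value into ordered (substring, result code) pairs."""
    _, _, value = param_line.partition("=")          # drop the parameter name
    mappings = []
    for entry in value.split(";"):
        if "=" not in entry:
            continue
        substring, _, result_code = entry.partition("=")
        mappings.append((substring.strip(), result_code.strip()))
    return mappings


def match_result_code(ad_message: str, mappings: List[Tuple[str, str]]) -> Optional[str]:
    """Emulate the simple substring comparison: the first mapping whose substring
    occurs anywhere in the AD message wins (first-match order is an assumption)."""
    for substring, result_code in mappings:
        if substring in ad_message:
            return result_code
    return None                                        # falls back to plain Bad Password


def extract_data_code(ad_message: str) -> Optional[str]:
    """Pull the hex code that follows the word 'data' (e.g. '533', '52e')."""
    m = AD_DATA_RE.search(ad_message)
    return m.group(1).lower() if m else None


def data_code_to_decimal(data_code: str) -> int:
    """The data value is hexadecimal: '52e' is decimal 1326."""
    return int(data_code, 16)


def find_ambiguous_substrings(mappings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Report substrings that are mapped to more than one result code."""
    by_substring: Dict[str, List[str]] = {}
    for substring, result_code in mappings:
        by_substring.setdefault(substring, []).append(result_code)
    return {s: codes for s, codes in by_substring.items() if len(codes) > 1}


def find_overlapping_substrings(mappings: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs (shorter, longer) where the shorter substring is contained in the
    longer one, so a message meant for the longer entry can match the shorter."""
    subs = sorted({s for s, _ in mappings}, key=len)
    overlaps = []
    for i, short in enumerate(subs):
        for longer in subs[i + 1:]:
            if short != longer and short in longer:
                overlaps.append((short, longer))
    return overlaps


def classify_samples(param_line: str = ERROR_MESSAGES_PARAM) -> Dict[str, Optional[str]]:
    """Map each constructed AD message to the Access Manager result code it would get."""
    mappings = parse_error_messages(param_line)
    return {code: match_result_code(msg, mappings) for code, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    mappings = parse_error_messages(ERROR_MESSAGES_PARAM)
    for code, msg in SAMPLE_MESSAGES.items():
        print(f"data {code} (decimal {data_code_to_decimal(code)}): "
              f"{match_result_code(msg, mappings)}")
    print("ambiguous:", find_ambiguous_substrings(mappings))
    print("overlapping:", find_overlapping_substrings(mappings))
```

Running the script shows that "data 52e" (invalid credentials) has no mapping and so keeps the default Bad Password handling, while "data 773" resolves to whichever of its two entries is listed first. Run find_overlapping_substrings against your own parameter value before deploying it; a truncated substring such as "data 53" silently captures the "data 533" messages as well.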
Microsoft does not provide an exhaustive list of possible error codes, but the following site lists the more common ones:
http://www-01.ibm.com/support/docview.wss?uid=swg21290631
525 user not found
52e invalid credentials
530 not permitted to logon at this time
531 not permitted to logon at this workstation
532 password expired
533 account disabled
701 account expired
773 user must reset password
775 user account locked
Also see "What is the priority of return codes generated by Active Directory Authentication failures".