如何使用JAVA WebApplication更改初始ActiveDirectory密码?
[英]How to change initial ActiveDirectory password with JAVA WebApplication?
问题描述
Currently I have developed a Java WebApplication to offer the ability to change AD-controlled passwords. 
目前,我已经开发了Java WebApplication,以提供更改AD控制密码的功能。 The WebApplication uses LDAP access to do this. WebApplication使用LDAP访问来执行此操作。 The users need to authenticate and then their password is changed bei a "LdapContext.modifyAttributes()"-method. 用户需要进行身份验证,然后通过“ LdapContext.modifyAttributes()”方法更改其密码。
Now I experienced that this does not work for users with an initial password. 现在,我发现这对于具有初始密码的用户不起作用。 Initial password means the flag "pwdLastSet" is set to require password change by next logon. 初始密码意味着将标志“ pwdLastSet”设置为需要在下次登录时更改密码。
This is, how it works now. 这就是现在的工作方式。
prop.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
prop.put(Context.PROVIDER_URL, "ldaps://my.active.directory.com:636");
prop.put(Context.SECURITY_AUTHENTICATION, "simple");
prop.put(Context.SECURITY_PROTOCOL,"ADSecurityProtocol");
prop.put(Context.SECURITY_PRINCIPAL,this.userid);
prop.put(Context.SECURITY_CREDENTIALS,password);
ldapContext = new InitialLdapContext(prop, null);
<...snip...>
ModificationItem[] mods = new ModificationItem[2];
String oldQuotedPassword = "\"" + oldPassword + "\"";
byte[] oldUnicodePassword = oldQuotedPassword.getBytes("UTF-16LE");
String newQuotedPassword = "\"" + newPassword1 + "\"";
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
new BasicAttribute("unicodePwd", oldUnicodePassword));
mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
new BasicAttribute("unicodePwd", newUnicodePassword));
ldapContext.modifyAttributes(userDN, mods);
I'm looking for an idea how to enable users to change their password especially when they are required to do so. 我正在寻找一种方法,使用户能够更改密码,特别是在需要更改密码时。 I found some hints that Kerberos might be required - but I almost don't know anything about Kerberos. 我发现可能需要Kerberos的提示-但我几乎对Kerberos一无所知。
Any help is appreciated. 任何帮助表示赞赏。
Ulrich 乌尔里希
2 个解决方案
解决方案1
0 2014-05-20 17:29:29
I didn't quite get the question. 我不太明白这个问题。 The code pasted doesn't work when pwdLastSet is set ? 设置pwdLastSet时粘贴的代码不起作用? or you looking for an idea to let the users know that they have to change their pwd ? 还是您正在寻找一个让用户知道必须更改其密码的想法?
If code isn't working, have you tried DirContext.REPLACE_ATTRIBUTE ? 如果代码不起作用,您是否尝试过DirContext.REPLACE_ATTRIBUTE?
If you needed a way to let users know, just catch the exception and show a error msg on the ui. 如果需要让用户知道的方法,只需捕获异常并在ui上显示错误msg。
解决方案2
0 2016-02-29 02:39:30
Try to use the Apache LDAP API, it seems easier than pure JNDI. 尝试使用Apache LDAP API,它似乎比纯JNDI容易。
I did a blog post about it, but using AWS Simple AD implementation. 我对此发表了一篇博客文章,但使用的是AWS Simple AD实现。 I may be useful: http://blog.techutils.space/2016/02/changing-samba4-aws-simple-ad-user.html 我可能会有用: http : //blog.techutils.space/2016/02/changing-samba4-aws-simple-ad-user.html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.