Java与LDAP:在没有管理权限的情况下更改用户密码吗?
[英]Java with LDAP: change users password without administrative rights?
问题描述
Inside a Java Web Project, I'm trying to let users change their own LDAP password (wether it is because it expired or because they simply want to). 
在Java Web Project内,我试图让用户更改自己的LDAP密码(这是因为密码已过期,还是因为他们只是想这么做)。 These users do NOT have administrative rights. 这些用户没有管理权限。
I've been able to do a search to find one of the users, but I'm not able to change it's password. 我已经能够进行搜索以找到其中一个用户,但是我无法更改其密码。 Is there any way to let users change their own LDAP password without giving them Administrative rights? 有什么方法可以让用户在不授予他们管理权限的情况下更改自己的LDAP密码?
Here is the code I have right now: 这是我现在拥有的代码:
DirContext context;
context = getInitialContext(username, password, ldapPath, ldapDomain);
// Set up search constraints
SearchControls cons = new SearchControls();
String[] attrIDs = { "cn" };
cons.setReturningAttributes(attrIDs);
cons.setSearchScope(SearchControls.ONELEVEL_SCOPE);
String USERS_OU = ldapPath.split("/")[ldapPath.split("/").length-1];
NamingEnumeration<?> results = context.search(USERS_OU, "sAMAccountName=[name]", cons); //I'm searching the sAMA for testing purposes
while (results.hasMore()) {
SearchResult result = (SearchResult) results.next();
Attributes attrs = result.getAttributes();
String userCN = attrs.get("cn").get(0).toString();
// Here I'm able to retrieve a user's CN
ModificationItem[] mods = new ModificationItem[2];
Attribute mod0 = new BasicAttribute("userPassword", password);
Attribute mod1 = new BasicAttribute("userPassword", newPass);
mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, mod0);
mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, mod1);
context.modifyAttributes([CN + ldapPath], mods );
}
Thanks in advance! 提前致谢!
UPDATE: I've checked the question rkosegi marked, but I think the solution doesn't apply here, since the OP was trying to change to 'unicodePwd', not 'userPassword', and 'unicodePwd' requires the connection to be ldaps. 更新:我已经检查了rkosegi标记的问题,但是我认为该解决方案不适用于此处,因为OP试图将其更改为“ unicodePwd”而不是“ userPassword”,并且“ unicodePwd”要求连接为ldaps。
There's one thing I found out on my research, and it's that on .NET there's a special operation, the DirectoryEntry.Invoke method, being one of it's possible operations 'ChangePassword', which doesn't require admin permissions. 我在研究中发现了一件事,那就是在.NET上有一个特殊的操作DirectoryEntry.Invoke方法,它是可能的操作“ ChangePassword”之一,不需要管理员权限。 Maybe there's something like that on Java? 也许Java上有类似的东西?
2 个解决方案
解决方案1
0 2017-11-08 10:24:28
After an exhausting research, I've come to the conclusion that, based on the default configuration of LDAP servers, codebrane's answer is the right one. 经过详尽的研究,我得出的结论是,基于LDAP服务器的默认配置,codebrane的答案就是正确的答案。
I found out that there's a directive that prevents users from changing their own password, even if it expired. 我发现有一个指令可以防止用户更改自己的密码,即使该密码已过期也是如此。 ( This document explains how to determine if it is enabled) ( 本文档说明了如何确定是否已启用)
So the solution would be, either changing the directive to allow users to change their own password, or use privileged credentials to do such change. 因此解决方案是,要么更改指令以允许用户更改自己的密码,要么使用特权凭证进行更改。
Thanks! 谢谢!
解决方案2
-1 2017-11-06 13:48:31
You normally bind as a privileged user and use that user to change the password for the other user. 通常,您以特权用户身份绑定,并使用该用户更改其他用户的密码。 You can find the users without special permissions, most probably because it allows anonymous binding and searching. 您可以找到没有特殊权限的用户,这很可能是因为它允许匿名绑定和搜索。 Changing a user's password needs to be done using a privileged account. 更改用户密码需要使用特权帐户来完成。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.