
Enforce Active Directory password history policy using ldaptive on password reset

I'm using the Java ldaptive library to communicate with Active Directory via the LDAP protocol. My problem is as follows: I need to have a password reset feature, honoring the password history and complexity requirements but ignoring the minimum password age rule. I perform the password reset using an admin account:

import org.ldaptive.AttributeModification;
import org.ldaptive.AttributeModificationType;
import org.ldaptive.ModifyOperation;
import org.ldaptive.ModifyRequest;
import org.ldaptive.ad.UnicodePwdAttribute;

// Replace unicodePwd as an administrator (a reset, not a user-initiated change).
// UnicodePwdAttribute takes care of the UTF-16LE, double-quoted encoding AD expects.
modifyRequest = new ModifyRequest(userLdapEntry.getDn(),
        new AttributeModification(
                AttributeModificationType.REPLACE,
                new UnicodePwdAttribute(password)));

// LdapPolicyHintsControl and getADPolicyHintsEnforceFlag() are not ldaptive classes;
// presumably the asker's own wrapper for LDAP_SERVER_POLICY_HINTS_OID (non-critical here).
modifyRequest.setControls(new LdapPolicyHintsControl(getADPolicyHintsEnforceFlag(), false));

new ModifyOperation(connection).execute(modifyRequest);

The control added is documented on Microsoft's website as the control that enforces password history requirements (link).

However, as suggested in this answer, it also enforces the minimum password age rule, which contradicts the documentation.

Any idea how to make it work as described in the documentation?

The documentation is wrong. You are not going to be able to make it work like that. The Minimum Password Age rule will be honored and you cannot override it through code.

Note that Active Directory, unlike a typical LDAP server, does not enforce password policy the way you would think it does. Password policy is managed by Group Policy and enforced in Windows, specifically by the Windows LSASS.exe process.

Since you configure password policy via Group Policy, those settings are written directly to the Security hive on the Domain Controller. This is where LSASS reads them from. The only time those settings are overwritten is when you change the password directly from ADUC.

Other than the AD tool, you would have to write a password filter .dll that runs within the LSASS process:

Custom Password Filters: https://blogs.technet.microsoft.com/tristank/2005/07/18/custom-password-filters/

Password Filters: https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx

This information was given to me by a Microsoft PSS Field Engineer when I brought this question up with him.
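For readers who want to see what the control in the question actually looks like on the wire, here is an added example (not the asker's code, not the answerer's, and not a class shipped with ldaptive): a custom request control for LDAP_SERVER_POLICY_HINTS_OID written against the ldaptive 1.x API (AbstractControl/RequestControl, ConstructedDEREncoder, IntegerType), plus a reset method that attaches it. The class and method names are assumptions chosen for this example; the two OIDs and the control value layout (a SEQUENCE holding a single INTEGER of flags, with 0x1 meaning "enforce password history") come from Microsoft's documentation of the control. As the answer above says, attaching the control does not stop the DC from also applying the minimum password age, so the example surfaces the server's rejection message rather than pretending to bypass it.

```java
// Added example, not from the original post or from ldaptive. Assumes the ldaptive 1.x
// API (org.ldaptive.control.AbstractControl / RequestControl, org.ldaptive.asn1.*).
import org.ldaptive.AttributeModification;
import org.ldaptive.AttributeModificationType;
import org.ldaptive.Connection;
import org.ldaptive.LdapException;
import org.ldaptive.ModifyOperation;
import org.ldaptive.ModifyRequest;
import org.ldaptive.ResultCode;
import org.ldaptive.ad.UnicodePwdAttribute;
import org.ldaptive.asn1.ConstructedDEREncoder;
import org.ldaptive.asn1.IntegerType;
import org.ldaptive.asn1.UniversalDERTag;
import org.ldaptive.control.AbstractControl;
import org.ldaptive.control.RequestControl;
import java.util.Objects;

public final class PolicyHintsControl extends AbstractControl implements RequestControl {

  /** LDAP_SERVER_POLICY_HINTS_OID, understood by Windows Server 2012 and later DCs. */
  public static final String OID = "1.2.840.113556.1.4.2239";
  /** LDAP_SERVER_POLICY_HINTS_DEPRECATED_OID, the value accepted by Windows Server 2008 R2. */
  public static final String DEPRECATED_OID = "1.2.840.113556.1.4.2066";
  /** The only documented flag: apply password-history checks to an administrative reset. */
  public static final int ENFORCE_PASSWORD_HISTORY = 0x1;

  private final int flags;

  public PolicyHintsControl(final boolean critical) {
    this(OID, ENFORCE_PASSWORD_HISTORY, critical);
  }

  public PolicyHintsControl(final String oid, final int flags, final boolean critical) {
    super(oid, critical);
    this.flags = flags;
  }

  public int getFlags() {
    return flags;
  }

  /** Control value as documented by Microsoft: SEQUENCE { Flags INTEGER }. */
  @Override
  public byte[] encode() {
    return new ConstructedDEREncoder(UniversalDERTag.SEQ, new IntegerType(flags)).encode();
  }

  @Override
  public int hashCode() {
    return Objects.hash(getOID(), getCriticality(), flags);
  }

  /**
   * Administrative reset of unicodePwd with the policy-hints control attached.
   * Returns null on success, otherwise the DC's diagnostic message. AD reports every
   * password-policy rejection (history, complexity and, per the answer above, minimum
   * age as well) as constraintViolation with "0000052D" in the message, so the result
   * code alone does not tell the caller which rule fired.
   */
  public static String resetPassword(final Connection conn, final String userDn,
                                     final String newPassword) throws LdapException {
    final ModifyRequest req = new ModifyRequest(userDn,
        new AttributeModification(AttributeModificationType.REPLACE,
            new UnicodePwdAttribute(newPassword)));
    // Critical: a DC that does not support the control must refuse the operation
    // (unavailableCriticalExtension) instead of silently resetting without history checks.
    req.setControls(new PolicyHintsControl(true));
    try {
      new ModifyOperation(conn).execute(req);
      return null;
    } catch (LdapException e) {
      if (e.getResultCode() == ResultCode.CONSTRAINT_VIOLATION) {
        return e.getMessage();
      }
      throw e;
    }
  }
}
```

If the target forest still contains 2008 R2 domain controllers, construct the control with DEPRECATED_OID instead; the value encoding is the same for both OIDs.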


 