
Java JNDI - limitation when changing user's password in Microsoft LDAP - authentication exception

This is my first post here. I have tried to search in internet for my question but found no answers. I hope your expertise will help me. I noticed something annoying when working with Microsoft LDAP in particular. In LDAP when the user must reset their password at next logon there is a flag "User must reset password at next logon", lets call it flag X. When X is set for a user and if we try to change this user's pass we cannot. I want to do this from the name of the user not as another administrative user - so it becomes that user must change pass but if you try to change it you cannot.. Here is what I am doing:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<>();

env.put(Context.SECURITY_AUTHENTICATION, <auth_mech>);
env.put(Context.SECURITY_PRINCIPAL, <principal>);
env.put(Context.SECURITY_CREDENTIALS, <pass>);

// The bind happens here; this is the call that throws for the user with flag X set.
DirContext ctx = new InitialDirContext(env);

When trying to create the new Initial Context: Authentication exception [LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data 773, vece]. Data 773 means the user must change their password at next logon. So when:

- the user must change their password at next logon
- the user's password is expired
- the user account is disabled
- the user account is expired

and so on, we cannot change the user's password... This seems to me to be a big limitation.

Also I want to ask if someone knows a specification that Microsoft is following regarding these error codes. I know that error code 49 is a general error code and is according to the specification, but are data 773 and data 532 general for all LDAP? I think they are specific to the vendor, which is again very annoying.

PS: I found a similar issue here: Change AD user expired password in Java, but it was resolved by using an AD super user that can change everyone's password. I don't want that; I need the user to be able to change their own password, as this is reflected in the LDAP password history.

Thanks
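The question asks what the "data 773" / "data 532" parts of the error mean. They are Active Directory's own sub-codes appended after "AcceptSecurityContext error", not part of the LDAP standard. The following is an added example (not code from the question or from any answer) that pulls the sub-code out of the exception message and maps it to a reason, so an application can tell an "account disabled" bind failure from a "must reset password" one instead of treating every result 49 as a bad password. The mapping table and the sample messages are constructed for this example; the DSID value is a placeholder.

```java
import java.util.Locale;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example: decodes the vendor-specific "data NNN" sub-code that
 * Active Directory appends to LDAP result code 49 (invalidCredentials).
 */
public final class AdBindErrorDecoder {

    // Sub-codes AD appends after "AcceptSecurityContext error, data ..." (hex strings, compared lowercase)
    private static final Map<String, String> AD_DATA_CODES = Map.of(
        "525", "user not found",
        "52e", "invalid credentials (wrong password)",
        "530", "not permitted to log on at this time",
        "531", "not permitted to log on at this workstation",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must reset password at next logon",
        "775", "account locked out");

    // Matches e.g. "... AcceptSecurityContext error, data 773, vece]"
    private static final Pattern DATA_CODE =
        Pattern.compile("AcceptSecurityContext error, data\\s+([0-9a-fA-F]+)");

    private AdBindErrorDecoder() {}

    /** Returns the AD sub-code (e.g. "773") or null if the message carries none. */
    public static String extractDataCode(String exceptionMessage) {
        if (exceptionMessage == null) {
            return null;
        }
        Matcher m = DATA_CODE.matcher(exceptionMessage);
        return m.find() ? m.group(1).toLowerCase(Locale.ROOT) : null;
    }

    /** Human-readable reason for a result-49 message; falls back to a generic text for unknown codes. */
    public static String describe(String exceptionMessage) {
        String code = extractDataCode(exceptionMessage);
        if (code == null) {
            return "LDAP result 49 without an AD sub-code (non-AD server or different failure)";
        }
        return AD_DATA_CODES.getOrDefault(code, "unknown AD sub-code " + code);
    }

    public static void main(String[] args) {
        // Constructed sample messages in the shape javax.naming.AuthenticationException produces against AD
        String[] samples = {
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data 773, vece]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data 532, vece]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data 52e, vece]",
            "[LDAP: error code 49 - Invalid Credentials]"   // e.g. OpenLDAP: no sub-code at all
        };
        for (String s : samples) {
            System.out.println(extractDataCode(s) + " -> " + describe(s));
        }
    }
}
```

In a login path you would call describe() inside the catch for javax.naming.AuthenticationException. Note that the sub-code is only returned when the directory is configured to expose it; hardened domain controllers may return a bare result 49, so the null branch is the normal case there, not an error.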

The user can't change his own password if he can't login. If his password is expired you have to reset it as an administrator and then log him in with that password and force him to change it immediately.

@Valentin Mezev: Use the Admin account with getLdapContext, and use this context to change the password of another account.

Example:

LdapContext context = getLdapContext(url, dn_admin, pass_admin);
context.modifyAttributes(dn_change, modificationItems);
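The two answers above describe two different operations against Active Directory: an administrative reset (done from an admin bind) and a self-service change (done from the user's own bind, which is what keeps password history enforced). The following is an added example, not the answerer's getLdapContext helper or any code from the page, showing how each is expressed with JNDI. It assumes an ldaps:// URL (AD refuses unicodePwd writes over an unencrypted connection), that the password must be sent as the UTF-16LE bytes of the quoted string, and that the self-service change is a REMOVE of the old value plus an ADD of the new value in one modifyAttributes call. The URL, DNs and passwords in main() are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Added example: administrative reset versus self-service change of unicodePwd in AD via JNDI. */
public final class AdPasswordOps {

    private AdPasswordOps() {}

    /** AD expects the password as UTF-16LE bytes of the value wrapped in double quotes. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Simple bind over LDAPS. For the user's own change this is the bind that fails with data 773. */
    static DirContext bind(String ldapsUrl, String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }

    /** Administrative reset: one REPLACE of unicodePwd; needs the "Reset Password" right on the target. */
    static void adminReset(DirContext adminCtx, String userDn, String newPassword) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        adminCtx.modifyAttributes(userDn, mods);
    }

    /** Self-service change: REMOVE old + ADD new in a single modify, so AD applies history and complexity policy. */
    static void userChange(DirContext userCtx, String userDn, String oldPassword, String newPassword)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        userCtx.modifyAttributes(userDn, mods);
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder values; replace with real DNs and credentials from configuration, never hard-code them.
        String url = "ldaps://dc.example.internal:636";
        String adminDn = "CN=svc-pwreset,OU=Service,DC=example,DC=internal";
        String adminPw = "<admin_pass>";
        String userDn = "CN=jdoe,OU=Users,DC=example,DC=internal";
        String tempPw = "<temporary_pass>";
        String newPw = "<new_user_pass>";

        // Step 1 (first answer): reset as administrator so the user can bind again.
        DirContext admin = bind(url, adminDn, adminPw);
        try {
            adminReset(admin, userDn, tempPw);
        } finally {
            admin.close();
        }

        // Step 2: the user binds with the temporary password and changes it themselves.
        DirContext user = bind(url, userDn, tempPw);
        try {
            userChange(user, userDn, tempPw, newPw);
        } finally {
            user.close();
        }
    }
}
```

The point of keeping the two methods separate is the one the question raises: only the REMOVE/ADD form counts as a user-initiated change for password history, while the REPLACE form is a privileged reset that bypasses history and therefore should run under a tightly scoped service account and be audited.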
