
Enforce Active Directory password history policy using ldaptive on password reset

I'm using Java ldaptive library to communicate with Active Directory via LDAP protocol. My problem is as follows: I need to have password reset feature, honoring password history and complexity requirements, but ignoring minimum password age rule. I perform password reset using admin account:

// Reset the password as an administrator: REPLACE the unicodePwd attribute
// and attach the policy-hints control so AD checks the password history.
ModifyRequest modifyRequest = new ModifyRequest(userLdapEntry.getDn(),
        new AttributeModification(
                AttributeModificationType.REPLACE,
                new UnicodePwdAttribute(password)));
modifyRequest.setControls(new LdapPolicyHintsControl(getADPolicyHintsEnforceFlag(), false));

new ModifyOperation(connection).execute(modifyRequest);

The control added is documented on the Microsoft website as a control enforcing password history requirements.

However, as suggested in this answer, it also enforces the minimum password age rule, which is against the documentation.

Any idea how to make it work as described in documentation?
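The question's `LdapPolicyHintsControl` wraps an LDAP request control whose wire format the post does not show. The following is an added example, not code from the question or from the ldaptive project: it builds, in plain Python with no LDAP library, the two byte strings such a reset sends to the domain controller: the `unicodePwd` attribute value (the new password in double quotes, UTF-16-LE encoded) and the BER-encoded value of the policy-hints control, a SEQUENCE holding a single INTEGER of flags where bit 0x1 asks for password-history enforcement. The OID `1.2.840.113556.1.4.2239` and the value syntax are taken from the MS-ADTS specification of LDAP_SERVER_POLICY_HINTS_OID, not from the page; the sample password is constructed. A decoder is included so the bytes a client emits can be checked from a packet capture.

```python
# Added example (not from the original question or the ldaptive project).
# Encodes what an AD password reset over LDAP carries on the wire:
#   1. the unicodePwd attribute value: '"<password>"' in UTF-16-LE
#   2. the LDAP_SERVER_POLICY_HINTS control value:
#        PolicyHintsRequestValue ::= SEQUENCE { Flags INTEGER }
#      with Flags bit 0x1 = enforce password history.
# OID and syntax per MS-ADTS 3.1.1.3.4.1.28 (known constants, not from the page).

POLICY_HINTS_OID = "1.2.840.113556.1.4.2239"
POLICY_HINTS_ENFORCE_HISTORY = 0x1


def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 0x80, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_integer(value: int) -> bytes:
    """DER INTEGER: minimal two's-complement encoding (extra byte when the sign bit would be set)."""
    if value == 0:
        body = b"\x00"
    else:
        length = (value.bit_length() + 8) // 8
        body = value.to_bytes(length, "big", signed=True)
    return b"\x02" + ber_length(len(body)) + body


def ber_sequence(*elements: bytes) -> bytes:
    body = b"".join(elements)
    return b"\x30" + ber_length(len(body)) + body


def policy_hints_control_value(flags: int = POLICY_HINTS_ENFORCE_HISTORY) -> bytes:
    """Control value sent alongside POLICY_HINTS_OID in the ModifyRequest."""
    return ber_sequence(ber_integer(flags))


def unicode_pwd_value(password: str) -> bytes:
    """AD only accepts unicodePwd when the password is double-quoted and UTF-16-LE encoded."""
    return f'"{password}"'.encode("utf-16-le")


def decode_policy_hints_flags(value: bytes) -> int:
    """Strictly parse a captured control value back to its Flags integer."""
    if len(value) < 2 or value[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    seq_len = value[1]
    if seq_len >= 0x80 or 2 + seq_len != len(value):
        raise ValueError("bad SEQUENCE length")
    inner = value[2:]
    if len(inner) < 2 or inner[0] != 0x02:
        raise ValueError("Flags is not an INTEGER")
    int_len = inner[1]
    if int_len == 0 or 2 + int_len != len(inner):
        raise ValueError("bad INTEGER length")
    return int.from_bytes(inner[2:], "big", signed=True)


if __name__ == "__main__":
    ctrl = policy_hints_control_value()
    print(POLICY_HINTS_OID, ctrl.hex())               # 3003020101
    print(unicode_pwd_value("Example#2024").hex())    # constructed sample password
    print(decode_policy_hints_flags(ctrl))            # 1
```

With ldaptive, the question's `LdapPolicyHintsControl` would carry exactly this OID and value as a request control on the `ModifyRequest`; the decoder is useful when confirming from a trace that a client really attached the control (a missing or zero-flag control means AD skips the history check), and it does not change what the answer below states about the minimum password age being enforced regardless.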

The documentation is wrong. You are not going to be able to make it work like that. The Minimum Password Age rule will be honored and you cannot override it through code.

Note that in Active Directory, unlike a typical LDAP server, it does not enforce password policy like you think it would. Password policy is managed by Group Policy and enforced in Windows, specifically by the Windows LSASS.exe process.

Since you configure password policy via Group Policy, those settings are written directly to the Security hive on the Domain Controller. This is where LSASS reads them from. The only time those settings are overwritten is when you change the password directly from ADUC.

Other than AD tool, you would have to write a password filter .dll that runs within the LSASS process:

Custom Password Filters https://blogs.technet.microsoft.com/tristank/2005/07/18/custom-password-filters/

Password Filters https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx

This information was given to me by a Microsoft PSS Field Engineer when I brought this question up to him.
