stackoom
  简体   繁体   中英

Can I change myself Active Directory password from LDAP (without administrative account)

 原文  2012-03-14 10:15:41       java/ active-directory/ ldap/ spring-ldap

Question

I don't (and will not) have administators account. I want to change myself (user) password in Active Directory from java. How can I do this?

Using code from web: 

private void changePass() throws Exception {
    String oldpass = this.encodePassword("oldpass!");
    String newpass = this.encodePassword("newpass!");
    Attribute oldattr = new BasicAttribute("unicodePwd", oldpass);
    Attribute newattr = new BasicAttribute("unicodePwd", newpass);
    ModificationItem olditem = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, oldattr);
    ModificationItem newitem = new ModificationItem(DirContext.ADD_ATTRIBUTE, newattr);
    ModificationItem repitem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, newattr);
    ModificationItem[] mods = new ModificationItem[2];
    mods[0] = olditem;
    mods[1] = newitem;
    // ldapTemplate.modifyAttributes("cn=administrator,cn=Users", mods);
    ldapTemplate.modifyAttributes("cn=smith,cn=Users", new ModificationItem[] { repitem });
}

here is the contextSource 

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://ldapserver:389"/>
    <property name="base" value="dc=company,dc=com"/>
    <property name="userDn" value="smith@company"/>
    <property name="password" value="oldpass"/>
</bean>

I got: 

LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Users,DC=company,DC=com'

if I change userDn to "cn=smith" I got:

LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error

Maybe my problem is that I do not understand how is LDAP working? Is it possible (change user password by using user-account) or not? And, if it is possible, can I check account locked / expires with same privileges?

UPDATE / RESOLVE

thank you very match for your help. That was very helpful too me.

for future searchers:

NO_OBJECT - means that ACtive Directory cannot find object (my cn=Users,cn=Smith) To find fully qualified canonical path to user catalogue you can use user attribute " distinguishedName " (in my, worstest case it is " cn=John\\, Smith",ou=Contractors,ou=User Accounts,ou=Accounts" )

then I got:

WILL_NOT_PERFORM - this can mean different type of things. In my case there was wrong object type, but, possible other cases, as described below - not SSL connection ( not ldaps:// ), and others.

then:

INSUFF_ACCESS_RIGHTS - user (not administrator doesn't have right to REPLACE-password attribute), to change password he must enter old password and new password, and then REMOVE old and ADD new. 

Attribute oldattr = new BasicAttribute("unicodePwd", oldQuotedPassword.getBytes("UTF-16LE"));
Attribute newattr = new BasicAttribute("unicodePwd", newQuotedPassword.getBytes("UTF-16LE"));
ModificationItem olditem = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, oldattr);
ModificationItem newitem = new ModificationItem(DirContext.ADD_ATTRIBUTE, newattr);
ldapTemplate.modifyAttributes("cn=John\\, Smith,ou=Contractors,ou=User Accounts,ou=Accounts", new ModificationItem[] { olditem, newitem });

problem 1005 (CONSTRAINT_ATT_TYPE) - if old password wrong

btw

javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name '/' - when searching person/user global (for example, in authenticate-method) ldapTemplate.setIgnorePartialResultException( true ); can fix it

2 answers

solution1
 4  2012-03-14 12:47:49

Yes you can, however it is somewhat tricky.

First to change the password you must connect via LDAPS not LDAP. That is with TLS or SSL (at least 128 bit) connection. Here is an example how this can be done with JNDI .

Second you must pass the password as UTF-16LE encoded byte array. But before you encode it you should enclose it in double quotes. So here is an example: 

String pass = "\"" + "newpass" + "\"";
byte[] password = pass.getBytes("UTF-16LE");
// You will need to handle UnsupportedEncodingException here

solution2
 1  2012-03-14 10:55:30

  1. If cn=smith,cn=Users isn't the real DN of the entry, it needs to be.

  2. You don't need all that remove/add/replace stuff: just use REPLACE_ATTRIBUTE; if you are using an administrative account to change the password.

    You do need it if you are updating the password as yourself, ie while bound to the same account you are updating. The reason being that you have to supply the old password for deletion and the new one for insertion, so that a match failure on the old password can be detected. Alternatively you can use the extended password-modify operation, wherein again you supply both the old and the new password.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Java with LDAP: change users password without administrative rights? Can I validate a user's password in LDAP/Active Directory without having to log in as this user? Change Active Directory Password Via Spring LDAP Connect to the LDAP Active Directory in Java without username and password Adding a user with a password in Active Directory LDAP JAVA - Active directory and ldap password properties Authenticating from Java (Linux) to Active Directory using LDAP WITHOUT servername Force password change on next login with Active Directory using Apache LDAP API How can I call Active Directory using Windows Authentication without prompting for username/password? Compare old password against an active directory using LDAP Spring
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM