Java: Can I change my own Active Directory password from LDAP (without an administrative account)

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/9699912/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Date: 2020-08-16 06:21:59  Source: igfitidea

Can I change myself Active Directory password from LDAP (without administrative account)

Tags: java, active-directory, ldap, spring-ldap

Asked by xtern

I don't (and will not) have administators account. I want to change myself (user) password in Active Directory from java. How can I do this?

Using code from web:

import javax.naming.directory.Attribute;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

private void changePass() throws Exception {
    // encodePassword() here returns a String, not a byte[]
    String oldpass = this.encodePassword("oldpass!");
    String newpass = this.encodePassword("newpass!");
    Attribute oldattr = new BasicAttribute("unicodePwd", oldpass);
    Attribute newattr = new BasicAttribute("unicodePwd", newpass);
    ModificationItem olditem = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, oldattr);
    ModificationItem newitem = new ModificationItem(DirContext.ADD_ATTRIBUTE, newattr);
    ModificationItem repitem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, newattr);
    // remove/add pair built but not used below; only the REPLACE is sent
    ModificationItem[] mods = new ModificationItem[2];
    mods[0] = olditem;
    mods[1] = newitem;
    // ldapTemplate.modifyAttributes("cn=administrator,cn=Users", mods);
    ldapTemplate.modifyAttributes("cn=smith,cn=Users", new ModificationItem[] { repitem });
}

here is the contextSource

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://ldapserver:389"/>
    <property name="base" value="dc=company,dc=com"/>
    <property name="userDn" value="smith@company"/>
    <property name="password" value="oldpass"/>
</bean>

I got:

LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Users,DC=company,DC=com'

if I change userDn to "cn=smith" I got:

LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error

Maybe my problem is that I do not understand how is LDAP working? Is it possible (change user password by using user-account) or not? And, if it is possible, can I check account locked / expires with same privileges?

UPDATE / RESOLVE

Thank you very much for your help. That was very helpful to me.

for future searchers:

NO_OBJECT - means that Active Directory cannot find the object (my cn=Users,cn=Smith). To find the fully qualified canonical path to the user catalogue you can use the user attribute "distinguishedName" (in my worst case it is "cn=John\, Smith,ou=Contractors,ou=User Accounts,ou=Accounts").

then I got:

然后我得到:

WILL_NOT_PERFORM - this can mean different types of things. In my case there was a wrong object type, but possibly other cases, as described below: not an SSL connection (not ldaps://), and others.

then:

INSUFF_ACCESS_RIGHTS - a user (not an administrator) doesn't have the right to REPLACE the password attribute; to change the password he must enter the old password and the new password, and then REMOVE the old and ADD the new.

// oldQuotedPassword / newQuotedPassword are the passwords wrapped in double quotes
Attribute oldattr = new BasicAttribute("unicodePwd", oldQuotedPassword.getBytes("UTF-16LE"));
Attribute newattr = new BasicAttribute("unicodePwd", newQuotedPassword.getBytes("UTF-16LE"));
ModificationItem olditem = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, oldattr);
ModificationItem newitem = new ModificationItem(DirContext.ADD_ATTRIBUTE, newattr);
// the comma inside the CN is escaped with a backslash in the DN; in Java source the backslash itself must be doubled
ldapTemplate.modifyAttributes("cn=John\\, Smith,ou=Contractors,ou=User Accounts,ou=Accounts", new ModificationItem[] { olditem, newitem });

problem 1005 (CONSTRAINT_ATT_TYPE) - if the old password is wrong

btw

javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name '/' - when searching for a person/user globally (for example, in the authenticate method), ldapTemplate.setIgnorePartialResultException(true); can fix it.

Answered by user207421

  1. If cn=smith,cn=Users isn't the real DN of the entry, it needs to be.

  2. You don't need all that remove/add/replace stuff: just use REPLACE_ATTRIBUTE, if you are using an administrative account to change the password.

    You do need it if you are updating the password as yourself, i.e. while bound to the same account you are updating. The reason being that you have to supply the old password for deletion and the new one for insertion, so that a match failure on the old password can be detected. Alternatively you can use the extended password-modify operation, wherein again you supply both the old and the new password.

Answered by ShaMan-H_Fel

Yes you can, however it is somewhat tricky.

First to change the password you must connect via LDAPS not LDAP. That is with TLS or SSL (at least 128 bit) connection. Here is an example how this can be done with JNDI.

Second you must pass the password as UTF-16LE encoded byte array. But before you encode it you should enclose it in double quotes. So here is an example:

String pass = "\"" + "newpass" + "\"";
byte[] password = pass.getBytes("UTF-16LE");
// You will need to handle UnsupportedEncodingException here
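Putting the two answers and the asker's resolution together, here is an added, self-contained JNDI example (not code from the original question or answers): it encodes the password the way AD expects (double quotes, UTF-16LE), builds the REMOVE/ADD pair a non-administrative user needs, and binds as that user over LDAPS against the user's full distinguishedName. The class name, the ldaps:// URL and the DN are placeholders I constructed; the escaped comma in the CN follows the asker's worst-case DN.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Self-service AD password change over LDAPS with plain JNDI (hypothetical class name). */
public class SelfServicePasswordChange {

    /** AD wants unicodePwd as the password wrapped in double quotes, encoded as UTF-16LE (no BOM). */
    static byte[] encodeUnicodePwd(String clearText) {
        return ("\"" + clearText + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /**
     * A user changing their own password may not REPLACE unicodePwd. AD requires one modify
     * request that REMOVEs the old value and ADDs the new one, so the server can verify the
     * old password; a mismatch comes back as CONSTRAINT_ATT_TYPE, as the asker observed.
     */
    static ModificationItem[] buildSelfChangeMods(String oldPassword, String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    /**
     * Simple bind as the user over LDAPS and apply the change to the user's own entry.
     * userDn must be the account's full distinguishedName, not "cn=smith,cn=Users".
     */
    static void changeOwnPassword(String ldapsUrl, String userDn,
                                  String oldPassword, String newPassword) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);                 // ldaps://, not ldap://
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);             // bind as the user, not an admin
        env.put(Context.SECURITY_CREDENTIALS, oldPassword);

        DirContext ctx = new InitialDirContext(env);
        try {
            ctx.modifyAttributes(userDn, buildSelfChangeMods(oldPassword, newPassword));
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Offline check of the encoding: "newpass" plus quotes is 9 UTF-16 code units = 18 bytes,
        // and the first byte pair is the opening quote, 0x22 0x00.
        byte[] encoded = encodeUnicodePwd("newpass");
        System.out.println(encoded.length + " bytes, starts with 0x"
                + Integer.toHexString(encoded[0]) + " 0x" + Integer.toHexString(encoded[1]));

        // Placeholder server and DN (constructed); the comma inside the CN is escaped with a
        // backslash in the DN, and in Java source that backslash itself must be doubled.
        String url = "ldaps://ldapserver.company.com:636";
        String dn = "CN=John\\, Smith,OU=Contractors,OU=User Accounts,OU=Accounts,DC=company,DC=com";

        Console console = System.console();
        if (console != null) {
            String oldPw = new String(console.readPassword("Current password: "));
            String newPw = new String(console.readPassword("New password: "));
            changeOwnPassword(url, dn, oldPw, newPw);
            System.out.println("password changed");
        }
    }
}
```

Run without a terminal it only prints the encoding check; from a console it prompts for both passwords and sends the change. Because the bind itself uses the old password, the asker's AcceptSecurityContext error shows up at InitialDirContext construction, while NO_OBJECT, WILL_NOT_PERFORM (plain ldap://) and CONSTRAINT_ATT_TYPE surface from modifyAttributes.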