是否可以通过 cfldap 更改密码? [英] Is it possible to change the password via cfldap?
问题描述
一段时间以来,我一直在尝试通过 cfldap 更改密码.通过 SSL 和端口 636 (cfssl_basic) 建立连接,并在登录中进行了测试.我尝试了以下版本的代码:
For some time I have been trying to change a password via cfldap. The connection is made over SSL and port 636 (cfssl_basic), tested within logins. I tried the following version of code:
<cfset password_new_retyp=charsetEncode(charsetDecode('"'&password_new_retyp&'"','UTF-16LE'),'UTF-8'))>
<!---encoded, decoded password --->
<cfldap action="modify"
dn="#session.dn_addres#" --- i query this on login
modifyType="replace"
attributes="unicodePwd=#password_new_retyp#"
server="xxxx.xxxx.xxx.xx" --- name of server thet i use on login
secure = "cfssl_basic"
port=636
username="#session.username#" ---username thet is used on login
password="#password_old#"> ---- pass before changing
错误是这样的:
尝试执行查询时发生错误:[LDAP:错误代码 49 - 80090308:LdapErr:DSID-0C0903C5,注释:AcceptSecurityContext 错误,数据 52e,v23f0].
An error has occured while trying to execute query :[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0 ].
我也试过这种不编码密码的方法:
I also tried this method without encoding password:
<cfldap action="modify"
dn="#session.dn_addres#"
modifyType="replace"
attributes="password=#password_new_retyp#"
server="xxxx.xxxx.xxx.xx"
secure = "cfssl_basic"
port=636
username="#session.username#"
password="#password_old#" >
和错误是一样的:
尝试执行查询时发生错误:[LDAP:错误代码 49 - 80090308:LdapErr:DSID-0C0903C5,注释:AcceptSecurityContext 错误,数据 52e,v23f0].一个或多个必需属性可能缺失或不正确,或者您无权在服务器上执行此操作.
An error has occured while trying to execute query :[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0 ]. One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server.
有什么想法吗?
推荐答案
这是一条漫长而艰难的道路,但我做到了.我希望这对尝试更改密码和执行 LDAP 密码策略的其他人有所帮助.
It was a long and hard road but I got there. I hope this helps anyone else trying to change passwords and enforce LDAP password policy.
来源:基于 Edward Smith 在 存档的 CFTalk 中的代码线程
<cftry>
<cfscript>
// You are going to use the user's credentials to login to LDAP
// Assuming your LDAP is set up to do so
// Set up varibles
newPassword = '"#newPassword#"';
oldPassword = '"#currentPassword#"';
// You would probably pass in a variable here, I typed it out so you would ss the format its expecting
distinguishedName = "CN=theUser,OU=someOU,DC=DDDD,DC=CCC,DC=AAA,DC=ZZZ";
newUnicodePassword = newPassword.getBytes("UnicodeLittleUnmarked");
oldUnicodePassword = oldPassword.getBytes("UnicodeLittleUnmarked");
ldapsURL = "ldap://#ldapServer#:#ldapPort#";
// Create a Java Hashtable
javaEnv = CreateObject("java", "java.util.Hashtable").Init();
// Put stuff in the Hashtable
javaEnv.put("java.naming.provider.url", ldapsURL);
// The user's Full DN and Password
javaEnv.put("java.naming.security.principal", "#distinguishedName#");
javaEnv.put("java.naming.security.credentials", "#currentPassword#");
javaEnv.put("java.naming.security.authentication", "simple");
javaEnv.put("java.naming.security.protocol", "ssl");
javaEnv.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
// Create a Java InitialDirContext
javaCtx = CreateObject("java", "javax.naming.directory.InitialDirContext").Init(javaEnv);
// Create two Java BasicAttributes
oldBA = CreateObject("java", "javax.naming.directory.BasicAttribute").Init("unicodePwd", oldUnicodePassword);
newBA = CreateObject("java", "javax.naming.directory.BasicAttribute").Init("unicodePwd", newUnicodePassword);
/***********************************************
* Stick the attributes into an Java Array and tell it what to do with them
* Guess what? A CF Array = a Java Array
* 1 = DirContext.ADD_ATTRIBUTE
* 2 = DirContext.REPLACE_ATTRIBUTE
* 3 = DirContext.REMOVE_ATTRIBUTE
* This is the big trick
* If you login above as an admin then you only need to do a 2 Replace but will not run LDAP passoword policy (lenght, complexity, history... etc.)
* It will let you change password to anything
* If you want to check the LDAP password policy then you need to create the array and first Remove (3) then Add (1)
* Error Code 19 means something in the LDAP password policy was violated
* I haven't figured out how to read what the error is (like "password length too short" or "you have used this password in the past")
* Error Code 49 means invalid username/password
************************************************/
mods = [
createObject( "java", "javax.naming.directory.ModificationItem").init(3, oldBA),
createObject( "java", "javax.naming.directory.ModificationItem").init(1, newBA)
];
// Run it
javaCtx.modifyAttributes(distinguishedName,mods);
javaCtx.close();
</cfscript>
// Yeah! I could have scripted the cfcatch but this was easier.
<cfcatch>
<cfif find('error code 19',cfcatch.message)>
<!--- I am using cfwheels so this just displays a nice error message on the next page --->
<cfset flashInsert(error="New password does not meet requirements defined in the password rules.")>
<cfelseif isDefined('cfcatch.RootCause.cause.Explanation') and find('error code 49', cfcatch.RootCause.cause.Explanation)>
<!--- I am using cfwheels so this just displays a nice error message on the next page --->
<cfset flashInsert(error="Current Password IS incorrect.")>
<cfelse>
<!--- This just pukes the error up hard and uncaught --->
<cfrethrow>
</cfif>
<cfset hasError = true>
</cfcatch>
</cftry>
这篇关于是否可以通过 cfldap 更改密码?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
