我可以从 LDAP 更改自己的 Active Directory 密码吗(没有管理帐户) [英] Can I change myself Active Directory password from LDAP (without administrative account)

问题描述

我没有(也不会)拥有管理员帐户.我想从 java 更改 Active Directory 中的自己(用户)密码.我该怎么做?

I don't (and will not) have administators account. I want to change myself (user) password in Active Directory from java. How can I do this?

使用来自网络的代码:

private void changePass() throws Exception {
    String oldpass = this.encodePassword("oldpass!");
    String newpass = this.encodePassword("newpass!");
    Attribute oldattr = new BasicAttribute("unicodePwd", oldpass);
    Attribute newattr = new BasicAttribute("unicodePwd", newpass);
    ModificationItem olditem = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, oldattr);
    ModificationItem newitem = new ModificationItem(DirContext.ADD_ATTRIBUTE, newattr);
    ModificationItem repitem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, newattr);
    ModificationItem[] mods = new ModificationItem[2];
    mods[0] = olditem;
    mods[1] = newitem;
    // ldapTemplate.modifyAttributes("cn=administrator,cn=Users", mods);
    ldapTemplate.modifyAttributes("cn=smith,cn=Users", new ModificationItem[] { repitem });
}

这里是上下文来源

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://ldapserver:389"/>
    <property name="base" value="dc=company,dc=com"/>
    <property name="userDn" value="smith@company"/>
    <property name="password" value="oldpass"/>
</bean>

我明白了:

LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Users,DC=company,DC=com'

如果我将 userDn 更改为cn=smith"，我得到:

if I change userDn to "cn=smith" I got:

LdapErr:DSID-0C0903A9，注释:AcceptSecurityContext 错误

LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error

也许我的问题是我不明白 LDAP 是如何工作的?是否可以(使用用户帐户更改用户密码)?而且，如果可能的话，我可以使用相同的权限检查帐户锁定/过期吗?

Maybe my problem is that I do not understand how is LDAP working? Is it possible (change user password by using user-account) or not? And, if it is possible, can I check account locked / expires with same privileges?

更新/解决

非常感谢您的帮助.这对我也很有帮助.

thank you very match for your help. That was very helpful too me.

对于未来的搜索者:

NO_OBJECT - 表示 Active Directory 找不到对象(my cn=Users,cn=Smith)要找到用户目录的完全限定规范路径，您可以使用用户属性distinguishedName"(在我的最坏情况下，它是cn=John, Smith",ou=Contractors,ou=用户帐户，ou=Accounts")

NO_OBJECT - means that ACtive Directory cannot find object (my cn=Users,cn=Smith) To find fully qualified canonical path to user catalogue you can use user attribute "distinguishedName" (in my, worstest case it is "cn=John, Smith",ou=Contractors,ou=User Accounts,ou=Accounts")

然后我得到了:

WILL_NOT_PERFORM - 这可能意味着不同类型的事情.在我的情况下，对象类型有误，但可能还有其他情况，如下所述 - 不是 SSL 连接 (not ldaps://) 等等.

WILL_NOT_PERFORM - this can mean different type of things. In my case there was wrong object type, but, possible other cases, as described below - not SSL connection (not ldaps://), and others.

然后:

INSUFF_ACCESS_RIGHTS - 用户(不是管理员没有权限替换密码属性)，要更改密码，他必须输入旧密码和新密码，然后删除旧密码并添加新密码.

INSUFF_ACCESS_RIGHTS - user (not administrator doesn't have right to REPLACE-password attribute), to change password he must enter old password and new password, and then REMOVE old and ADD new.

Attribute oldattr = new BasicAttribute("unicodePwd", oldQuotedPassword.getBytes("UTF-16LE"));
Attribute newattr = new BasicAttribute("unicodePwd", newQuotedPassword.getBytes("UTF-16LE"));
ModificationItem olditem = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, oldattr);
ModificationItem newitem = new ModificationItem(DirContext.ADD_ATTRIBUTE, newattr);
ldapTemplate.modifyAttributes("cn=John\, Smith,ou=Contractors,ou=User Accounts,ou=Accounts", new ModificationItem[] { olditem, newitem });

问题 1005 (CONSTRAINT_ATT_TYPE) - 如果旧密码错误

顺便说一句

javax.naming.PartialResultException:未处理的继续引用；remaining name '/' - 在全局搜索人员/用户时(例如，在身份验证方法中)ldapTemplate.setIgnorePartialResultException(true);可以解决的

javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name '/' - when searching person/user global (for example, in authenticate-method) ldapTemplate.setIgnorePartialResultException(true); can fix it

推荐答案

可以，但是有点棘手.

首先要更改密码，您必须通过 LDAPS 而不是 LDAP 进行连接.那就是使用 TLS 或 SSL(至少 128 位)连接.这是一个如何使用 JNDI 完成此操作的示例.

First to change the password you must connect via LDAPS not LDAP. That is with TLS or SSL (at least 128 bit) connection. Here is an example how this can be done with JNDI.

其次，您必须将密码作为 UTF-16LE 编码的字节数组传递.但在编码之前，你应该用双引号将它括起来.所以这里是一个例子:

Second you must pass the password as UTF-16LE encoded byte array. But before you encode it you should enclose it in double quotes. So here is an example:

String pass = """ + "newpass" + """;
byte[] password = pass.getBytes("UTF-16LE");
// You will need to handle UnsupportedEncodingException here

这篇关于我可以从 LDAP 更改自己的 Active Directory 密码吗(没有管理帐户)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！