Can I change my own Active Directory password via LDAP (without an administrative account)


Problem description


I don't (and will not) have an administrator account. I want to change my own (user) password in Active Directory from Java. How can I do this?

Using code from the web:

// Requires javax.naming.directory.{Attribute, BasicAttribute, DirContext, ModificationItem}
// and a Spring LdapTemplate field named ldapTemplate (configured by the contextSource below).
private void changePass() throws Exception {
    // encodePassword() is my helper that turns the plain password into the unicodePwd value
    String oldpass = this.encodePassword("oldpass!");
    String newpass = this.encodePassword("newpass!");
    Attribute oldattr = new BasicAttribute("unicodePwd", oldpass);
    Attribute newattr = new BasicAttribute("unicodePwd", newpass);
    ModificationItem olditem = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, oldattr);
    ModificationItem newitem = new ModificationItem(DirContext.ADD_ATTRIBUTE, newattr);
    ModificationItem repitem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, newattr);
    // REMOVE old + ADD new, prepared but not used in the call below
    ModificationItem[] mods = new ModificationItem[2];
    mods[0] = olditem;
    mods[1] = newitem;
    // ldapTemplate.modifyAttributes("cn=administrator,cn=Users", mods);
    // Tries a single REPLACE of unicodePwd on a DN relative to the contextSource base
    ldapTemplate.modifyAttributes("cn=smith,cn=Users", new ModificationItem[] { repitem });
}


Here is the contextSource:

<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://ldapserver:389"/>
    <property name="base" value="dc=company,dc=com"/>
    <property name="userDn" value="smith@company"/>
    <property name="password" value="oldpass"/>
</bean>

I got:

LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Users,DC=company,DC=com'


If I change userDn to "cn=smith" I get:


LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error


Maybe my problem is that I do not understand how LDAP works? Is it possible (to change a user's password using the user's own account) or not? And, if it is possible, can I check whether the account is locked / expired with the same privileges?

Update


Thank you very much for your help. That was very helpful to me.

For future searchers:


NO_OBJECT - means that Active Directory cannot find the object (my cn=Users,cn=Smith). To find the fully qualified canonical path to the user's catalogue you can use the user attribute "distinguishedName" (in my, worst, case it is "cn=John\, Smith,ou=Contractors,ou=User Accounts,ou=Accounts").

Then I got:


WILL_NOT_PERFORM - this can mean different types of things. In my case it was the wrong object type, but other cases are possible, as described below: no SSL connection (not ldaps://), and others.

Then:


INSUFF_ACCESS_RIGHTS - a user (not an administrator) doesn't have the right to REPLACE the password attribute; to change the password he must enter the old password and the new password, and then REMOVE the old one and ADD the new one.

// oldQuotedPassword / newQuotedPassword are the passwords wrapped in double quotes,
// encoded as UTF-16LE bytes, which is the form AD expects for unicodePwd
Attribute oldattr = new BasicAttribute("unicodePwd", oldQuotedPassword.getBytes("UTF-16LE"));
Attribute newattr = new BasicAttribute("unicodePwd", newQuotedPassword.getBytes("UTF-16LE"));
// A non-admin user cannot REPLACE unicodePwd: REMOVE the old value and ADD the new one in one modify
ModificationItem olditem = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, oldattr);
ModificationItem newitem = new ModificationItem(DirContext.ADD_ATTRIBUTE, newattr);
// Target the user's real distinguishedName (relative to the contextSource base), not cn=smith,cn=Users
ldapTemplate.modifyAttributes("cn=John\\, Smith,ou=Contractors,ou=User Accounts,ou=Accounts", new ModificationItem[] { olditem, newitem });


problem 1005 (CONSTRAINT_ATT_TYPE) - if the old password is wrong

btw


javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name '/' - when searching for a person/user globally (for example, in an authenticate method), ldapTemplate.setIgnorePartialResultException(true); can fix it.

Recommended answer


Yes you can, however it is somewhat tricky.


First, to change the password you must connect via LDAPS, not LDAP. That is, with a TLS or SSL (at least 128 bit) connection. Here is an example of how this can be done with JNDI.


Second, you must pass the password as a UTF-16LE encoded byte array. But before you encode it you should enclose it in double quotes. So here is an example:

String pass = "\"" + "newpass" + "\"";
byte[] password = pass.getBytes("UTF-16LE");
// You will need to handle UnsupportedEncodingException here
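Putting the answer's two requirements together with the REMOVE/ADD modify from the asker's update, here is a complete JNDI self-service change as an added example (not code from the question or the answer). The LDAPS URL, the user's full DN and the passwords are placeholders; the DN is the asker's distinguishedName extended with the dc=company,dc=com base from the contextSource.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/** Self-service AD password change over LDAPS, binding as the user (no admin account). */
public class SelfServicePasswordChange {

    /** AD expects unicodePwd as the UTF-16LE bytes of the password wrapped in double quotes. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    static void changeOwnPassword(String ldapsUrl, String userDn, String oldPass, String newPass)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);          // ldaps://..., AD rejects unicodePwd writes over plain LDAP
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);      // bind as the user whose password is changed
        env.put(Context.SECURITY_CREDENTIALS, oldPass);

        DirContext ctx = new InitialDirContext(env);
        try {
            // A non-admin cannot REPLACE unicodePwd; REMOVE the old value and ADD the new one in a single
            // modify, so the directory verifies the old password before accepting the new one.
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPass))),
                new ModificationItem(DirContext.ADD_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", encodeUnicodePwd(newPass)))
            };
            ctx.modifyAttributes(userDn, mods);           // wrong old password -> CONSTRAINT_ATT_TYPE
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder values: use the user's full distinguishedName, not cn=smith,cn=Users
        changeOwnPassword("ldaps://ldapserver.example:636",
                "CN=John\\, Smith,OU=Contractors,OU=User Accounts,OU=Accounts,DC=company,DC=com",
                "oldpass!", "newpass!");
    }
}
```

Because the DN is the bind principal as well as the modify target, the user can only ever change their own password with this code.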
