Can I change the Active Directory password from LDAP (without an administrator account)

I do not (and will not) have an administrator account. I want to change my own (user) password in Active Directory from Java. How can I do this?

Using code from the Internet:

```java
// Needs javax.naming.directory.{Attribute, BasicAttribute, DirContext, ModificationItem}
// and a Spring LDAP LdapTemplate field named ldapTemplate.
private void changePass() throws Exception {
    // encodePassword() is defined elsewhere in the class; note that it returns a String,
    // while AD expects the unicodePwd value as a byte[] (see the resolution below)
    String oldpass = this.encodePassword("oldpass!");
    String newpass = this.encodePassword("newpass!");
    Attribute oldattr = new BasicAttribute("unicodePwd", oldpass);
    Attribute newattr = new BasicAttribute("unicodePwd", newpass);
    ModificationItem olditem = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, oldattr);
    ModificationItem newitem = new ModificationItem(DirContext.ADD_ATTRIBUTE, newattr);
    ModificationItem repitem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, newattr);
    ModificationItem[] mods = new ModificationItem[2];
    mods[0] = olditem;
    mods[1] = newitem;
    // ldapTemplate.modifyAttributes("cn=administrator,cn=Users", mods);
    // only the REPLACE is actually sent; the REMOVE/ADD pair above is unused here
    ldapTemplate.modifyAttributes("cn=smith,cn=Users", new ModificationItem[] { repitem });
}
```

Here is the contextSource:

```xml
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
    <property name="url" value="ldap://ldapserver:389"/>
    <property name="base" value="dc=company,dc=com"/>
    <property name="userDn" value="smith@company"/>
    <property name="password" value="oldpass"/>
</bean>
```

I got:

```
LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of: 'CN=Users,DC=company,DC=com'
```

If I change userDn to "cn=smith", I get:

```
LdapErr: DSID-0C0903A9, Comment: Error AcceptSecurityContext
```

Perhaps my problem is that I do not understand how LDAP works? Is it possible to change the user's password using the user's own account, or not? And, if it is possible, can I check whether the account is locked or expired with the same privileges?

UPDATE / RESOLVED

Thank you so much for your help. It also helped me a lot.

For anyone searching for this later:

NO_OBJECT means that Active Directory cannot find the object (mine was cn=smith,cn=Users). To find the fully qualified DN of the user entry, you can use the user's distinguishedName attribute (in my worst case, "cn=John\, Smith,ou=Contractors,ou=User Accounts,ou=Accounts").

Then I got:

WILL_NOT_PERFORM can mean different things. In my case the object type was wrong, but other causes, as described below, include a connection that is not over SSL (not ldaps://), and others.

Then:

INSUFF_ACCESS_RIGHTS: a user (as opposed to an administrator) does not have the right to REPLACE the password attribute. To change the password, the user must supply both the old and the new password: REMOVE the old one and ADD the new one.

```java
// oldQuotedPassword / newQuotedPassword are the passwords wrapped in double quotes, e.g. "\"oldpass!\"";
// unicodePwd must be sent as the UTF-16LE bytes of the quoted string, not as a Java String
Attribute oldattr = new BasicAttribute("unicodePwd", oldQuotedPassword.getBytes("UTF-16LE"));
Attribute newattr = new BasicAttribute("unicodePwd", newQuotedPassword.getBytes("UTF-16LE"));
ModificationItem olditem = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, oldattr);
ModificationItem newitem = new ModificationItem(DirContext.ADD_ATTRIBUTE, newattr);
// the entry's real DN (relative to the contextSource base); the comma inside the CN is
// escaped with a backslash, which is doubled in the Java string literal
ldapTemplate.modifyAttributes("cn=John\\, Smith,ou=Contractors,ou=User Accounts,ou=Accounts",
        new ModificationItem[] { olditem, newitem });
```

Problem 1005 (CONSTRAINT_ATT_TYPE) appears if the old password is incorrect.

By the way:

javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name '/' appears when searching for a user globally (for example, in the authentication method); ldapTemplate.setIgnorePartialResultException(true) can fix it.

+4
2 answers

Yes you can, but it’s a bit complicated.

First, to change the password you must connect over LDAPS, not LDAP; that is, with TLS or SSL (at least 128-bit). Here is an example of how this can be done using JNDI.

Secondly, you must pass the password as a UTF-16LE encoded byte array. But before you encode it, you must enclose it in double quotes. So here is an example:

```java
String pass = "\"" + "newpass" + "\"";
byte[] password = pass.getBytes("UTF-16LE"); // You will need to handle UnsupportedEncodingException here
```
+4
  • If cn=smith,cn=Users is not a real entry DN, it should be.

  • You don't need all that remove/add/replace stuff: just use REPLACE_ATTRIBUTE, if you are using an administrator account to change the password.

    You need it if you are updating the password as yourself, i.e. bound as the same account that you are updating. The reason is that you must provide the old password for the delete and the new one for the add, so that a failure on the old password can be detected. Alternatively, you can use the password-modify extended operation, in which again you specify both the old and the new password.

+1
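As an added end-to-end example (not code from the question, the answers, or any Spring LDAP or JNDI documentation), the following plain-JNDI program puts together the points made in the question's resolution and in both answers: bind as the user over ldaps://, look up the entry's real DN instead of guessing cn=smith,cn=Users, send the old and new values as quoted UTF-16LE byte arrays with REMOVE followed by ADD (not REPLACE, since the caller is not an administrator), and map the LDAP result codes the question lists back to the explanations above. The host, base DN, account names and passwords are placeholders; the lookup assumes the default AD right of authenticated users to read the directory; the bind-failure "data" codes in BIND_REASONS are the documented AD values and do not come from this page.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public final class SelfServicePasswordChange {
    // Placeholders: point these at your own domain controller and naming context.
    static final String LDAPS_URL = "ldaps://ldapserver:636";
    static final String BASE_DN = "dc=company,dc=com";

    // "data" codes AD appends to an "AcceptSecurityContext" bind failure (documented AD values).
    static final Map<String, String> BIND_REASONS = Map.of(
            "52e", "invalid credentials (wrong current password)",
            "532", "password expired",
            "533", "account disabled",
            "701", "account expired",
            "773", "user must change password at next logon",
            "775", "account locked out");
    static final Pattern DATA_CODE = Pattern.compile("data ([0-9a-fA-F]+)");

    /** AD only accepts a unicodePwd value as the password wrapped in double quotes, encoded UTF-16LE. */
    static byte[] encodeUnicodePwd(String clearText) {
        return ("\"" + clearText + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Turn the diagnostic text of a failed simple bind into a reason the caller can act on. */
    static String explainBindFailure(String message) {
        Matcher m = DATA_CODE.matcher(message == null ? "" : message);
        if (!m.find()) return "bind failed: " + message;
        return BIND_REASONS.getOrDefault(m.group(1).toLowerCase(), "bind failed, data " + m.group(1));
    }

    /** Simple bind as the user over LDAPS. AD accepts the UPN here; the modify below still needs a DN. */
    static LdapContext bindAsUser(String upn, String currentPassword) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL); // over plain ldap:// AD refuses the password change
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, upn);
        env.put(Context.SECURITY_CREDENTIALS, currentPassword);
        return new InitialLdapContext(env, null);
    }

    /** Resolve the entry's real DN from sAMAccountName instead of guessing cn=...,cn=Users. */
    static String findUserDn(DirContext ctx, String samAccountName) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]); // only the entry name is needed, no attributes
        NamingEnumeration<SearchResult> results = ctx.search(BASE_DN,
                "(&(objectClass=user)(sAMAccountName={0}))", new Object[] {samAccountName}, sc);
        String dn = null;
        try {
            if (results.hasMore()) dn = results.next().getNameInNamespace();
        } catch (PartialResultException ignored) {
            // AD appends referrals to other naming contexts; this is the plain-JNDI equivalent
            // of ldapTemplate.setIgnorePartialResultException(true) from the question.
        }
        if (dn == null) throw new NameNotFoundException("no user with sAMAccountName " + samAccountName);
        return dn;
    }

    /** Change your own password: REMOVE the old value and ADD the new one in one modify request. */
    static String changeOwnPassword(String upn, String samAccountName, String oldPassword, String newPassword) {
        LdapContext ctx = null;
        try {
            ctx = bindAsUser(upn, oldPassword);
            String dn = findUserDn(ctx, samAccountName);
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
                new ModificationItem(DirContext.ADD_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
            };
            ctx.modifyAttributes(dn, mods);
            return "password changed for " + dn;
        } catch (AuthenticationException e) {        // LDAP 49: the bind itself was rejected
            return explainBindFailure(e.getMessage());
        } catch (NameNotFoundException e) {          // LDAP 32, NO_OBJECT
            return "NO_OBJECT: that DN does not exist; compare it with the entry's distinguishedName";
        } catch (OperationNotSupportedException e) { // LDAP 53, WILL_NOT_PERFORM
            return "WILL_NOT_PERFORM: not LDAPS, value not quoted UTF-16LE, or rejected by password policy";
        } catch (NoPermissionException e) {          // LDAP 50, INSUFF_ACCESS_RIGHTS
            return "INSUFF_ACCESS_RIGHTS: a non-admin may only REMOVE the old value and ADD the new one";
        } catch (InvalidAttributeValueException e) { // LDAP 19, CONSTRAINT_ATT_TYPE
            return "CONSTRAINT_ATT_TYPE: the old password supplied does not match";
        } catch (NamingException e) {
            return "LDAP error: " + e.getMessage();
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
    }

    public static void main(String[] args) {
        // Usage: java SelfServicePasswordChange <upn> <sAMAccountName> <old password> <new password>
        System.out.println(changeOwnPassword(args[0], args[1], args[2], args[3]));
    }
}
```

The JVM must already trust the domain controller's certificate (a truststore containing the issuing CA), otherwise the ldaps:// connection fails before any bind is attempted; that setup is outside the example. The exception-to-result-code mapping relies on the JNDI LDAP provider's documented translation of LDAP result codes into javax.naming exception classes, and the AuthenticationException branch is what answers the question's last point: with only the user's own credentials, a disabled, expired or locked-out account shows up as a bind failure whose "data" field identifies the reason.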

Source: https://habr.com/ru/post/1401333/
