AD中修改密码一定要通过SSL或TLS才可以进行修改,这是MS硬性规定的,这就造成了还要做很多其它方面的配置工作,很麻烦,不过想想也合理,传输密码不加密被截获了也就完了。
前期要做的工作基本就是安装CA,获取证书,绑定keystore等等,过几天会详细写一下这几步的操作,现在先贴出代码。
import java.io.UnsupportedEncodingException;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
public class OpAD{
private LdapContext ctx = null;
private String adminName = "administrator@testad.com";
private String adminpassword = "password";
private String keystore = "C:/testca.keystore";
private String keyPassword = "changeit";
private String ldapURL = "ldaps://ldap.testad.com:636";
private String searchBase = "DC=testad,DC=com";
private String returnedAtts = { "distinguishedName" };
private boolean initial_Ldap() {
Hashtable env = new Hashtable();
System.setProperty("javax.net.ssl.trustStore", keystore);
System.setProperty("javax.net.ssl.trustStorePassword", keyPassword);
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.SECURITY_AUTHENTICATION, "simple");
env.put(Context.SECURITY_PRINCIPAL, adminName);
env.put(Context.SECURITY_CREDENTIALS, adminpassword);
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put(Context.PROVIDER_URL, ldapURL);
try {
System.out.println("Start InitialLdapContext");
ctx = new InitialLdapContext(env, null);
System.out.println("InitialLdapContext succeed");
} catch (NamingException e) {
System.out.println("Problem initial_Ldap NamingException: " + e);
return false;
}
return true;
}
private boolean close_Ldap() {
System.out.println("Close Ldap");
try {
ctx.close();|||
} catch (NamingException e) {
System.out.println("Problem close_Ldap NamingException: " + e);
return false;
}
return true;
}
private String search_distinguishedName(String username) {
String searchFilter = "(&(objectClass=user)(cn=" + username + "))";
try {
System.out.println("Start search " + username + "‘s distinguishedName");
SearchControls searchCtls = new SearchControls();
searchCtls.setSearchScope(SearchControls.SUBTREE_SCOPE);
searchCtls.setReturningAttributes(returnedAtts);
NamingEnumeration answer = ctx.search(searchBase, searchFilter,
searchCtls);
if (answer.hasMoreElements()) {
SearchResult sr = (SearchResult) answer.next();
Attributes attrs = sr.getAttributes();
if (attrs != null) {
NamingEnumeration ae = attrs.getAll();
Attribute attr = (Attribute) ae.next();
NamingEnumeration e = attr.getAll();
return (String) e.next();
}
}
} catch (NamingException e) {
System.out
.println("Problem search_distinguishedName NamingException: " + e);
return "error";
}
return "none";
}
private boolean mod_Pwd(String username, String password) {
ModificationItem mods = new ModificationItem[1];
String newQuotedPassword = "“"" + password + "“"";
try {
System.out.println("Start reset password");
byte newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
new BasicAttribute("unicodePwd", newUnicodePassword));
ctx.modifyAttributes(username, mods);
System.out.println("Finish reset password" + username);
} catch (UnsupportedEncodingException e) {
System.out.println("Problem mod_Pwd UnsupportedEncodingException: " + e);
return false;
} catch (NamingException e) {
System.out.println("Problem mod_Pwd NamingException: " + e);
return false;
}
return true;
}
public static void main(String args) {
OpAD inst = new OpAD();
inst.initial_Ldap();
String username = inst.search_distinguishedName("testuser");
inst.mod_Pwd(username, "1234AbcD");
inst.close_Ldap();
}
}
修改AD的用户密码,有几点注意事项:1、AD域控上启用证书服务;2、客户端使用keytool导入域控的证书;3、域安全策略相关配置;4、修改密码使用remove/add操作;5、重置密码使用replace操作;6、密码必须是unicode编码;7、使用SSL端口连接AD
以下是调试过程中遇到的错误与处理方式:
1、sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
表示证书未导入。由于使用的是SUN Glassfish,trusted keystore在D:/Sun/SDK/domains/domain1/config/cacerts.jks,使用keytool -import -keystore store_file_name -file cert_file_name导入,并重启glassfish后,这个问题解决。默认keystore在JDK的jre/lib/security /cacerts里
2、javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT)
这个是由于contextSource.setBase后,所有的操作都是基于这个base操作的,后面的DN要做相应的修改
3、javax.naming.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-031A0F44, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
这个是最初代码使用的replace操作,这个在AD里对应的是密码重设(普通用户默认没有这个权限,管理员可以操作),另外remove操作时提供的旧密码错误也可能报这个异常
4、javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece
contextSource.setPassword设置了错误的密码
5、javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 00000056: AtrErr: DSID-03190F00, #1:
0: 00000056: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
这个最大的可能是不满足域安全策略:如密码复杂性、密码最短使用期限、强制密码历史。即长度、包含的字符、多久可以修改密码、是否可以使用历史密码等。
6、javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
这个错不记得什么原因导致了,估计也与安全策略有关
7、java.lang.NullPointerException at org.springframework.ldap.core.support.AbstractContextSource.getReadWriteContext(AbstractContextSource.java:138)
这个是创建contextSource后未调用contextSource.afterPropertiesSet()导致
下面两片文章可以参考:
http://support.microsoft.com/kb/269190/zh-cn
http://www.enhe.cn/renzhengkaoshi/AIX%20%E5%BC%80%E5%8F%91%E4%B8%8E%E5%BA%94%E7%94%A8/417.html