I don't (and will not) have administators account. I want to change myself (user) password in Active Directory from java. How can I do this?
Using code from web:
private void changePass() throws Exception {
String oldpass = this.encodePassword("oldpass!");
String newpass = this.encodePassword("newpass!");
Attribute oldattr = new BasicAttribute("unicodePwd", oldpass);
Attribute newattr = new BasicAttribute("unicodePwd", newpass);
ModificationItem olditem = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, oldattr);
ModificationItem newitem = new ModificationItem(DirContext.ADD_ATTRIBUTE, newattr);
ModificationItem repitem = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, newattr);
ModificationItem[] mods = new ModificationItem[2];
mods[0] = olditem;
mods[1] = newitem;
// ldapTemplate.modifyAttributes("cn=administrator,cn=Users", mods);
ldapTemplate.modifyAttributes("cn=smith,cn=Users", new ModificationItem[] { repitem });
}
here is the contextSource
<bean id="contextSource" class="org.springframework.ldap.core.support.LdapContextSource">
<property name="url" value="ldap://ldapserver:389"/>
<property name="base" value="dc=company,dc=com"/>
<property name="userDn" value="smith@company"/>
<property name="password" value="oldpass"/>
</bean>
I got:
LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
'CN=Users,DC=company,DC=com'
if I change userDn to "cn=smith" I got:
LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error
Maybe my problem is that I do not understand how is LDAP working? Is it possible (change user password by using user-account) or not? And, if it is possible, can I check account locked / expires with same privileges?
UPDATE / RESOLVE
thank you very match for your help. That was very helpful too me.
for future searchers:
NO_OBJECT - means that ACtive Directory cannot find object (my cn=Users,cn=Smith) To find fully qualified canonical path to user catalogue you can use user attribute "distinguishedName" (in my, worstest case it is "cn=John\, Smith",ou=Contractors,ou=User Accounts,ou=Accounts")
then I got:
WILL_NOT_PERFORM - this can mean different type of things. In my case there was wrong object type, but, possible other cases, as described below - not SSL connection (not ldaps://), and others.
then:
INSUFF_ACCESS_RIGHTS - user (not administrator doesn't have right to REPLACE-password attribute), to change password he must enter old password and new password, and then REMOVE old and ADD new.
Attribute oldattr = new BasicAttribute("unicodePwd", oldQuotedPassword.getBytes("UTF-16LE"));
Attribute newattr = new BasicAttribute("unicodePwd", newQuotedPassword.getBytes("UTF-16LE"));
ModificationItem olditem = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, oldattr);
ModificationItem newitem = new ModificationItem(DirContext.ADD_ATTRIBUTE, newattr);
ldapTemplate.modifyAttributes("cn=John\\, Smith,ou=Contractors,ou=User Accounts,ou=Accounts", new ModificationItem[] { olditem, newitem });
problem 1005 (CONSTRAINT_ATT_TYPE) - if old password wrong
btw
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name '/' - when searching person/user global (for example, in authenticate-method) ldapTemplate.setIgnorePartialResultException(true); can fix it
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 仙女界的扛把子 的文章《Can I change myself Active Directory password from》','https://www.manongdao.com/article-691956.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}