Change AD user expired password in Java

Posted 2020-05-09 09:22

I'm using JNDI to change an LDAP user's password. In most cases (when the user's password isn't expired) this code works just fine:

import java.util.Properties;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;

public class LdapConnector {
    // Path to the trust store that holds the CA certificate of the AD domain controller
    private final String truststore;

    public LdapConnector(String truststore) {
        this.truststore = truststore;
    }

    public InitialLdapContext connect(String url, String securityPrincipal, String password)
            throws AuthenticationException, NamingException {
        System.setProperty("javax.net.ssl.trustStore", truststore);
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_PRINCIPAL, "EE\\" + securityPrincipal); // DOMAIN\user simple bind
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.SECURITY_PROTOCOL, "ssl"); // LDAPS; AD rejects password writes on plaintext connections
        env.put("java.naming.ldap.version", "3");
        env.put(Context.REFERRAL, "follow");
        return new InitialLdapContext(env, null);
    }
}

But when a user with an expired password tries to change it, my app throws:

Exception: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1 ]
          com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
          com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
          com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
          com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
          com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
          com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
          com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
          com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
          com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)

So my question is: is it possible to change expired LDAP passwords? If it is possible, please tell me how.

Thanks for the help!

Tags: java ldap jndi
2 answers
迷人小祖宗
#2 · 2020-05-09 09:29

If you're using the password policy overlay, you have to use the change-password extended request. It's not supported in the JDK, but I've posted code for it in the Oracle Java JNDI forum.
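The request this answer refers to is the LDAP Password Modify extended operation of RFC 3062 (OID 1.3.6.1.4.1.4203.1.11.1). JNDI ships no class for it, but `javax.naming.ldap.ExtendedRequest` lets you hand the BER-encoded request value to `LdapContext.extendedOperation`. The class below is an added example written for this page, not the code the answerer posted on the Oracle forum (which is not reproduced here); the DN and passwords in `main` are placeholders.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.ldap.ExtendedRequest;
import javax.naming.ldap.ExtendedResponse;
import javax.naming.ldap.LdapContext;

/** RFC 3062 Password Modify extended request for JNDI (added example, not JDK code). */
public final class PasswordModifyRequest implements ExtendedRequest {
    public static final String OID = "1.3.6.1.4.1.4203.1.11.1";
    private final byte[] value;

    /**
     * PasswdModifyRequestValue ::= SEQUENCE {
     *   userIdentity [0] OCTET STRING OPTIONAL,   -- null = the bound identity
     *   oldPasswd    [1] OCTET STRING OPTIONAL,
     *   newPasswd    [2] OCTET STRING OPTIONAL }  -- null = server generates one
     */
    public PasswordModifyRequest(String userIdentity, String oldPassword, String newPassword) {
        ByteArrayOutputStream body = new ByteArrayOutputStream();
        if (userIdentity != null) writeTlv(body, 0x80, userIdentity.getBytes(StandardCharsets.UTF_8));
        if (oldPassword != null) writeTlv(body, 0x81, oldPassword.getBytes(StandardCharsets.UTF_8));
        if (newPassword != null) writeTlv(body, 0x82, newPassword.getBytes(StandardCharsets.UTF_8));
        ByteArrayOutputStream seq = new ByteArrayOutputStream();
        writeTlv(seq, 0x30, body.toByteArray()); // outer SEQUENCE
        this.value = seq.toByteArray();
    }

    /** Minimal BER TLV writer: tag, definite length (short or long form), content. */
    static void writeTlv(ByteArrayOutputStream out, int tag, byte[] content) {
        out.write(tag);
        int len = content.length;
        if (len < 0x80) {
            out.write(len);
        } else {
            int n = (32 - Integer.numberOfLeadingZeros(len) + 7) / 8; // bytes needed for len
            out.write(0x80 | n);
            for (int i = n - 1; i >= 0; i--) out.write((len >>> (8 * i)) & 0xFF);
        }
        out.write(content, 0, content.length);
    }

    @Override public String getID() { return OID; }
    @Override public byte[] getEncodedValue() { return value.clone(); }

    @Override
    public ExtendedResponse createExtendedResponse(String id, byte[] berValue, int offset, int length) {
        // Response value (optional genPasswd) is returned raw; decode it only if you asked for generation.
        final byte[] copy = berValue == null ? null : Arrays.copyOfRange(berValue, offset, offset + length);
        return new ExtendedResponse() {
            @Override public String getID() { return id; }
            @Override public byte[] getEncodedValue() { return copy; }
        };
    }

    /** Check the root DSE before relying on the operation; AD does not list this OID. */
    static boolean supportsPasswordModify(LdapContext ctx) throws NamingException {
        Attributes rootDse = ctx.getAttributes("", new String[] {"supportedExtension"});
        Attribute ext = rootDse.get("supportedExtension");
        return ext != null && ext.contains(OID);
    }

    /** Changes the password of the bound user (userIdentity omitted), supplying the old one. */
    static void changeOwnPassword(LdapContext ctx, String oldPassword, String newPassword) throws NamingException {
        if (!supportsPasswordModify(ctx)) {
            throw new NamingException("server does not advertise " + OID + " in supportedExtension");
        }
        ctx.extendedOperation(new PasswordModifyRequest(null, oldPassword, newPassword));
    }
}
```

The `supportsPasswordModify` check is the caveat worth keeping: the operation belongs to servers such as OpenLDAP (where the ppolicy overlay accepts it for an expired password as long as grace binds remain). Active Directory, which the question is about, does not advertise 1.3.6.1.4.1.4203.1.11.1, so this path cannot fix the `data 773` bind failure in the question.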

时光不老,我们不散
#3 · 2020-05-09 09:51

The problem was resolved by creating a super user in AD which has the rights to change every AD password. When an AD user's password is expired, the super user changes that user's password.
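What this approach looks like in JNDI against Active Directory, as an added example rather than the answerer's code: AD stores the password behind the `unicodePwd` attribute, which must be written over an encrypted connection as the UTF-16LE bytes of the password wrapped in double quotes. A `REPLACE` on that attribute is an administrative reset (the super-user path of this answer); a `REMOVE` of the old value plus an `ADD` of the new value in a single modify is a user-style change that AD validates against the old password and the password history. Host, service-account name and target DN are placeholders, and the `data 773` / `data 532` sub-codes come from the bind error in the question (773 = password must change, 532 = password expired).

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

/** Resetting an expired AD password with a privileged account over LDAPS (added example). */
public final class AdPasswordReset {

    /** AD expects unicodePwd as UTF-16LE of the quoted password, e.g. "\"Secret1!\"". */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** True when a bind failed only because the password must be changed or has expired. */
    static boolean mustChangePassword(NamingException e) {
        String msg = String.valueOf(e.getMessage());
        return msg.contains("data 773") || msg.contains("data 532");
    }

    /** Bind the "super user" over LDAPS; AD refuses unicodePwd writes on a plaintext connection. */
    static LdapContext bindPrivileged(String ldapsUrl, String principal, String password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.REFERRAL, "follow");
        return new InitialLdapContext(env, null);
    }

    /** Administrative reset: needs the "Reset password" right on the target object. */
    static void resetPassword(LdapContext admin, String userDn, String newPassword) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        admin.modifyAttributes(userDn, mods);
    }

    /** User-style change: AD checks the old value, history and minimum age; works for an expired password too. */
    static void changePassword(LdapContext ctx, String userDn, String oldPassword, String newPassword)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    public static void main(String[] args) throws NamingException {
        // Placeholders: args[0] = service-account password, args[1] = old user password, args[2] = new one.
        String userDn = "CN=Jane Doe,OU=Users,DC=ee,DC=example";
        LdapContext admin = bindPrivileged("ldaps://dc01.ee.example:636", "EE\\svc-pwdchange", args[0]);
        try {
            // Preferred: let AD verify the old password even though the user cannot bind with it.
            changePassword(admin, userDn, args[1], args[2]);
        } finally {
            admin.close();
        }
    }
}
```

Two things a practitioner would add to this answer. First, the privileged account does not need Domain Admins: delegate only the "Change password" (for the remove/add form) or "Reset password" (for the replace form) right on the user OU, because whoever holds this service credential can take over every account in its scope. Second, prefer the remove/add form when the user supplied their old password: AD still verifies it, so an expired password does not turn into an unauthenticated reset, whereas `resetPassword` bypasses the old-password check entirely.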
