I am not able to authenticate when the user passes sAMAccountName and password.
If I do the following:
env.put(Context.SECURITY_PRINCIPAL, "CN="+username+",OU=Service Accounts,OU=TECH,DC=wawalab2,DC=ins");
env.put(Context.SECURITY_CREDENTIALS, password);
it throws this exception:
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece
Note: I can use Spring LDAP framework too.
First off, the 525 error is bad DN. You can see a list of the LDAP errors AD returns at this link: AD LDAP Error codes
So you have a bad DN. What you want to do is search for sAMAccountName=username, get the DN from the returned entry, and bind with that proper DN.
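The search-then-bind flow the answer describes, written out in JNDI as an added example (not code from the question or the answer). The LDAPS URL, base DN and the read-only service account used for the search are assumed values; the filter value is escaped so user input cannot change the filter's meaning.

```java
import java.util.Hashtable;
import javax.naming.*;
import javax.naming.directory.*;

public class AdSearchThenBind {
    // Assumed values: replace with the real DC, base DN and a read-only service account.
    static final String URL = "ldaps://dc.wawalab2.ins:636";
    static final String BASE_DN = "DC=wawalab2,DC=ins";
    static final String SERVICE_DN = "CN=ldap-reader,OU=Service Accounts,OU=TECH,DC=wawalab2,DC=ins";
    static final String SERVICE_PASSWORD = System.getenv("LDAP_SERVICE_PASSWORD");
    static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }
    // RFC 4515 escaping so a crafted sAMAccountName cannot alter the search filter.
    static String escapeFilterValue(String v) {
        return v.replace("\\", "\\5c").replace("*", "\\2a").replace("(", "\\28")
                .replace(")", "\\29").replace("\0", "\\00");
    }
    // Step 1: as the service account, resolve the sAMAccountName to exactly one DN.
    static String lookupDn(String sam) throws NamingException {
        DirContext svc = bind(SERVICE_DN, SERVICE_PASSWORD);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> hits = svc.search(BASE_DN,
                    "(&(objectClass=user)(sAMAccountName=" + escapeFilterValue(sam) + "))", sc);
            String dn = null;
            try {
                while (hits.hasMore()) {
                    if (dn != null) return null; // more than one match: refuse rather than guess
                    dn = hits.next().getNameInNamespace();
                }
            } catch (PartialResultException e) { /* AD referrals to other partitions: ignore */ }
            return dn;
        } finally { svc.close(); }
    }
    // Step 2: bind as that DN with the user's own password; the bind result is the verdict.
    static boolean authenticate(String sam, String password) throws NamingException {
        if (password == null || password.isEmpty()) return false; // empty password = anonymous bind on AD
        String dn = lookupDn(sam);
        if (dn == null) return false;
        try { bind(dn, password).close(); return true; }
        catch (AuthenticationException e) { return false; }
    }
}
```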
I can create a user using Boomi without any SSL (meaning port 389) and a password (for the new user to log in), but when I want to change the user's phone number, I get this error:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00000057: LdapErr: DSID-0C042612, comment: Error in attribute conversion operation, data 0, v4563]; remaining name ''
at java.naming/com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3332)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3205)
at java.naming/com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2996)
at java.naming/com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1504)
at java.naming/com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:277)
at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:192)
at java.naming/com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:181)
at java.naming/javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167)
at com.boomi.connector.LDAP.LDAPConnection.updateObject(LDAPConnection.java:190)
at com.boomi.connector.LDAP.LDAPUpdateOperation.executeUpdate(LDAPUpdateOperation.java:227)
at com.boomi.connector.util.BaseUpdateOperation.execute(BaseUpdateOperation.java:30)
at com.boomi.connector.generic.GenericConnectorAction.invoke(GenericConnectorAction.java:189)
at com.boomi.connector.generic.GenericConnectorAction.invoke(GenericConnectorAction.java:172)
at com.boomi.connector.base.BaseConnectorAction.invokeBase(BaseConnectorAction.java:368)
at com.boomi.connector.base.BaseConnectorAction.invokeWithReadStore(BaseConnectorAction.java:304)
at com.boomi.connector.base.BaseConnectorAction.invoke(BaseConnectorAction.java:276)
at jdk.internal.reflect.GeneratedMethodAccessor29.invoke(Unknown Source)
I googled it, and this error means:
Indicates that the LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons:
1. The add entry request violates the server's structure rules
2. The modify attribute request specifies attributes that users cannot modify -> I just want to change phone number.
3. Password restrictions prevent the action
4. Connection restrictions prevent the action. -> I think I can create user, so the connection is fine!
If LDAP error code 53 means I need to do everything with "SSL", why can I create a user? How can I sort this problem out?
It's possible the user actually hasn't been properly provisioned. Maybe it's been created, but the account is not enabled because the password is invalid. Run an LDAP client and try to log on as the new user with the credentials that you supplied. Does it work?
Two suggestions:
Please use LDAPS if you're creating users/setting passwords, or basically anything in AD LDAP. There's no excuse not to these days, and Microsoft is in the process of deprecating plain LDAP from non-Windows clients, so you might as well do it now. All you need is to install/trust the issuing CA certificate chain (root and intermediate certs) for whatever CA is signing the DC's LDAPS certificate. You do not need to install any client LDAP cert.
Check the password policy of the target domain and ensure the passwords you are trying to set meet the requirements in terms of complexity, length and so on.
I'm trying to extract a reason why a certain password is denied, using UnboundID LDAPSDK and connecting to Red Hat Directory Server.
However, after performing the following request:
import com.unboundid.ldap.sdk.Control;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedRequest;
import com.unboundid.ldap.sdk.extensions.PasswordModifyExtendedResult;
PasswordModifyExtendedRequest passwordModifyExtendedRequest = new PasswordModifyExtendedRequest(
userDN, currPassword, newPassword, new Control[]{new Control("1.3.6.1.4.1.42.2.27.8.5.1")});
passwordModifyExtendedRequest.setResponseTimeoutMillis(1000);
LDAPConnection ldapConnection = ldapManager.getLdapConnection(); // the asker's own helper returning an authenticated connection
PasswordModifyExtendedResult extendedResult = (PasswordModifyExtendedResult) ldapConnection.processExtendedOperation(passwordModifyExtendedRequest);
System.out.println(extendedResult);
I get this as a response (which is not descriptive enough):
PasswordModifyExtendedResult(resultCode=19 (constraint violation), messageID=2, diagnosticMessage='Failed to update password', responseControls={PasswordPolicyResponseControl(errorType='insufficient password quality', isCritical=false)})
However, when I change the password via Apache Directory Studio, it provides a perfectly fine error message:
[LDAP: error code 19 - invalid password syntax - password must be at least 8 characters long]
Just as an example, it returns the following when used on ApacheDS (which is fine as well):
[LDAP: error code 19 - CONSTRAINT_VIOLATION: failed for MessageType : MODIFY_REQUEST Message ID : 15 Modify Request Object : 'cn=josef,ou=users,o=test' Modification[0] Operation : replace Modification userPassword: 0x70 0x65 0x70 0x61 org.apache.directory.api.ldap.model.message.ModifyRequestImpl#196d9db6: Password should have a minimum of 5 characters]
The question is, is there a way to get the information that Apache Directory Studio manages to get? I've tried searching through their codebase, but was unable to find it.
In other words, I need to get the "password must be at least 8 characters long" in the response somehow.
Found a solution, using a regular ModifyRequest as follows:
// ...
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.Modification;
import com.unboundid.ldap.sdk.ModificationType;
import com.unboundid.ldap.sdk.ModifyRequest;
import com.unboundid.util.Base64;
// ...
// A plain REPLACE of userPassword instead of the password-modify extended operation;
// the server's policy check then surfaces in the thrown LDAPException's diagnostic message.
Modification passwordReplacementModification = new Modification(
ModificationType.REPLACE, "userPassword", newPassword.getBytes());
ModifyRequest modifyRequest = new ModifyRequest(user.getDn(), passwordReplacementModification);
LDAPResult modifyResult = ldapManager.getLdapConnectionAsAdmin().modify(modifyRequest); // throws LDAPException on a constraint violation
This results in the following exception:
LDAPException(resultCode=19 (constraint violation), errorMessage='invalid password syntax - password must contain at least 1 uppercase characters', diagnosticMessage='invalid password syntax - password must contain at least 1 uppercase characters', ldapSDKVersion=4.0.1, revision='26090')
This is my first post here. I have tried to search on the internet for my question but found no answers. I hope your expertise will help me.
I noticed something annoying when working with Microsoft LDAP in particular. In LDAP, when the user must reset their password at next logon there is a flag "User must reset password at next logon"; let's call it flag X. When X is set for a user and we try to change this user's password, we cannot. I want to do this in the name of the user, not as another administrative user, so it becomes: the user must change their password, but if they try to change it, they cannot.
Here is what I am doing:
Hashtable env = new Hashtable();
env.put(Context.SECURITY_AUTHENTICATION, <auth_mech>);
env.put(Context.SECURITY_PRINCIPAL, <principal>);
env.put(Context.SECURITY_CREDENTIALS, <pass>);
DirContext ctx = new InitialDirContext(env);
When trying to create the new Initial Context:
Authentication exception [LDAP: error code 49 - 80090308: LdapErr: DSID-0Cxxxxxx, comment: AcceptSecurityContext error, data 773, vece]
data 773 means the user must change their password at next logon. So when:
- user must change their pass at next logon
- user pass is expired
- user account is disabled
- user account is expired
and so on, we cannot change the user's password... This seems to me like a big limitation.
Also I want to ask if someone knows a specification that Microsoft is following regarding these error codes. I know that error code 49 is a general error code and is according to the specification, but are data 773, data 532 general for all LDAP? I think they are specific to the vendor, which is again very annoying.
P.S. I found similar issue here:
Change AD user expired password in Java
but it was resolved by using an AD super user that can change everyone's password, and I don't want that; I need the user to be able to change their own password, as this is reflected in the LDAP password history.
Thanks
The user can't change his own password if he can't login. If his password is expired you have to reset it as an administrator and then log him in with that password and force him to change it immediately.
@Valentin Mezev:
Use an admin account with getLdapContext, and use this context to change the password of another account.
Example:
LdapContext context = getLdapContext(url, dn_admin, pass_admin);
context.modifyAttributes(dn_change, modificationItems);
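The administrative flow the two answers describe (reset the password as an administrator, then force the user to change it), written out in JNDI as an added example rather than the answerer's code. The LDAPS URL, the admin account and the user DN are assumed values.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class AdAdminPasswordReset {
    // Assumed: an LDAPS URL and an account that holds "Reset password" rights on the target users.
    static LdapContext getLdapContext(String url, String adminDn, String adminPass) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // ldaps://...:636 - AD refuses unicodePwd writes on a plain connection
        env.put(Context.SECURITY_PRINCIPAL, adminDn);
        env.put(Context.SECURITY_CREDENTIALS, adminPass);
        return new InitialLdapContext(env, null);
    }
    // AD takes the new password in unicodePwd as the clear text wrapped in double quotes, encoded UTF-16LE.
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }
    // Administrative reset (REPLACE, no old value needed), then pwdLastSet=0 so the user must choose
    // their own password at next logon. Until they do, a simple bind as that user returns data 773.
    static void resetAndForceChange(LdapContext ctx, String userDn, String tempPassword) throws NamingException {
        ctx.modifyAttributes(userDn, new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(tempPassword))) });
        ctx.modifyAttributes(userDn, new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("pwdLastSet", "0")) });
    }
    public static void main(String[] args) throws NamingException {
        // Assumed names; both passwords come from the environment rather than being hard-coded.
        LdapContext ctx = getLdapContext("ldaps://dc.wawalab2.ins:636",
                "CN=pwreset-svc,OU=Service Accounts,OU=TECH,DC=wawalab2,DC=ins",
                System.getenv("PWRESET_BIND_PASSWORD"));
        try {
            resetAndForceChange(ctx, "CN=jdoe,OU=Users,DC=wawalab2,DC=ins", System.getenv("TEMP_USER_PASSWORD"));
        } finally {
            ctx.close();
        }
    }
}
```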
I have one question: I'm trying to authenticate to AD via LDAP, and when I put in invalid credentials I get an exception message like this:
LDAPException(resultCode=49 (invalid credentials), errorMessage='80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0
This is OK, but the more exact reason for this exception is in the part "data 52e", and it tells me "invalid credentials". When the credentials are good but, for example, the password is expired, the exception message will contain "data 532". This part of the message can have different values depending on the reason for the exception (533 - account disabled, 701 - account expired, etc.). My problem is how to catch only this part of the exception message. I want to handle the exception according to this error code. For example:
switch (errCode) {
case "52e":
System.out.println("invalid credentials");
break;
case "530":
System.out.println("not permitted to logon at this time");
break;
}
But I don't want to use regular expressions to match the error code. Any ideas?
These codes are probably specific to the Active Directory implementation. Have a look at the explanation in the similar question.
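An added example (not from the question or the answer) that pulls the AD sub-code out of the diagnostic message with plain string scanning, as the question asks, and maps it to a reason. The sample messages are constructed in the format quoted above; the code-to-reason table covers the sub-codes named in this thread plus a few other documented AcceptSecurityContext values.

```java
import java.util.Map;

public class AdBindErrorCode {
    // AcceptSecurityContext sub-codes as documented by Microsoft for LDAP result code 49.
    static final Map<String, String> REASONS = Map.of(
        "525", "user not found",
        "52e", "invalid credentials",
        "530", "not permitted to logon at this time",
        "531", "not permitted to logon at this workstation",
        "532", "password expired",
        "533", "account disabled",
        "701", "account expired",
        "773", "user must reset password",
        "775", "account locked out");

    // Returns the hex sub-code after "data " (e.g. "52e"), or null if the message has none.
    static String extractSubCode(String diagnosticMessage) {
        if (diagnosticMessage == null) return null;
        int start = diagnosticMessage.indexOf("data ");
        if (start < 0) return null;
        start += "data ".length();
        int end = start;
        while (end < diagnosticMessage.length() && Character.digit(diagnosticMessage.charAt(end), 16) >= 0) end++;
        return end == start ? null : diagnosticMessage.substring(start, end).toLowerCase();
    }

    // The specific reason belongs in the server-side log; the end user should only see a generic
    // failure, otherwise the sub-code tells an attacker which accounts exist, are locked or expired.
    static String describe(String diagnosticMessage) {
        String code = extractSubCode(diagnosticMessage);
        if (code == null) return "authentication failed (no AD sub-code)";
        return REASONS.getOrDefault(code, "authentication failed (unknown sub-code " + code + ")");
    }

    public static void main(String[] args) {
        // Constructed sample messages in the format quoted in the question.
        String[] samples = {
            "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0",
            "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1",
            "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 532, v1db0",
        };
        for (String s : samples) System.out.println(extractSubCode(s) + " -> " + describe(s));
    }
}
```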
I'm using JNDI to change an LDAP user's password. In most cases (when the user's password isn't expired) this code works just fine:
import java.util.Properties;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;

// truststore: field holding the path of the trust store that contains the CA chain of the DC's LDAPS certificate
public InitialLdapContext connect(String url, String securityPrincipal, String password) throws AuthenticationException, NamingException {
System.setProperty("javax.net.ssl.trustStore", truststore);
Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, url);
env.put(Context.SECURITY_PRINCIPAL, "EE\\" + securityPrincipal); // DOMAIN\user form of the principal
env.put(Context.SECURITY_CREDENTIALS, password);
env.put(Context.SECURITY_PROTOCOL, "ssl");
env.put("java.naming.ldap.version", "3");
env.put(Context.REFERRAL, "follow");
return new InitialLdapContext(env, null);
}
But when a user with an expired password tries to change it, my app throws:
Exception: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1 ]
com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3041)
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
So my question is: is it possible to change expired LDAP passwords? If it's possible, then tell me how.
Thanks for the help!
If you're using the password policy overlay you have to use the change-password extended request. It's not supported in the JDK but I've posted code for it in the Oracle Java JNDI forum.
The problem was resolved by creating a super user in AD, which has rights to change every AD password. When an AD user's password is expired, the super user changes their password.