无法使用Spring LDAP在AD中更新密码和useraccountcontrol

时间:2015-03-10 13:16:51

标签: java spring active-directory spring-ldap

我是Spring LDAP和Active目录的新手,在AD中为新创建的用户更新密码时面临问题。

使用SPRING LDAP我首先在AD中成功创建了User,然后在我遇到异常时尝试更新用户的密码和useraccountcontrol。 我们一直在尝试过去一周,但无法解决。任何帮助/方向都受到高度赞赏。

我已经浏览了很多博客并尝试过以下两个博客中提到的但仍被阻止并获得同样的例外:

How do I resolve "WILL_NOT_PERFORM" MS AD reply when trying to change password in scala w/ the unboundid LDAP SDK?

Adding a user with a password in Active Directory LDAP

堆栈跟踪:

16:43:56,991 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)  INFO [http-localhost-127.0.0.1-8080-1] (HelperDao.java:26) - HelperDao.getNextUserId(): entry

16:43:57,007 INFO  [stdout] (http-localhost-127.0.0.1-8080-1) Hibernate:   SELECT LTRIM(TO_CHAR( IP_USER_XDUSERID_SEQ.nextval, '000000000000000000000000000')) ID from dual

16:43:57,164 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)  INFO [http-localhost-127.0.0.1-8080-1] (HelperDao.java:30) - HelperDao.getNextUserId(): exit

16:47:17,051 INFO  [stdout] (http-localhost-127.0.0.1-8080-1) 16:47:17.051 [http-localhost-127.0.0.1-8080-1] ERROR com.st.liotroevo.web.dao.UserADRepository - catching

16:47:17,051 INFO  [stdout] (http-localhost-127.0.0.1-8080-1) javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000200D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
16:47:17,067 INFO  [stdout] (http-localhost-127.0.0.1-8080-1) 
16:47:17,067 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3160) ~[?:1.7.0_45]
16:47:17,067 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) ~[?:1.7.0_45]
16:47:17,067 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840) ~[?:1.7.0_45]
16:47:17,067 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1478) ~[?:1.7.0_45]
16:47:17,067 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:273) ~[?:?]
16:47:17,067 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:190) ~[?:?]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:179) ~[?:?]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167) ~[?:1.7.0_45]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.7.0_45]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[?:1.7.0_45]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.7.0_45]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_45]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at org.springframework.transaction.compensating.support.CompensatingTransactionUtils.performOperation(CompensatingTransactionUtils.java:69) ~[spring-ldap-core-2.0.2.RELEASE.jar:2.0.2.RELEASE]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at org.springframework.ldap.transaction.compensating.manager.TransactionAwareDirContextInvocationHandler.invoke(TransactionAwareDirContextInvocationHandler.java:85) ~[spring-ldap-core-2.0.2.RELEASE.jar:2.0.2.RELEASE]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at com.sun.proxy.$Proxy69.modifyAttributes(Unknown Source) ~[?:?]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at com.st.liotroevo.web.dao.UserADRepository.update(UserADRepository.java:104) [classes:?]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at com.st.liotroevo.web.service.UserService.updateUser(UserService.java:92) [classes:?]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at com.st.liotroevo.web.service.serviceImpl.IPRegistrationServiceImpl.createUser(IPRegistrationServiceImpl.java:72) [classes:?]
16:47:17,099 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.7.0_45]
16:47:17,115 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[?:1.7.0_45]
16:47:17,115 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.7.0_45]
16:47:17,115 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_45]
16:47:17,115 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at org.jboss.ws.common.invocation.AbstractInvocationHandlerJSE.invoke(AbstractInvocationHandlerJSE.java:111) [jbossws-common-2.0.2.GA.jar!/:2.0.2.GA]
16:47:17,115 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal(JBossWSInvoker.java:181) [jbossws-cxf-server-4.0.2.GA.jar!/:4.0.2.GA]
16:47:17,115 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at org.jboss.wsf.stack.cxf.JBossWSInvoker.invoke(JBossWSInvoker.java:127) [jbossws-cxf-server-4.0.2.GA.jar!/:4.0.2.GA]
16:47:17,115 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58) [cxf-rt-core-2.4.6.jar!/:2.4.6]
16:47:17,115 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [?:1.7.0_45]
16:47:17,115 INFO  [stdout] (http-localhost-127.0.0.1-8080-1)       at java.util.concurrent.FutureTask.run(FutureTask.java:262) [?:1.7.0_45]

以下是代码段:

ldap.url=ldaps://url:636
ldap.userDn=CN=IP User,OU=AdminAccounts,DC=stp-qa,DC=st,DC=com
ldap.password=dummyPass
ldap.base=OU=ST,OU=People,DC=stp-qa,DC=st,DC=com
ldap.clean=false

@Entry(objectClasses = {  "top", "person", "organizationalPerson","user","st-individualpassportuser"})
public final class User {

    @Id
    private Name dn;

    @Attribute(name = "mail")
    private String email;

    @Attribute(name = "cn")
    @DnAttribute(value="cn",index=0)
    private String fullName;

    @Attribute(name = "givenName")
    private String firstName;

    @Attribute(name = "sn")
    private String lastName;

    @Attribute(name = "st-AccValidationStatus")
    private String accountStatus;

    @Attribute(name = "st-entryStatus")
    private String validationStatus;

    @Attribute(name = "whenCreated")
    private String creationDate;

    @Attribute(name = "st-ValidatedOn")
    private String validationDate;

    @Attribute(name = "st-ValidatedBy")
    private String validatedBy;

    @Attribute(name = "st-currentLogon")
    private String lastLogon;

    @Attribute(name = "st-loginRedirectURL")
    private String loginRedirectUrl;

    @Attribute(name = "st-jvCompany")
    private String jvCode;

    @Attribute(name = "sAMAccountName")
    private String samAccount;

    @Attribute(name = "st-userSpecifedCompany")
    private String employerName;

    @Attribute(name = "postalCode")
    private String zipCode;

    @Attribute(name="st-xduserid")
    private String xdUserId;

    @Attribute(name="st-Logincount")
    private String loginCount;

    @Attribute(name="unicodePwd")
    private byte[] unicodePassword;

    @Attribute(name="userAccountControl")
    private String userAccountControl;

    @Attribute(name="st-AccLastValidated")
    private String userAccLastValidated;

    @Attribute(name="st-secretQuestion")
    private String userSecretQuestion;

    @Attribute(name="st-secretAnswer")
    private String userAnswerToSecretQuestion;
    }

用于密码计算的Java类:

/**
 * Add unicode Password to userObject.
 * Ldap does not allow to set password/userAccountControl during creation of user by design, So need to update user after creation in AD with password and userAccountControl.
 * @param password
 */
private void addPasswordToUserProfile(String password) {

    String newQuotedPassword = "\"" +  password + "\"";
    try {
        byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
            int UF_NORMAL_ACCOUNT = 0x0200;
            int UF_PASSWORD_EXPIRED = 0x800000;
            adUserBean.setUserAccountControl(Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWORD_EXPIRED));
            adUserBean.setUnicodePassword(newUnicodePassword);
    } catch (UnsupportedEncodingException e) {
        logger.catching(e);
    }
}

Repository.Java

@Repository
public class UserADRepository {

    @Autowired
    private LdapTemplate ldapTemplate;

    public User create(User user) {
        ldapTemplate.create(user);
        return user;
    }

    public User findByFullName(String fullName) {
        return ldapTemplate.findOne(
                LdapQueryBuilder.query().where("cn").is(fullName), User.class);
    }

    /**
     * Find user in LDAP based on User SamAccountName
     * @param samAccount
     * @return
     */
    public User findBySamAccountName(String samAccount) {
        User usr = null;
        try {
            usr = ldapTemplate.findOne(
                    LdapQueryBuilder.query().where("sAMAccountName")
                            .is(samAccount), User.class);
        } catch (EmptyResultDataAccessException emptyException) {
            return usr;
        }
        return usr;
    }

/**
 * Find user in LDAP based on User DN (distinguisedName) 
 * @param dn
 * @return
 */
    public User findByDn(Name dn) {
        User usr = null;
        try {
            usr = ldapTemplate.findByDn(dn, User.class);
        } catch (NameNotFoundException e) {
            return usr;
        }
        return usr;
    }

    /**
     * Update user in AD 
     * @param User
     */
    public void update(User User) {
        ldapTemplate.update(User);
    }

    public void delete(User User) {
        ldapTemplate.delete(User);
    }

提前感谢您提供帮助或解决此问题的方向。

2 个答案:

答案 0 :(得分:0)

用于更新AD密码使用单独的方法,似乎LdapTemplate.update()没有为密码定义正确的ModificationItem。

        public void setPassword(Person p){
        String relativeDn = getRelativeDistinguishedName(person.getDistinguishedName());
        LdapNameBuilder ldapNameBuilder = LdapNameBuilder.newInstance(relativeDn);
        Name dn  = ldapNameBuilder.build();

        DirContextOperations context = ldapTemplate.lookupContext(dn);

        Attribute attr = new BasicAttribute("unicodepwd", encodePassword(person.getPassword()));
        ModificationItem item = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, attr);

        ldapTemplate.modifyAttributes(dn, new ModificationItem[] {item});   
        }

答案 1 :(得分:0)

除了aalmero答案,似乎Spring Ldap存储库无法保存unicodePwd。

但是您可以使用LdapTemplate:

    UserAd userAd = new UserAd();
    // set your stuff
    userAdRepository.save(userAd);

    ModificationItem[] mods = new ModificationItem[1];
    mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", encodePassword("password-respecting-policies")));

    ldapTemplate.modifyAttributes(userAd.getDn(), mods);