Change password in Active Directory using the JNDI GSS-API/Kerberos
Hi
I am trying to use the JNDI GSS-API to change a user password.
When I actually try to change the password using ctx.modifyAttributes(userName, mods), I get the exception:
09:39:38,163 ERROR [STDERR] javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 ]; remaining name 'CN=USER,OU=Usuarios,DC=testead,DC=br'
Here's my java code:
import java.io.UnsupportedEncodingException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Map;
import java.util.logging.Logger;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;

import org.apache.commons.chain.Command;

import com.sun.security.auth.module.Krb5LoginModule;

public class ChangePasswordLDAPCommand implements Command {
    static Logger logger = Logger.getLogger(ChangePasswordLDAPCommand.class.getName());

    public boolean execute(org.apache.commons.chain.Context context) throws ApplicationException {
        logger.info("Start - execute");
        try {
            CoreConfig config = CoreConfig.getInstance();
            String userName = config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME);
            char[] password = config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD).toCharArray();

            Subject subject = new Subject();
            Krb5LoginModule krb5LoginModule = new Krb5LoginModule();
            // Module options, i.e. what a JAAS login.conf entry would normally carry
            Map<String, String> options = new HashMap<String, String>();
            options.put("client", "true");
            options.put("useTicketCache", "true");
            options.put("doNotPrompt", "true");
            options.put("useKeyTab", "true");
            options.put("useFirstPass", "true");
            options.put("refreshKrb5Config", "true");
            logger.info(">>>>> options: " + options);
            // Shared state read because of useFirstPass; the password entry must be a char[]
            Map<String, Object> shared = new HashMap<String, Object>();
            shared.put("javax.security.auth.login.name", userName);
            shared.put("javax.security.auth.login.password", password);
            logger.info(">>>>> shared keys: " + shared.keySet());

            krb5LoginModule.initialize(subject, new UserNamePasswordCallbackHandler(userName, password), shared, options);
            krb5LoginModule.login();
            if (krb5LoginModule.commit()) {
                // Fetch the user whose password is to be changed
                UsuarioTOLDAP usuarioTO = (UsuarioTOLDAP) context.get(CoreConfig.USUARIO_TO_LDAP);
                logger.info(">>>>> subject: " + subject);
                Subject.doAsPrivileged(subject, new JndiAction(usuarioTO), null);
            }
        } catch (LoginException e) {
            e.printStackTrace();
        } catch (PrivilegedActionException e) {
            e.printStackTrace();
        }
        logger.info("End - execute");
        return Command.CONTINUE_PROCESSING;
    }

    public static class JndiAction implements PrivilegedExceptionAction<Object> {
        private static Logger logger = Logger.getLogger(JndiAction.class.getName());
        private UsuarioTOLDAP usuarioTOLDAP = null;

        public JndiAction(UsuarioTOLDAP usuarioTO) {
            this.usuarioTOLDAP = usuarioTO;
        }

        public Object run() {
            performJndiOperation(usuarioTOLDAP);
            return null;
        }

        private static void performJndiOperation(UsuarioTOLDAP usuarioTOLDAP) {
            logger.info(">>>>> entered performJndiOperation");
            try {
                CoreConfig config = CoreConfig.getInstance();
                String keystore = "C:/Documents and Settings/user/.keystore";
                System.setProperty(CoreConfig.JAVAX_NET_SSL_TRUSTSTORE, keystore);
                System.setProperty("com.sun.jndi.ldap.connect.pool.timeout", "30000");
                System.setProperty("javax.net.debug", "all");
                System.setProperty("sun.security.krb5.debug", "true");

                Hashtable<String, Object> env = new Hashtable<String, Object>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, CoreConfig.INITIAL_CONTEXT_FACTORY);
                env.put(Context.PROVIDER_URL, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_URL));
                env.put(Context.SECURITY_AUTHENTICATION, CoreConfig.SECURITY_PROTOCOL_GSSAPI);
                env.put(Context.SECURITY_PRINCIPAL, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_NAME));
                env.put(Context.SECURITY_CREDENTIALS, config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_ADMIN_PASSWORD));
                env.put(CoreConfig.JAVAX_NET_SSL_TRUSTSTORE, keystore);
                env.put("javax.security.sasl.qop", "auth-int");   // integrity only, no encryption of the session
                env.put("javax.security.sasl.strength", "high");
                env.put("javax.security.sasl.server.authentication", "true");

                String userName = "CN=USER," + config.getProperty(CoreConfig.PARAM_CONFIG_LDAP_BASE_DN);
                // Create the initial directory context
                LdapContext ctx = new InitialLdapContext(env, null);

                // Setting the password is an LDAP modify operation: replace the
                // "unicodePwd" attribute with the new value, which must be a
                // double-quoted string encoded as UTF-16LE
                String newQuotedPassword = "\"" + usuarioTOLDAP.getNovaSenha() + "\"";
                byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
                ModificationItem[] mods = new ModificationItem[1];
                mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", newUnicodePassword));
                // Perform the update
                ctx.modifyAttributes(userName, mods);
                ctx.close();
            } catch (NamingException e) {
                e.printStackTrace();
            } catch (UnsupportedEncodingException e) {
                e.printStackTrace();
            }
        }
    }
}
Edited by: c0m4nch3 on Jan 21, 2010 12:13 PM
Refer to my response for a similar question in http://forums.sun.com/thread.jspa?threadID=5416736
Also the following may be related: http://forums.sun.com/thread.jspa?threadID=5196192
Good luck.
Similar Messages
-
Changing user password in Active Directory using the JNDI GSS-API/Kerberos5
Hello,
I am trying to use the JNDI GSS-API to change a user password on an Active Directory Server 2003. I have seen a variation of this using SSL on the thread http://forums.sun.com/thread.jspa?threadID=592611&start=0&tstart=0
but I can't seem to make this work using the GSS-API. I can successfully create a javax.security.auth.login.LoginContext.LoginContext and then call the login method on it to log in as a user. I then call the javax.security.auth.Subject.doAs() method, which calls the run method in a class extending the javax.security.PrivilegedActionClass. But when I actually try to change the password using InitialDirContext.modifyAttributes(), I get the exception:
javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190DC9, problem 5003 (WILL_NOT_PERFORM), data 0
If anyone can help me figure out why it doesn't work, that would be great!
P.S: I know the error seems to suggest that there might be some active directory setting that is preventing this from working, but I've checked all relevant settings on the Windows 2003 server Active Directory that I can think of: In the User properties->Account->Account options, I've made sure the user can change password. Also, in the Group Policy->Computer Configuration->Windows Settings->Security Settings->Account Policies->Password Policy, Maximum password age is zero and so is minimum password age.
Here's my java code:
{code}
import javax.naming.*;
import javax.security.auth.*;
import javax.security.auth.login.*;
import java.security.PrivilegedAction;
import java.io.UnsupportedEncodingException;

public void changeSecret(String uid, String oldPassword, String newPassword)
        throws NamingException, ACException {
    LoginContext lc = null;
    try {
        K5CallbackHandler cb = new K5CallbackHandler(uid, oldPassword);
        lc = new LoginContext("marker", cb);
        lc.login();
        // rz: defined in the enclosing class (not shown); supplies the DN passed to modifyAttributes
        Subject.doAs(lc.getSubject(), new ChangePasswordAction(rz.getName(), oldPassword, newPassword));
    } catch (LoginException e) {
        e.printStackTrace();
    } finally {
        try {
            if (lc != null) lc.logout();
        } catch (LoginException e) {
            // nothing more to do
        }
    }
}
{code}
ChangePasswordAction.java is:
{code}
import javax.naming.*;
import javax.naming.directory.*;
import java.io.UnsupportedEncodingException;
import java.security.PrivilegedAction;
import java.util.Hashtable;

private class ChangePasswordAction implements PrivilegedAction {
    private String uid;
    private String quotedOldPassword;
    private String quotedNewPassword;

    public ChangePasswordAction(String uid, String oldPassword, String newPassword) {
        this.uid = uid;
        // unicodePwd values must be double-quoted before UTF-16LE encoding
        quotedOldPassword = "\"" + oldPassword + "\"";
        quotedNewPassword = "\"" + newPassword + "\"";
    }

    public Object run() {
        Hashtable env = new Hashtable(11);
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://ad2k3:389");
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");
        try {
            DirContext ctx = new InitialDirContext(env);
            ModificationItem[] mods = new ModificationItem[2];
            byte[] oldPasswordUnicode = quotedOldPassword.getBytes("UTF-16LE");
            byte[] newPasswordUnicode = quotedNewPassword.getBytes("UTF-16LE");
            // Self-service change: remove the old value and add the new one in a single modify
            mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", oldPasswordUnicode));
            mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", newPasswordUnicode));
            ctx.modifyAttributes(uid, mods);
            ctx.close();
        } catch (NamingException e) {
            e.printStackTrace();
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        }
        return null;
    }
}
{code}
K5CallbackHandler is:
{code}
import javax.security.auth.callback.*;

final class K5CallbackHandler implements CallbackHandler {
    private final String name;
    private final char[] passwd;

    public K5CallbackHandler(String nm, String pw) {
        name = nm;
        if (pw == null) {
            passwd = new char[0];
        } else {
            passwd = pw.toCharArray();
        }
    }

    public void handle(Callback[] callbacks) throws java.io.IOException, UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            if (callbacks[i] instanceof NameCallback) {
                NameCallback cb = (NameCallback) callbacks[i];
                cb.setName(name);
            } else if (callbacks[i] instanceof PasswordCallback) {
                PasswordCallback cb = (PasswordCallback) callbacks[i];
                cb.setPassword(passwd);
            } else {
                throw new UnsupportedCallbackException(callbacks[i]);
            }
        }
    }
}
{code}
The relevant entry in the JAAS.conf file that is referred to as "marker" in the LoginContext constructor is:
{code}
marker {
    com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};
{code}
This is one of the two Active Directory operations I have never solved using Java/JNDI. (FYI the other one is Cross Domain Move).
My gut feel is that the underlying problem (which happens to be common to both Change Password & X-Domain Move) is that Java/JNDI/GSSAPI does not negotiate a sufficiently strong key length that allows Active Directory to change passwords or perform cross domain moves when using Kerberos & GSSAPI.
Active Directory requires at a minimum, 128 bit key lengths for these security related operations.
In more recent Kerberos suites and Java versions, support for RC4-HMAC & AES has been introduced, so it may be possible that you can negotiate a suitably strong key length.
Make sure that your Kerberos configuration is using either RC4-HMAC or AES and that Java is requesting a strong level of protection. (You can do this by adding

    // Specify the quality of protection
    // Eg. auth-conf: confidentiality, auth-int: integrity
    // confidentiality is required to set a password
    env.put("javax.security.sasl.qop", "auth-conf");
    // require high strength 128 bit crypto
    env.put("javax.security.sasl.strength", "high");

in your ChangePasswordAction class.)
You may also want to enable SASL logging in your app to see what exactly is going on, and you may also want to check on the Java Security forum how to configure/enforce/check that either RC4-HMAC or AES is used as the Kerberos cipher suite and that a strong key length is being used.
Good luck. -
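Both threads above hit the same wall: Active Directory refuses to accept a unicodePwd write unless the LDAP session is encrypted, either by LDAPS or by a SASL/GSSAPI layer negotiated with confidentiality (qop auth-conf). The first post asks for auth-int, which only signs the traffic; the second post sets no qop at all, so the default (auth) applies. Error code 53 / WILL_NOT_PERFORM is how AD reports that. The following class is an added example and is not code from either poster: it shows a JNDI client that offers only auth-conf (so the bind fails instead of silently negotiating down), an LDAPS alternative, and the two modify shapes from the posts, the single REPLACE (administrative reset) and the DELETE+ADD pair (self-service change that AD validates against the old password and the password policy). The JAAS entry name ADClient, the host dc1.testead.br and the command-line arguments are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

/** Writes unicodePwd over a channel Active Directory accepts for that attribute. */
public class AdPasswordChanger {

    /** Wire form of unicodePwd: the password in double quotes, UTF-16LE, no BOM. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Administrative reset: a single REPLACE; needs reset rights, not the old password. */
    static ModificationItem[] adminReset(String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    /** Self-service change: DELETE old + ADD new in one modify, so AD checks the old
     *  password and applies the password policy to the new one. */
    static ModificationItem[] userChange(String oldPassword, String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    /** GSSAPI bind that insists on sealing. Offering only "auth-conf" makes the bind
     *  fail loudly instead of negotiating down to auth-int or auth, which AD accepts
     *  for the bind and then rejects (error 53) when unicodePwd is written. */
    static Hashtable<String, Object> sealedGssapiEnv(String ldapUrl) {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);                 // plain ldap://host:389
        env.put(Context.SECURITY_AUTHENTICATION, "GSSAPI");     // credentials come from the Subject
        env.put("javax.security.sasl.qop", "auth-conf");        // not "auth-int"
        env.put("javax.security.sasl.strength", "high");
        env.put("javax.security.sasl.server.authentication", "true");
        return env;
    }

    /** Alternative when Kerberos sealing is unavailable: LDAPS, where TLS is the encryption. */
    static Hashtable<String, Object> ldapsEnv(String ldapsUrl, String bindDn, char[] bindPassword) {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);                // ldaps://host:636
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return env;
    }

    /** Runs the modify as the Kerberos Subject so the GSSAPI bind can use its TGT. */
    static void modifyAs(Subject subject, final Hashtable<String, Object> env,
                         final String userDn, final ModificationItem[] mods) throws Exception {
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
            public Void run() throws NamingException {
                LdapContext ctx = new InitialLdapContext(env, null);
                try {
                    ctx.modifyAttributes(userDn, mods);
                } finally {
                    ctx.close();
                }
                return null;
            }
        });
    }

    public static void main(String[] args) throws Exception {
        // "ADClient" is an assumed JAAS entry (a Krb5LoginModule stanza in the file
        // named by -Djava.security.auth.login.config); host and DN are placeholders.
        LoginContext lc = new LoginContext("ADClient");
        lc.login();
        try {
            modifyAs(lc.getSubject(), sealedGssapiEnv("ldap://dc1.testead.br:389"),
                     "CN=USER,OU=Usuarios,DC=testead,DC=br", userChange(args[0], args[1]));
        } finally {
            lc.logout();
        }
    }
}
```

Two details worth knowing when adapting this. With SECURITY_AUTHENTICATION=GSSAPI the SECURITY_PRINCIPAL and SECURITY_CREDENTIALS entries the first post adds are not used; the bind identity is whatever Kerberos credential sits in the Subject, so an admin reset runs as the admin only if the admin's ticket is in that Subject. Sealing derives its keys from the Kerberos session key, which is why the reply above asks for RC4-HMAC or AES: the client's krb5 configuration and the account's key types must share an encryption type that the Java GSS provider can seal with, otherwise the auth-conf bind itself fails and no modify is attempted. For the LDAPS path the domain controller's certificate chain has to be in the truststore named by javax.net.ssl.trustStore.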
How to change password in Active Directory from a Mac
When logging into Active Directory I can enter my password without a problem, but I am required to change it periodically and I can't see an option for changing the password. Does anyone have experience with this on their Mac when accessing Active Directory?
Thanks
In the Accounts section of System Preferences there should be a Change Password… button next to your account picture. That's how we do it in Tiger, but it should work in Leopard too.
-
Creating MailBox-enabled Users In Active Directory Using JNDI
Thanks to the various code samples I have come across in this forum, I have been able to use the JNDI API to add a new user to Microsoft Active Directory.
The user account that was added using a combination of the various code samples was already enabled, but the problem is that the user does not have an Exchange mailbox created/enabled as well.
When attempts were made to access the user's IMAP mailbox from an external webmail client, the following message was received:
"No Such Object On The Server"
I am wondering whether there is an attribute I am missing out, or something.
I would welcome any suggestions.
Please treat as urgent.
Thank you in anticipation.
Below is the list of attributes I set:

BasicAttributes ba = new BasicAttributes();
ba.put(new BasicAttribute("userPrincipalName", "[email protected]"));
ba.put(new BasicAttribute("sAMAccountName", "fagu"));
ba.put(new BasicAttribute("title", "Anyhow"));
ba.put(new BasicAttribute("mail", "[email protected]"));
ba.put(new BasicAttribute("mailNickname", "fagu"));
ba.put(new BasicAttribute("objectClass", "user"));
ba.put(new BasicAttribute("displayName", "Festus Agu"));
ba.put(new BasicAttribute("sn", "Agu"));
ba.put(new BasicAttribute("userAccountControl", "66048"));
//ba.put(new BasicAttribute("unicodePwd", "fagu"));
ba.put(new BasicAttribute("mDBUseDefaults", "TRUE"));
ba.put(new BasicAttribute("homeMTA", "CN=Microsoft MTA,CN=XSOCKET2,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=SocketWorks,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=socketworkscorp,DC=localdomain"));
ba.put(new BasicAttribute("msExchHomeServerName", "/o=SocketWorks/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=XSOCKET2"));
ba.put(new BasicAttribute("distinguishedName", "CN=Festus"));

I am trying to create a mailbox-enabled user in AD. I am setting all the attributes that are mentioned above.
Still I am unable to create a user. I guess I am messing up with the password and getting the error "javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-031D0AAB, problem 5003 (WILL_NOT_PERFORM), data 0]"
Is it that SSL is a must to create a user? I saw a certificate on the Exchange server. But I am using a simple protocol to create a user.
Please help me with the steps needed to create a user if I have to use SSL, or whether there are any settings to be turned on on the server.
Thanks!!
-
My iCloud email address and my apple ID are different. I would like to change my iCloud to be the same as my apple ID. However I don't know my iCloud password and don't use the email address it belongs to. When I try to change the password, apple brings me to a page to reset my apple ID password (which I know and don't want to change). I have even tried to delete my iCloud account completely to start again but am not allowed without the iCloud password (which I don't have) there doesn't seem to be a place to change the email address of iCloud. What can I do?
This is the answer that I had expected, so in this case you could only change your gmail.com address to another provider's email address, e.g. outlook.com, yahoo.com, etc., but you won't be able to change the gmail.com address to an icloud.com email address. Apple just won't let you do that.
Your iCloud account with the @icloud.com email address and your Apple ID with the gmail.com address are already connected and, as I said before, Apple just let you merge these two IDs together. -
I just set an administrator's name (my full name) and password for parental controls (using the one I always use), and now after restarting and trying to make changes to parental controls it does not recognize my password.
Hello, do you have another admin account to log into for a test?
-
I changed my Apple ID and password. When I use the Apple ID it still show up at old Apple ID. I can't login or purchase anything??? What can I do??
Hi,
I had this problem too. Log out on everything you can be logged on with your apple id. After that log in with your new email and password. Hope it helps! -
Portal Password Reset - Active Directory - Urgent
Friends
We are using SAP Portal 6.0 SP 18. The Portal UME data source has been configured with Microsoft ADS.
Now we have a requirement to change the user password in the Active Directory from the Portal.
How can we achieve this...? I am OK even to do some development for this.
Please let me know the mechanism.
You can use the UME API to change your own password on a Microsoft Active Directory server, but before that please see SAP note 876938. Also please see SAP note 613577; this note has an attachment, and it is very helpful. A useful blog for how to use the UME APIs: User management API in WebDynpro (https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/1789).
Regards,
Nitin -
Problem in provisioning user from oim to active directory using ssl
hi,
problem in provisioning user from oim to active directory using ssl i am getting following error while provisioning user to AD.
15:18:12,984 ERROR [ADCS] Communication Error simple bind failed: 172.16.30.35:636
15:18:12,984 ERROR [ADCS] The error occured in tcADUtilLDAPController::connectToAvailableAD():simple bind failed: 172.16.30.35:636
15:18:13,015 ERROR [SERVER] Class/Method: tcProperties/tcProperties encounter some problems: Must set a query before executing
com.thortech.xl.dataaccess.tcDataSetException: Must set a query before executing
    at com.thortech.xl.dataaccess.tcDataSet.checkExecute(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataaccess.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.tcDataSet.executeQuery(Unknown Source)
    at com.thortech.xl.dataobj.util.tcProperties.<init>(Unknown Source)
    at com.thortech.xl.dataobj.util.tcProperties.initialize(Unknown Source)
    at Thor.API.tcUtilityFactory.getLocalUtility(Unknown Source)
    at Thor.API.tcUtilityFactory.getUtility(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.connectToAvailableNextAD(Unknown Source)
    at com.thortech.xl.integration.ActiveDirectory.tcADUtilLDAPController.searchResultPageEnum(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupRecon.performReconciliation(Unknown Source)
    at com.thortech.xl.schedule.tasks.ADLookupReconTask.execute(Unknown Source)
    at com.thortech.xl.scheduler.tasks.SchedulerBaseTask.run(Unknown Source)
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper$TaskExecutionAction.run(Unknown Source)
    at Thor.API.Security.LoginHandler.jbossLoginSession.runAs(Unknown Source)
    at com.thortech.xl.scheduler.core.quartz.QuartzWrapper.execute(Unknown Source)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:203)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:520)
can any one help.
Thanks and Regards,
praveen
Are you able to connect to AD over SSL through some LDAP browser?
Check the validity of Certificate ?
Does your certificate appear in the list ? -
How to save hr data in Active directory using abap
Hi all
can any one please help me out how to save hr data in Active directory using LDAP connector
please help as this is very urgent requirement
thanks in advance
Thanks
Chanti
What form do you have the user's name in?

ANTIPODES\alberte
String searchFilter = "(&(objectClass=user)(samAccountName=alberte))";

[email protected]
String searchFilter = "(&(objectClass=user)(userPrincipalName=[email protected]))";

Albert Einstein
String searchFilter = "(&(objectClass=user)(givenName=Albert)(sn=Einstein))";

or using Ambiguous Name Resolution (anr)
String searchFilter = "(&(objectClass=user)(anr=Albert Einstein))";

or it's even clever enough to use
String searchFilter = "(&(objectClass=user)(anr=Einstein Albert))"; -
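The filters in the reply above are built by pasting the name straight into the string, which is fine for the literal examples but becomes an LDAP injection hole the moment the name comes from a form field or an HR feed: a value such as *)(userAccountControl=* turns a one-user lookup into an enumeration. As an added example (not the replier's code), the class below builds the same four filters with the assertion value escaped as RFC 4515 requires and picks the filter from the shape of the input; attribute names are the ones used in the reply, everything else is an assumption.

```java
import java.nio.charset.StandardCharsets;

/** Builds the AD user-lookup filters from the reply above, with RFC 4515 value escaping. */
public final class AdUserFilters {

    /** Escapes one assertion value so caller-supplied text can only ever match
     *  literally and can never add, close or widen filter terms. */
    static String escapeValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (byte raw : value.getBytes(StandardCharsets.UTF_8)) {
            int c = raw & 0xff;
            switch (c) {
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\\': sb.append("\\5c"); break;
                case 0:    sb.append("\\00"); break;
                default:
                    if (c < 0x20 || c > 0x7e) {          // controls and UTF-8 bytes: hex-escape
                        sb.append(String.format("\\%02x", c));
                    } else {
                        sb.append((char) c);
                    }
            }
        }
        return sb.toString();
    }

    static String bySamAccountName(String sam) {
        return "(&(objectClass=user)(sAMAccountName=" + escapeValue(sam) + "))";
    }

    static String byUserPrincipalName(String upn) {
        return "(&(objectClass=user)(userPrincipalName=" + escapeValue(upn) + "))";
    }

    static String byGivenNameAndSn(String givenName, String sn) {
        return "(&(objectClass=user)(givenName=" + escapeValue(givenName)
                + ")(sn=" + escapeValue(sn) + "))";
    }

    /** Ambiguous Name Resolution: AD matches the words against several name attributes. */
    static String byAnr(String text) {
        return "(&(objectClass=user)(anr=" + escapeValue(text) + "))";
    }

    /** Picks the filter from the shape of the name: DOMAIN\user, user@realm, or free text. */
    static String forInput(String input) {
        int backslash = input.indexOf('\\');
        if (backslash >= 0) {
            return bySamAccountName(input.substring(backslash + 1));
        }
        if (input.indexOf('@') > 0) {
            return byUserPrincipalName(input);
        }
        return byAnr(input);
    }

    public static void main(String[] args) {
        System.out.println(forInput("ANTIPODES\\alberte"));
        System.out.println(forInput("Albert Einstein"));
        // Hostile input stays a literal value instead of becoming a new filter term
        System.out.println(bySamAccountName("*)(userAccountControl=*"));
    }
}
```

The escaping rewrites the filter metacharacters as \2a, \28, \29 and \5c, so the hostile value in main is searched for as a literal account name and matches nothing. Note that forInput strips the DOMAIN\ prefix rather than trusting it; if the directory spans several domains, the prefix should instead select the search base or the global catalog, not be concatenated into the filter.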
How to add or modify an entry using the JNDI
Hi all,
Usually I have used the netscape library to write directory application, now I have to use the JNDI ...
Could I have some examples about the add modify and delete entry on the directory?
Thanks a lot!
M@x
Download the LDAP Service provider at http://java.sun.com/products/jndi/index.html#download_ldap
It has some example code too -
can you set up a new I Tunes account, but still use the same email address, as having problems with it keep telling me it has been disabled, no matter what I do to change the passwords, I haven't used the account since 2010?
Hi eddinchina,
You should have no need to use the Old Sync account.
As long as device or devices are Firefox 29 or later (They should all be Firefox 30 now) you should use the New Sync.
You may use the same email address with both accounts. -
HT5463 I changed password but can not use new password on phone. Why?
I changed password but can not use new password on phone. Why?
Start with the Settings app
Settings > iTunes and App Store > tap on your Apple ID and then tap on Sign Out
Then sign in with your correct Apple ID and password. -
our granddaughter has a ipod. She's getting a iphone and a mini idpad. what is the best way to set them up. Does she need a new apple id and password or would she use the same one she has for her ipod
Just use the same one on all devices.
-
How to save HR data in Active Directory using ABAP i.e thru LDAP Connector
Hi All,
Can any one please help me out how
to save HR data in Active directory
using LDAP Connector ?
Please help ASAP as it is very urgent .
Thanks
Jitendra
There are hundreds of such scripts online.
Here are a few tips and code samples; you will find more.
https://gallery.technet.microsoft.com/scriptcenter/Feeding-data-to-Active-0227d15c
http://blogs.technet.com/b/heyscriptingguy/archive/2012/10/31/use-powershell-to-modify-existing-user-accounts-in-active-directory.aspx
http://powershell.org/wp/forums/topic/ad-import-csv-update-attributes-script/
Please mark this as answer if it helps