Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Java, JNDI, AD, Expired Passwords

30 views
Skip to first unread message

baka...@gmail.com

unread,
Feb 16, 2006, 8:42:30 AM2/16/06
to
I have a delimma. I am trying to use Java and JNDI to allow a user to
update his (/her) password. I have searched all the groups and have
found all the standard examples. I have all the examples working with
the exception of one problem. If I try to call the java code below to
bind to a particular DN with the user's password and the password has
already expired, then an Exception is thrown that informs you that the
user's password has expired. I can catch this exception and handle as
needed. However, every time I try to validate under the credentials
with an account with the expired password, the exception is always
thrown and I cannot use that user's credentials to change his password.
I know you can use an administrator's account and binding and change
the password. However, this would require that a username/password be
store somewhere that a programmer could see. This is a security risk
that has to be avoided. How can you get around this problem? I have
posted the code below for completeness sake, however you have see the
code many times in the past.

Thank you,

Marc

Hashtable env = new Hashtable();
String principal = "CN=lookupname,CN=Users,DC=mydomain,DC=net";
String oldPassword = "lookuppass";

env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
//set security credentials, note using simple cleartext
authentication
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,principal);
env.put(Context.SECURITY_CREDENTIALS,oldPassword);
//specify use of ssl
env.put(Context.SECURITY_PROTOCOL,"ssl");
String ldapURL =
"ldaps://mymachine.mydomain.net:636/DC=mydomain,DC=net?sAMAccountName?sub?(objectClass=user)";
env.put(Context.PROVIDER_URL,ldapURL);
env.put(Context.REFERRAL,"follow");

//When calling the constructor for the InitialLdapContext, the
exception is thrown.
//I can catch the exception, but I cannot do anything with the ctx
reference.
//Exception stack trace listed below.
LdapContext ctx = new InitialLdapContext(env,null);

ModificationItem[] mods = new ModificationItem[2];
byte[] oldpass = ("\"" + oldPassword + "\"").getBytes("UTF-16LE");
byte[] newpass = ("\"" + "123pass" + "\"").getBytes("UTF-16LE");
mods[0] = new ModificationItem(DirContext.DELETE_ATTRIBUTE,
new BasicAttribute("unicodePwd",oldpass));
mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
new BasicAttribute("unicodePwd",newpass));
ctx.modifyAttributes (dn,mods);
ctx.close();

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773,
v893
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2988)
at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2735)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2649)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
at
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.init(InitialContext.java:219)
at javax.naming.InitialContext.<init>(InitialContext.java:195)
at
javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)

Chris Uppal

unread,
Feb 17, 2006, 8:20:07 AM2/17/06
to
baka...@gmail.com wrote:

> I know you can use an administrator's account and binding and change
> the password. However, this would require that a username/password be
> store somewhere that a programmer could see. This is a security risk
> that has to be avoided. How can you get around this problem?

The typical solution to this kind of problem is for the administrator to set a
new password for the user which the user /must/ change when they next validate
themselves. I don't know enough about JNDI to say whether that functionality
is provided for you.

-- chris


Nigel Wade

unread,
Feb 17, 2006, 9:30:50 AM2/17/06
to
baka...@gmail.com wrote:

> I have a delimma. I am trying to use Java and JNDI to allow a user to
> update his (/her) password. I have searched all the groups and have
> found all the standard examples. I have all the examples working with
> the exception of one problem. If I try to call the java code below to
> bind to a particular DN with the user's password and the password has
> already expired, then an Exception is thrown that informs you that the
> user's password has expired. I can catch this exception and handle as
> needed. However, every time I try to validate under the credentials
> with an account with the expired password, the exception is always
> thrown and I cannot use that user's credentials to change his password.

Obviously. If a user could bind with an expired password that would entirely
defeat the purpose of an expired password.

> I know you can use an administrator's account and binding and change
> the password. However, this would require that a username/password be
> store somewhere that a programmer could see. This is a security risk
> that has to be avoided. How can you get around this problem? I have
> posted the code below for completeness sake, however you have see the
> code many times in the past.
>


If you are not bother about password expiry, then don't use it. If you do want
to have passwords expire then an administrator account is required to override
it.


--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : n...@ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555

0 new messages