ADS Password Change over JNDI
Posted By:   Thomas_Olbrich
Posted On:   Thursday, January 17, 2002 07:49 AM

I want to change the password of a user in Active Directory with JNDI.
With the username and password I create a Context. Now I want to change the password.

But I get this error message:


LDAP: error code 53 - 00002077: SvcErr: DSID-03190ACA, problem 5003 (WILL_NOT_PERFORM)

Here is my code:

// imports used: javax.naming.NamingException,
// javax.naming.directory.BasicAttribute, DirContext, ModificationItem
ModificationItem[] modificationItem = new ModificationItem[2];

// remove the old value and add the new one, each wrapped in quotes
modificationItem[0] =
    new ModificationItem(
        DirContext.REMOVE_ATTRIBUTE,
        new BasicAttribute("unicodePwd", new String("\"" + oldPassword + "\"")));

modificationItem[1] =
    new ModificationItem(
        DirContext.ADD_ATTRIBUTE,
        new BasicAttribute("unicodePwd", new String("\"" + newPassword + "\"")));

try {
    userContext.modifyAttributes("", modificationItem);
}
catch (NamingException e1) {}


Re: ADS Password Change over JNDI

Posted By:   Kullervo_Kala  
Posted On:   Monday, January 28, 2002 07:27 AM


Isn't MS wonderful. Anyway, this is solvable... you just have to do it the MS way.
Jay Boyd wrote the following a year or two ago:


Attribute unicodePwd can be written under restricted conditions, but cannot be read.


The syntax of this attribute is octet string; however, the DS expects that the octet string will contain a Unicode string, as the name of the attribute indicates. This means that any values for this attribute passed in LDAP must be Unicode strings BER-encoded as an octet string. In addition, the Unicode string must begin and end in quotes that are not part of the desired password.


This attribute can only be modified, not added on object creation, or read by a search. In order to modify this attribute the client must have a 128-bit SSL connection to the server.


Currently this means that the encryption pack must be installed on both the client and the server.


Note that if you don't have the SSL and certificate setup properly you will get a WILL_NOT_PERFORM error.


Once you get those set up, you will get an ATTRIBUTE_CONSTRAINT_ERROR if your password is not a quoted Unicode string.



So it's a little tricky, but I managed to get it to work once these prerequisites were there.


Code sample for the tricky part, i.e. how to encode the password before trying to modify the attribute value:



final String ATT_PWD = "unicodePwd";

byte[] encodePassword(String pass) throws Exception {
    // Weird MS stuff: the octet string must hold UTF-16 little-endian text
    final String ATT_ENCODING = "UTF-16LE";
    // Agree with MS's ATTRIBUTE_CONSTRAINT: the value is quoted, and the
    // quotes are not part of the password
    String pwd = "\"" + pass + "\"";
    // UTF-16LE writes no byte-order marker, so nothing has to be stripped
    byte[] bytes = pwd.getBytes(ATT_ENCODING);
    return bytes;
}
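The prerequisites from the two posts, put together as one complete class. This is an added example, not code from either poster. It assumes a domain controller reachable over LDAPS whose certificate the JVM already trusts, the JDK's built-in com.sun.jndi.ldap.LdapCtxFactory provider, Java 7 or later for StandardCharsets, and placeholder values for the server URL, the user DN and both passwords.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/**
 * Change or reset an Active Directory password over LDAPS with JNDI,
 * encoding unicodePwd the way the directory requires.
 */
public class AdPasswordChange {

    /** Encode a password as AD expects: quoted, UTF-16LE, no byte-order mark. */
    static byte[] encodeUnicodePwd(String password) {
        // The surrounding quotes are removed by the DS; they are not part of the password.
        String quoted = "\"" + password + "\"";
        // UTF-16LE emits no BOM, so the bytes can be sent as-is in the octet string.
        return quoted.getBytes(StandardCharsets.UTF_16LE);
    }

    /**
     * Self-service change, bound as the user: REMOVE the old value and ADD the new
     * one in a single modify. The DS verifies the old password and applies the
     * domain password policy before accepting the new one.
     */
    static void changeOwnPassword(DirContext ctx, String userDn,
                                  String oldPassword, String newPassword)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    /**
     * Administrative reset, bound as an account holding the reset-password right
     * on the user: REPLACE the value, no old password required.
     */
    static void resetPassword(DirContext ctx, String userDn, String newPassword)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder values (constructed); substitute your own directory and account.
        String ldapsUrl    = "ldaps://dc.example.com:636";
        String userDn      = "CN=Jane Doe,OU=Users,DC=example,DC=com";
        String oldPassword = args.length > 0 ? args[0] : "old-password";
        String newPassword = args.length > 1 ? args[1] : "new-password";

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        // ldaps:// gives the encrypted connection the DS insists on; over plain
        // ldap:// the same modify is refused with WILL_NOT_PERFORM (error code 53).
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, oldPassword);

        DirContext ctx = new InitialDirContext(env);
        try {
            changeOwnPassword(ctx, userDn, oldPassword, newPassword);
        } finally {
            ctx.close();
        }
    }
}
```

The REMOVE/ADD pair is what lets an ordinary user change their own password without any special right, because the DS checks the removed value against the current one; REPLACE skips that check and therefore needs the reset-password permission, so only service accounts that genuinely perform resets should hold it. A value that is not a quoted UTF-16LE string, or a new password that fails the domain policy, comes back as a constraint violation (LDAP error code 19) rather than WILL_NOT_PERFORM, which is a useful way to tell an encoding mistake apart from a missing TLS setup.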

