Creating a user account in AD with JNDI and a minimum password age
So I want to create a user account in Windows 2003 with Active Directory utilizing JNDI. I am following the following example: http://forums.sun.com/thread.jspa?threadID=582103 (first post). The following code is throwing an LDAP error I believe due to a chicken and egg problem of creating a user and then setting a password that is constrained by a minimum password age of 1 day.
// Requires javax.naming.directory.{DirContext, ModificationItem, BasicAttribute}
// Replace the "unicodePwd" attribute with a new value.
// Password must be both Unicode (UTF-16LE) and a quoted string.
// userAccountControl flag values from the AD documentation.
final int UF_NORMAL_ACCOUNT = 0x0200;
final int UF_PASSWORD_EXPIRED = 0x800000;
String newQuotedPassword = "\"Password2000\"";
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
ModificationItem[] mods = new ModificationItem[2];
mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWORD_EXPIRED)));
// Perform the update
ctx.modifyAttributes(userName, mods);
System.out.println("Set password & updated userAccountControl");
I am getting an LDAP Error Code: 53 problem 5003 (unable to perform) when it tries to set the password which I believe is the minimum password age. What is really odd is that if I go into Active Directory Users and Computers as the domain admin I can't set the password either. The only way I can get it to change is if I select the 'reset password' option and then enable the 'user must change account at next logon.' After I set this, then I can set the password both programmatically and through the GUI.
I also tried setting the change password at next logon after the create but before I did the password change in my code but this didn't work either. It did change the box but I still was unable to change the password and got the 5003 error.
Has anyone had any experience using JNDI to create users with a minimum password age on Windows 2003? Any help would be much appreciated.
You need to use an SSL connection to modify the value of the unicodePwd attribute.
See this link:
https://msdn.microsoft.com/en-us/library/cc223248.aspx
Windows 2000 operating system servers require that the client have a 128-bit (or better) SSL/TLS-encrypted connection to the DC in order to modify this attribute. On Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 operating system, the DC also permits modification of the unicodePwd attribute on a connection protected by 128-bit (or better) Simple Authentication and Security Layer (SASL)-layer encryption instead of SSL/TLS.
I used Java a few months ago to admin an AD server.
It works well, but there is an important thing to know: password is a "protected" attribute in AD:
So, in your Java code, you have to access the AD with a "https://..." address, and to specify the SSH protocol in your JNDI connection attributes. The procedure is explained here: http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
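Putting both answers together: the following is an added example, not code from the question or from either answer, that opens the JNDI context over ldaps:// with the "ssl" security protocol (which is what the DC requires before it will accept a unicodePwd write), creates the account disabled, and only then sets the password and enables it. The DC host, bind DN, OU, user and the AD_BIND_PW environment variable are assumed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class AdUserCreate {
    // userAccountControl bit values as documented by Microsoft.
    static final int UF_ACCOUNTDISABLE = 0x0002;
    static final int UF_NORMAL_ACCOUNT = 0x0200;

    // Hypothetical DC, service account and OU; substitute your own values.
    static final String LDAPS_URL = "ldaps://dc1.example.local:636";
    static final String BIND_DN = "CN=svc-provision,OU=Service,DC=example,DC=local";
    static final String USER_DN = "CN=Jane Doe,OU=Staff,DC=example,DC=local";

    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);           // port 636, not plain LDAP on 389
        env.put(Context.SECURITY_PROTOCOL, "ssl");           // JNDI negotiates TLS on the socket
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("AD_BIND_PW")); // secret stays out of the code
        LdapContext ctx = new InitialLdapContext(env, null);

        // 1. Create the object disabled and without a password; no password policy applies to this write.
        Attributes attrs = new BasicAttributes(true);
        Attribute oc = new BasicAttribute("objectClass");
        oc.add("top"); oc.add("person"); oc.add("organizationalPerson"); oc.add("user");
        attrs.put(oc);
        attrs.put("sAMAccountName", "jdoe");
        attrs.put("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT + UF_ACCOUNTDISABLE));
        ctx.createSubcontext(USER_DN, attrs);

        // 2. unicodePwd = UTF-16LE bytes of the password wrapped in double quotes, sent over the TLS session.
        byte[] pwd = "\"Initial-Pass-2000\"".getBytes(StandardCharsets.UTF_16LE);
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", pwd)),
            // 3. Enable the account ...
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT))),
            // ... and force a change at next logon (pwdLastSet = 0) so the provisioning password is single-use.
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("pwdLastSet", "0"))
        };
        ctx.modifyAttributes(USER_DN, mods);
        ctx.close();
    }
}
```

If the DC's certificate is not issued by a CA in the JVM's trust store, the TLS handshake fails before any LDAP operation; import the issuing CA into the truststore rather than disabling certificate validation.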