Java, JNDI, AD, Expired Passwords

[bakarirum]

I have a delimma. I am trying to use Java and JNDI to allow a user to
update his (/her) password. I have searched all the groups and have
found all the standard examples. I have all the examples working with
the exception of one problem. If I try to call the java code below to
bind to a particular DN with the user's password and the password has
already expired, then an Exception is thrown that informs you that the
user's password has expired. I can catch this exception and handle as
needed. However, every time I try to validate under the credentials
with an account with the expired password, the exception is always
thrown and I cannot use that user's credentials to change his password.
I know you can use an administrator's account and binding and change
the password. However, this would require that a username/password be
store somewhere that a programmer could see. This is a security risk
that has to be avoided. How can you get around this problem? I have
posted the code below for completeness sake, however you have see the
code many times in the past.

Thank you,

Marc

Hashtable env = new Hashtable();
String principal = "CN=lookupname,CN=Users,DC=mydomain,DC=net";
String oldPassword = "lookuppass";

env.put(Context.INITIAL_CONTEXT_FACTORY,"com.sun.jndi.ldap.LdapCtxFactory");
//set security credentials, note using simple cleartext
authentication
env.put(Context.SECURITY_AUTHENTICATION,"simple");
env.put(Context.SECURITY_PRINCIPAL,principal);
env.put(Context.SECURITY_CREDENTIALS,oldPassword);
//specify use of ssl
env.put(Context.SECURITY_PROTOCOL,"ssl");
String ldapURL =
"ldaps://mymachine.mydomain.net:636/DC=mydomain,DC=net?sAMAccountName?sub?(objectClass=user)";
env.put(Context.PROVIDER_URL,ldapURL);
env.put(Context.REFERRAL,"follow");

//When calling the constructor for the InitialLdapContext, the
exception is thrown.
//I can catch the exception, but I cannot do anything with the ctx
reference.
//Exception stack trace listed below.
LdapContext ctx = new InitialLdapContext(env,null);

ModificationItem[] mods = new ModificationItem[2];
byte[] oldpass = ("\"" + oldPassword + "\"").getBytes("UTF-16LE");
byte[] newpass = ("\"" + "123pass" + "\"").getBytes("UTF-16LE");
mods[0] = new ModificationItem(DirContext.DELETE_ATTRIBUTE,
new BasicAttribute("unicodePwd",oldpass));
mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE,
new BasicAttribute("unicodePwd",newpass));
ctx.modifyAttributes (dn,mods);
ctx.close();

javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308:
LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 773,
v893
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2988)
at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2934)
at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2735)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2649)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
at
com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
at
com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
at
com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
at
javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
at
javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
at javax.naming.InitialContext.init(InitialContext.java:219)
at javax.naming.InitialContext.<init>(InitialContext.java:195)
at
javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)

 

[Chris Uppal]

I know you can use an administrator's account and binding and change
the password. However, this would require that a username/password be
store somewhere that a programmer could see. This is a security risk
that has to be avoided. How can you get around this problem?

The typical solution to this kind of problem is for the administrator to set a
new password for the user which the user /must/ change when they next validate
themselves. I don't know enough about JNDI to say whether that functionality
is provided for you.

-- chris

 

[Nigel Wade]

I have a delimma. I am trying to use Java and JNDI to allow a user to
update his (/her) password. I have searched all the groups and have
found all the standard examples. I have all the examples working with
the exception of one problem. If I try to call the java code below to
bind to a particular DN with the user's password and the password has
already expired, then an Exception is thrown that informs you that the
user's password has expired. I can catch this exception and handle as
needed. However, every time I try to validate under the credentials
with an account with the expired password, the exception is always
thrown and I cannot use that user's credentials to change his password.

Obviously. If a user could bind with an expired password that would entirely
defeat the purpose of an expired password.

I know you can use an administrator's account and binding and change
the password. However, this would require that a username/password be
store somewhere that a programmer could see. This is a security risk
that has to be avoided. How can you get around this problem? I have
posted the code below for completeness sake, however you have see the
code many times in the past.

If you are not bother about password expiry, then don't use it. If you do want
to have passwords expire then an administrator account is required to override
it.