  • Spring LDAP and password history


    I've hooked up Spring LDAP to allow users to update their own passwords within Active Directory. This works fine, except that password policy is not enforced. The password complexity check works fine, but for things like password history, passwords that should be rejected aren't and update without error.

    I've read through the forum and see a couple of references to policy enforcement with acegisecurity, but I'm not clear on the implementation or if it is necessary. I'm not interested in using this for auth or determining days until password expiration.

    Is acegisecurity the correct package to implement for this? If so, an example would be awesome. Any help would be welcome, thanks.

  • #2
    Solution for changing password in Active Directory

    After backing up a bit I was able to find the solution, did not have anything to do with Spring Security. LDAP treats a unicodePwd modification with a REPLACE_ATTRIBUTE as an administrative reset - set password - which ignores group policy (although it still enforced password complexity).

    LDAP treats a unicodePwd modification with a REMOVE_ATTRIBUTE and ADD_ATTRIBUTE as a user change - change password - and enforces policy, password history, etc.

    One more gotcha - if using admin creds for the LdapContextSource, these will not work changing a user password. You must get a separate context with the user auth, otherwise you get an AttributeInUseException, NO_ATTRIBUTE_OR_VAL.

    setPassword is straightforward:

    // set new password attribute (encodePassword wraps the password in double quotes
    // and encodes it as UTF-16LE, which is what AD requires for unicodePwd)
    Attribute passwordAttr = new BasicAttribute("unicodePwd", encodePassword(newPassword));
    // REPLACE is treated by AD as an administrative reset: history and minimum age are not enforced
    ModificationItem repPasswordAttr = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, passwordAttr);
    // enable account if locked out
    // (544 = 0x220 = NORMAL_ACCOUNT 0x200 | PASSWD_NOTREQD 0x20: this REPLACE overwrites every other
    // userAccountControl flag and also sets "password not required"; a lockout itself is cleared via lockoutTime)
    Attribute enableAttr = new BasicAttribute("userAccountControl", Integer.toString(544));
    ModificationItem repEnableAttr = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, enableAttr);
    ldapTemplate.modifyAttributes(person.getDn(), new ModificationItem[] { repPasswordAttr, repEnableAttr });

    changePassword just needs the new context:

    // get context for user from existing context, can't be admin, context has to have auth as changing user
    DirContext ctx = ldapTemplate.getContextSource().getContext(person.getDnWithPath(), oldPassword);
    // set old/new password attributes: REMOVE old + ADD new in one operation is treated as a user change and enforces policy
    ModificationItem[] mods = new ModificationItem[2];
    mods[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", encodePassword(oldPassword)));
    mods[1] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", encodePassword(newPassword)));
    // Perform the update
    ctx.modifyAttributes(person.getDn(), mods);

    Hope that helps someone
    Last edited by kcshyman; Aug 21st, 2009, 02:13 PM.


    • #3
      Hi kcshyman,

      I am trying to use the above changePassword code to update a password in Active Directory 2008. As suggested, I tried to use the user context to update the password. This is throwing the following exception: ion: [LDAP: error code 19 - 0000052D: AtrErr: DSID-03190F1B, #1:
      0: 0000052D: DSID-03190F1B, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)]; remaining name 'cn=johnDoe'
      The same exception is thrown even if I use the admin context to change the password. Any idea which constraints are getting violated?

      Also, setPassword is working fine for the admin context. But the user context is throwing the following exception:
      org.springframework.ldap.NoPermissionException: [LDAP: error code 50 - 00000005: SecErr: DSID-031A1169, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0


      • #4
        Finally, I was able to resolve this issue. I had set the minimum password age to 4 days, so AD wasn't allowing me to update the password. AD throws the generic error CONSTRAINT_ATT_TYPE for all such violations. After setting the minimum password age to 0 (None), everything works fine. The AD password history also gets updated.
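Putting #2's changePassword flow together with the error codes from #3 and #4, here is an added example (not kcshyman's code, and not part of the thread). It assumes a Spring LDAP ContextSource pointed at an ldaps:// URL with no base DN, so userDn is the full distinguished name for both the bind and the modify; the AdPasswordChanger class, its describe helper and the encodePassword implementation are all assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import org.springframework.ldap.core.ContextSource;

// Added example (not kcshyman's code). Assumes a ContextSource on ldaps:// with no base DN;
// AD refuses unicodePwd writes over an unencrypted connection.
public class AdPasswordChanger {
    private final ContextSource contextSource;

    public AdPasswordChanger(ContextSource contextSource) {
        this.contextSource = contextSource;
    }

    // AD expects unicodePwd as the password wrapped in double quotes, encoded as UTF-16LE.
    static byte[] encodePassword(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // User-initiated change: bind as the user (not the admin account), then REMOVE the old value
    // and ADD the new one in a single operation so AD applies history, minimum age and complexity.
    // A REPLACE of unicodePwd would be treated as an administrative reset and skip history.
    public void changePassword(String userDn, String oldPassword, String newPassword) {
        DirContext ctx = contextSource.getContext(userDn, oldPassword);
        try {
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REMOVE_ATTRIBUTE, new BasicAttribute("unicodePwd", encodePassword(oldPassword))),
                new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("unicodePwd", encodePassword(newPassword)))
            };
            ctx.modifyAttributes(userDn, mods);
        } catch (NamingException e) {
            throw new IllegalStateException(describe(e), e);
        } finally {
            try { ctx.close(); } catch (NamingException ignored) { }
        }
    }

    // LDAP result code 19 (CONSTRAINT_ATT_TYPE) is generic; the AD sub-code in the message says why.
    // 0000052D covers any password-policy violation (history, minimum age, complexity), as seen in #3/#4.
    static String describe(NamingException e) {
        String msg = String.valueOf(e.getMessage());
        if (msg.contains("0000052D")) {
            return "Password rejected by domain password policy (history, minimum age or complexity)";
        }
        if (msg.contains("INSUFF_ACCESS_RIGHTS")) {
            return "Bound identity is not allowed to change this password";
        }
        return "Password change failed: " + msg;
    }
}
```

The user-bound context is what makes AD treat the operation as a change rather than a reset, so do not reuse the LdapTemplate's admin-bound context here.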