I am new to Spring LDAP and Active Directory, and I am facing a problem when updating the password of a newly created user in AD.
Using Spring LDAP, I first create the user in AD successfully, and then, when I try to update the user's password and userAccountControl, I get the exception below. We have been trying for the past 1 week and cannot resolve it. Any help/direction is highly appreciated.
I have gone through many blogs and tried what is described in the two posts below, but I am still blocked and get the same exception:
How do I resolve "WILL_NOT_PERFORM" MS AD reply when trying to change password in scala w/ the unboundid LDAP SDK?
Adding a user with a password in Active Directory LDAP
Stack trace:
16:43:56,991 INFO [stdout] (http-localhost-127.0.0.1-8080-1) INFO [http-localhost-127.0.0.1-8080-1] (HelperDao.java:26) - HelperDao.getNextUserId(): entry
16:43:57,007 INFO [stdout] (http-localhost-127.0.0.1-8080-1) Hibernate: SELECT LTRIM(TO_CHAR( IP_USER_XDUSERID_SEQ.nextval, '000000000000000000000000000')) ID from dual
16:43:57,164 INFO [stdout] (http-localhost-127.0.0.1-8080-1) INFO [http-localhost-127.0.0.1-8080-1] (HelperDao.java:30) - HelperDao.getNextUserId(): exit
16:47:17,051 INFO [stdout] (http-localhost-127.0.0.1-8080-1) 16:47:17.051 [http-localhost-127.0.0.1-8080-1] ERROR com.st.liotroevo.web.dao.UserADRepository - catching
16:47:17,051 INFO [stdout] (http-localhost-127.0.0.1-8080-1) javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000200D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
16:47:17,067 INFO [stdout] (http-localhost-127.0.0.1-8080-1)
16:47:17,067 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3160) ~[?:1.7.0_45]
16:47:17,067 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033) ~[?:1.7.0_45]
16:47:17,067 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2840) ~[?:1.7.0_45]
16:47:17,067 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1478) ~[?:1.7.0_45]
16:47:17,067 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:273) ~[?:?]
16:47:17,067 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:190) ~[?:?]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:179) ~[?:?]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:167) ~[?:1.7.0_45]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.7.0_45]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[?:1.7.0_45]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.7.0_45]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_45]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at org.springframework.transaction.compensating.support.CompensatingTransactionUtils.performOperation(CompensatingTransactionUtils.java:69) ~[spring-ldap-core-2.0.2.RELEASE.jar:2.0.2.RELEASE]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at org.springframework.ldap.transaction.compensating.manager.TransactionAwareDirContextInvocationHandler.invoke(TransactionAwareDirContextInvocationHandler.java:85) ~[spring-ldap-core-2.0.2.RELEASE.jar:2.0.2.RELEASE]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at com.sun.proxy.$Proxy69.modifyAttributes(Unknown Source) ~[?:?]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at com.st.liotroevo.web.dao.UserADRepository.update(UserADRepository.java:104) [classes:?]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at com.st.liotroevo.web.service.UserService.updateUser(UserService.java:92) [classes:?]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at com.st.liotroevo.web.service.serviceImpl.IPRegistrationServiceImpl.createUser(IPRegistrationServiceImpl.java:72) [classes:?]
16:47:17,099 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.7.0_45]
16:47:17,115 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[?:1.7.0_45]
16:47:17,115 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.7.0_45]
16:47:17,115 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at java.lang.reflect.Method.invoke(Method.java:606) ~[?:1.7.0_45]
16:47:17,115 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at org.jboss.ws.common.invocation.AbstractInvocationHandlerJSE.invoke(AbstractInvocationHandlerJSE.java:111) [jbossws-common-2.0.2.GA.jar!/:2.0.2.GA]
16:47:17,115 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal(JBossWSInvoker.java:181) [jbossws-cxf-server-4.0.2.GA.jar!/:4.0.2.GA]
16:47:17,115 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at org.jboss.wsf.stack.cxf.JBossWSInvoker.invoke(JBossWSInvoker.java:127) [jbossws-cxf-server-4.0.2.GA.jar!/:4.0.2.GA]
16:47:17,115 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58) [cxf-rt-core-2.4.6.jar!/:2.4.6]
16:47:17,115 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471) [?:1.7.0_45]
16:47:17,115 INFO [stdout] (http-localhost-127.0.0.1-8080-1) at java.util.concurrent.FutureTask.run(FutureTask.java:262) [?:1.7.0_45]
Below are the code snippets:
ldap.url=ldaps://url:636
ldap.userDn=CN=IP User,OU=AdminAccounts,DC=stp-qa,DC=st,DC=com
ldap.password=dummyPass
ldap.base=OU=ST,OU=People,DC=stp-qa,DC=st,DC=com
ldap.clean=false
import javax.naming.Name;
import org.springframework.ldap.odm.annotations.Attribute;
import org.springframework.ldap.odm.annotations.DnAttribute;
import org.springframework.ldap.odm.annotations.Entry;
import org.springframework.ldap.odm.annotations.Id;
@Entry(objectClasses = { "top", "person", "organizationalPerson", "user", "st-individualpassportuser" })
public final class User {
@Id
private Name dn;
@Attribute(name = "mail")
private String email;
@Attribute(name = "cn")
@DnAttribute(value="cn",index=0)
private String fullName;
@Attribute(name = "givenName")
private String firstName;
@Attribute(name = "sn")
private String lastName;
@Attribute(name = "st-AccValidationStatus")
private String accountStatus;
@Attribute(name = "st-entryStatus")
private String validationStatus;
@Attribute(name = "whenCreated")
private String creationDate;
@Attribute(name = "st-ValidatedOn")
private String validationDate;
@Attribute(name = "st-ValidatedBy")
private String validatedBy;
@Attribute(name = "st-currentLogon")
private String lastLogon;
@Attribute(name = "st-loginRedirectURL")
private String loginRedirectUrl;
@Attribute(name = "st-jvCompany")
private String jvCode;
@Attribute(name = "sAMAccountName")
private String samAccount;
@Attribute(name = "st-userSpecifedCompany")
private String employerName;
@Attribute(name = "postalCode")
private String zipCode;
@Attribute(name="st-xduserid")
private String xdUserId;
@Attribute(name="st-Logincount")
private String loginCount;
@Attribute(name="unicodePwd")
private byte[] unicodePassword;
@Attribute(name="userAccountControl")
private String userAccountControl;
@Attribute(name="st-AccLastValidated")
private String userAccLastValidated;
@Attribute(name="st-secretQuestion")
private String userSecretQuestion;
@Attribute(name="st-secretAnswer")
private String userAnswerToSecretQuestion;
}
Java method used to compute the password:
/**
* Add the unicode password to the user object.
* By design, AD does not allow the password/userAccountControl to be set while the user is being created, so the user must be updated after creation in AD with the password and userAccountControl.
* @param password the clear-text password; AD expects it quoted and UTF-16LE encoded
*/
private void addPasswordToUserProfile(String password) {
String newQuotedPassword = "\"" + password + "\"";
try {
byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
int UF_NORMAL_ACCOUNT = 0x0200;
int UF_PASSWORD_EXPIRED = 0x800000;
adUserBean.setUserAccountControl(Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWORD_EXPIRED));
adUserBean.setUnicodePassword(newUnicodePassword);
} catch (UnsupportedEncodingException e) {
logger.catching(e);
}
}
Repository.java
import javax.naming.Name;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.ldap.NameNotFoundException;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.query.LdapQueryBuilder;
import org.springframework.stereotype.Repository;
@Repository
public class UserADRepository {
@Autowired
private LdapTemplate ldapTemplate;
public User create(User user) {
ldapTemplate.create(user);
return user;
}
public User findByFullName(String fullName) {
return ldapTemplate.findOne(
LdapQueryBuilder.query().where("cn").is(fullName), User.class);
}
/**
* Find user in LDAP based on User SamAccountName
* @param samAccount
* @return
*/
public User findBySamAccountName(String samAccount) {
User usr = null;
try {
usr = ldapTemplate.findOne(
LdapQueryBuilder.query().where("sAMAccountName")
.is(samAccount), User.class);
} catch (EmptyResultDataAccessException emptyException) {
return usr;
}
return usr;
}
/**
* Find user in LDAP based on User DN (distinguisedName)
* @param dn
* @return
*/
public User findByDn(Name dn) {
User usr = null;
try {
usr = ldapTemplate.findByDn(dn, User.class);
} catch (NameNotFoundException e) {
return usr;
}
return usr;
}
/**
* Update user in AD
* @param User
*/
public void update(User user) {
ldapTemplate.update(user);
}
public void delete(User user) {
ldapTemplate.delete(user);
}
}
Thanks in advance for any help or guidance to resolve this issue.
3 Answers
yebdmbv41#
Use a separate method to update the AD password; it seems that LdapTemplate.update() does not define the correct ModificationItem for the password.
8e2ybdfx2#
In addition to aalmero's answer, it seems the Spring LDAP repository cannot save unicodePwd.
But you can use LdapTemplate:
n8ghc7c13#
It also requires the use of SSL.
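One way to do what the second and third answers describe, building the ModificationItems explicitly instead of relying on ldapTemplate.update(user) and refusing to run over anything but LDAPS. This is an added example, not code from the question or from any of the answers. It assumes the user entry already exists in AD, that the LdapTemplate is bound with an account permitted to reset passwords, and that the caller passes in the ldap.url value from the question's properties; the class name AdPasswordUpdater and its method names are my own.

```java
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import javax.naming.Name;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import org.springframework.ldap.core.LdapTemplate;

/**
 * Sets the initial password and account flags of an AD user entry that was
 * created beforehand. Example code (not from the question or the answers).
 */
public final class AdPasswordUpdater {

    // userAccountControl bits, same values as in the question's code.
    private static final int UF_NORMAL_ACCOUNT = 0x0200;
    private static final int UF_PASSWORD_EXPIRED = 0x800000;

    private final LdapTemplate ldapTemplate;

    // ldapUrl is the value of the ldap.url property, e.g. "ldaps://url:636".
    public AdPasswordUpdater(LdapTemplate ldapTemplate, String ldapUrl) {
        requireLdaps(ldapUrl);
        this.ldapTemplate = ldapTemplate;
    }

    /**
     * AD accepts unicodePwd only over an encrypted connection. This check only
     * recognises the ldaps:// form used in the question's properties; it does
     * not detect StartTLS, so adapt it if that is how the connection is secured.
     */
    static void requireLdaps(String ldapUrl) {
        if (ldapUrl == null || !ldapUrl.toLowerCase(Locale.ROOT).startsWith("ldaps://")) {
            throw new IllegalStateException(
                "unicodePwd must be written over LDAPS; ldap.url is " + ldapUrl);
        }
    }

    /**
     * AD expects the new password as the UTF-16LE encoding of the clear-text
     * value wrapped in double quotes; the quotes are part of the encoded value.
     */
    static byte[] encodeAdPassword(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /**
     * Writes unicodePwd with an explicit REPLACE, which is the administrative
     * reset form AD expects; the ODM-based ldapTemplate.update(user) in the
     * question does not produce this modification for unicodePwd. The
     * userAccountControl flags go in a second modify so that a server-side
     * rejection of the password leaves the flags untouched.
     */
    public void setInitialPassword(Name userDn, String password) {
        ModificationItem[] passwordMod = new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeAdPassword(password)))
        };
        ldapTemplate.modifyAttributes(userDn, passwordMod);

        ModificationItem[] flagsMod = new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userAccountControl",
                    Integer.toString(UF_NORMAL_ACCOUNT | UF_PASSWORD_EXPIRED)))
        };
        ldapTemplate.modifyAttributes(userDn, flagsMod);
    }
}
```

Call it from the service layer right after UserADRepository.create(user) returns, passing the DN the entity was created with. Two things still have to hold on the AD side: the value must satisfy the domain's password policy, and the certificate presented by the port-636 listener must be trusted by the JVM's truststore, otherwise the LDAPS connection fails before any modify is sent.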