在 springboot 应用程序中使用 UnboundID 时,密码策略在 Windows server 2016 AD 中无法完全工作
Password policy is not working completely in Windows server 2016 AD while using UnboundID in springboot app
我在 Windows server 2016 中遇到一个 AD 问题,其密码策略如下:
现在在带有 UnboundID 的 Springboot 应用程序中,我发现的第一个问题是在我更改密码时忽略了最短密码使用期限规则,AD 没有错误,应用程序正确更改了密码,像这样:
public String changePassword(UserAndPasswordDTO credentials) {
// Create connection with active directory
final LDAPConnection connection = this.createADConnection(myHost, Integer.parseInt(port), dn, password);
if (connection != null) {
try {
// Properly encode the password. It must be enclosed in quotation marks,
// and it must use a UTF-16LE encoding.
logger.debug("Going to encode the password.");
byte[] quotedPasswordBytes = null;
try {
final String quotedPassword = '"' + credentials.getPassword() + '"';
quotedPasswordBytes = quotedPassword.getBytes("UTF-16LE");
} catch (final UnsupportedEncodingException uee) {
logger.error("Unable to encode the quoted password in UTF-16LE: "
+ StaticUtils.getExceptionMessage(uee));
}
// Search in active directory
SearchResult searchResult = connection.search("dc=" + domain + ",dc=com", SearchScope.SUB,
"sAMAccountName=" + credentials.getUsername());
List<SearchResultEntry> searchEntries = searchResult.getSearchEntries();
if (searchEntries.size() != 1) {
// The search didn't match exactly one entry.
logger.debug("Coming out of the change password service");
return "The search didn't match exactly one entry.";
} else {
// Get the dn value of the search
String userDN = searchEntries.get(0).getAttribute("distinguishedName").getValue();
// Attempt to modify the user password.
final Modification mod = new Modification(ModificationType.REPLACE, "unicodePwd",
quotedPasswordBytes);
connection.modify(userDN, mod);
logger.debug("Coming out of the change password service");
return "Password changed succesfully";
}
} catch (LDAPException e) {
logger.error("Error when try to search the user to modify his password");
logger.debug("Coming out of the change password service");
return "Error when try to search the user to modify his password";
} finally {
connection.close();
}
} else {
// Connection to AD is null
logger.debug("Connection to active directory is null");
logger.debug("Coming out of the change password service");
return "Active Directory connection error";
}
}
在这种情况下,也应该执行强制密码历史记录,但它允许重复密码,即将密码更改为 abc+000 连续 10 次以上,这意味着此密码历史记录不会生成错误或其他内容.所以,我的问题来了……为什么会这样?我该如何解决?任何帮助将不胜感激。谢谢!
PD:我测试了复杂性要求和长度规则,它们运行良好,为 AD 中的操作返回错误。
PD2: AD 在 LDAPS 协议下。
你把这个贴在别处,但我认为在这里交流会更容易。我做了快速研究,发现了这个......
它不支持与密码策略相关的任何功能(例如,密码过期、帐户锁定、拒绝弱密码等)。此外,它不会隐藏以任何方式存储的密码,也不支持使用已经以某种形式编码的密码。 https://docs.ldap.com/ldap-sdk/docs/in-memory-directory-server.html
我在 Windows server 2016 中遇到一个 AD 问题,其密码策略如下:
现在在带有 UnboundID 的 Springboot 应用程序中,我发现的第一个问题是在我更改密码时忽略了最短密码使用期限规则,AD 没有错误,应用程序正确更改了密码,像这样:
public String changePassword(UserAndPasswordDTO credentials) {
// Create connection with active directory
final LDAPConnection connection = this.createADConnection(myHost, Integer.parseInt(port), dn, password);
if (connection != null) {
try {
// Properly encode the password. It must be enclosed in quotation marks,
// and it must use a UTF-16LE encoding.
logger.debug("Going to encode the password.");
byte[] quotedPasswordBytes = null;
try {
final String quotedPassword = '"' + credentials.getPassword() + '"';
quotedPasswordBytes = quotedPassword.getBytes("UTF-16LE");
} catch (final UnsupportedEncodingException uee) {
logger.error("Unable to encode the quoted password in UTF-16LE: "
+ StaticUtils.getExceptionMessage(uee));
}
// Search in active directory
SearchResult searchResult = connection.search("dc=" + domain + ",dc=com", SearchScope.SUB,
"sAMAccountName=" + credentials.getUsername());
List<SearchResultEntry> searchEntries = searchResult.getSearchEntries();
if (searchEntries.size() != 1) {
// The search didn't match exactly one entry.
logger.debug("Coming out of the change password service");
return "The search didn't match exactly one entry.";
} else {
// Get the dn value of the search
String userDN = searchEntries.get(0).getAttribute("distinguishedName").getValue();
// Attempt to modify the user password.
final Modification mod = new Modification(ModificationType.REPLACE, "unicodePwd",
quotedPasswordBytes);
connection.modify(userDN, mod);
logger.debug("Coming out of the change password service");
return "Password changed succesfully";
}
} catch (LDAPException e) {
logger.error("Error when try to search the user to modify his password");
logger.debug("Coming out of the change password service");
return "Error when try to search the user to modify his password";
} finally {
connection.close();
}
} else {
// Connection to AD is null
logger.debug("Connection to active directory is null");
logger.debug("Coming out of the change password service");
return "Active Directory connection error";
}
}
在这种情况下,也应该执行强制密码历史记录,但它允许重复密码,即将密码更改为 abc+000 连续 10 次以上,这意味着此密码历史记录不会生成错误或其他内容.所以,我的问题来了……为什么会这样?我该如何解决?任何帮助将不胜感激。谢谢!
PD:我测试了复杂性要求和长度规则,它们运行良好,为 AD 中的操作返回错误。 PD2: AD 在 LDAPS 协议下。
你把这个贴在别处,但我认为在这里交流会更容易。我做了快速研究,发现了这个...... 它不支持与密码策略相关的任何功能(例如,密码过期、帐户锁定、拒绝弱密码等)。此外,它不会隐藏以任何方式存储的密码,也不支持使用已经以某种形式编码的密码。 https://docs.ldap.com/ldap-sdk/docs/in-memory-directory-server.html