C# LDAP 用户更改密码失败。 SSL连接是必须的吗?

C# LDAP user change password failed. Is SSL connection must?

我正在编写 ASP.NET Core 5 Web API(平台独立)来更改 LDAP 用户密码。我正在使用库 Novell.Directory.Ldap.

这是我的代码:

var ldapHost = "192/168.*.*";
var loginDN = "CN=something,DC=something";   //loginDn of the user itself or admin 
var opassword = "Abcd@11111111";  //oldpassword
var npassword = "Xyzw@22222222";  //newpassword
npassword =  '"' + npassword + '"';

LdapConnection conn = new LdapConnection();

Console.WriteLine("Connecting to:" + ldapHost);

conn.Connect(ldapHost, LdapConnection.DefaultPort);
conn.Bind(loginDN, opassword);

LdapModification[] modifications = new LdapModification[2];
LdapAttribute deletePassword = new LdapAttribute("userPassword", opassword);
modifications[0] = new LdapModification(LdapModification.Delete, deletePassword);

LdapAttribute addPassword = new LdapAttribute("userPassword", npassword);
modifications[1] = new LdapModification(LdapModification.Add, addPassword);

conn.Modify(loginDN, modifications);

我正在针对 Windows AD 域以及 Linux OpenLDAP 测试此代码。两个 LDAP 服务器的用户都具有 属性 userPassword 属性。

当我 运行 此代码 LdapModification.ADD 抛出一个错误 No such attribute userPassword. 当我试图找到解决方案时我让人们使用属性 unicodePwd,但它需要一个SSL 连接。

AD 域和 Open LDAP 的 SSL 连接是否必须?或者如何解决上述错误?请帮忙。

虽然AD有一个userPassword属性,它只是一个指向unicodePwd属性的指针,这才是真正的密码属性。但是 userPassword 并不总是有效,如 the documentation 中所述。对于 Active Directory,您最好直接使用 unicodePwd

The documentation for unicodePwd says that you require either SSL or SASL encryption to set the attribute. SASL would usually be done with Kerberos. If you were using DirectoryEntry, that's easily done by specifying AuthenticationTypes.Sealing. With Novell.Directory.Ldap, I don't know if that's possible, and this open issue 表明它不是(还)。

除非您愿意切换到使用 Sytem.DirectoryServices(在 .NET Core 中,这只会在 Windows 上将您锁定到 运行 您的应用程序),那么我认为你被卡住需要 SSL。

unicodePwd 属性也需要非常特殊的格式。文档说:

the DC requires that the password value be specified in a UTF-16 encoded Unicode string containing the password surrounded by quotation marks, which has been BER-encoded as an octet string per the Object(Replica-Link) syntax.

在 C# 中,可以像这样轻松完成:

Encoding.Unicode.GetBytes("\"NewPassword\"")