
I'm trying to reset an Active Directory user's password without SSL. I found out through this link that the requirement for SSL could be disabled in AD. But using this code:

```java
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;
import java.util.*;
import java.security.*;

public class ADConnection {
    DirContext ldapContext;
    String baseName = ",cn=users,DC=fabrikam,DC=com";
    String serverIP = "10.1.1.7";

    public ADConnection() {
        try {
            // plain (non-TLS) simple bind on port 389
            Hashtable ldapEnv = new Hashtable(11);
            ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
            ldapEnv.put(Context.PROVIDER_URL, "ldap://" + serverIP + ":389");
            ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple");
            ldapEnv.put(Context.SECURITY_PRINCIPAL, "cn=administrator" + baseName);
            ldapEnv.put(Context.SECURITY_CREDENTIALS, "PA$$w0rd");
            ldapContext = new InitialDirContext(ldapEnv);
        }
        catch (Exception e) {
            System.out.println(" bind error: " + e);
            e.printStackTrace();
            System.exit(-1);
        }
    }

    public void updatePassword(String username, String password) {
        try {
            // AD expects the new password as a double-quoted string encoded in UTF-16LE
            String quotedPassword = "\"" + password + "\"";
            char unicodePwd[] = quotedPassword.toCharArray();
            byte pwdArray[] = new byte[unicodePwd.length * 2];
            for (int i = 0; i < unicodePwd.length; i++) {
                pwdArray[i * 2 + 1] = (byte) (unicodePwd[i] >>> 8);
                pwdArray[i * 2 + 0] = (byte) (unicodePwd[i] & 0xff);
            }
            ModificationItem[] mods = new ModificationItem[1];
            mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("UnicodePwd", pwdArray));
            ldapContext.modifyAttributes("cn=" + username + baseName, mods);
        }
        catch (Exception e) {
            System.out.println("update password error: " + e);
            System.exit(-1);
        }
    }

    public static void main(String[] args) {
        ADConnection adc = new ADConnection();
        // the password must be a string literal; the unquoted form does not compile
        adc.updatePassword("Java User2", "pass@word3");
    }
}
```

results in:

javax.naming.OperationNotSupported: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190F0A, problem 5003 (WILL_NOT_PERFORM)....

Assuming that we could trust the Microsoft documents (the password could be reset through the non-SSL port 389), I'm suspecting the Java API and want to establish a direct connection to AD with sockets and run the reset-password commands; actually, I'm looking for an alternative to javax.naming.*. Is that possible? Has anyone tried resetting an AD password without SSL?

P.S.: The application server and AD server are in a private, secure network and I'm not worried about sniffing.

redbeard1970
  • Java didn't deliver or devise that error code. AD did. Looking for an alternative to `javax.naming` isn't going to get you anywhere. Take a closer look at the rest of the error message. – user207421 Jan 11 '17 at 05:40
  • Thanks, that makes sense, but what about all the "allow passwd op on unsecured connection" settings which Microsoft suggested? – redbeard1970 Jan 11 '17 at 10:15
  • You can reset the password over TCP 389, but first you need to issue a STARTTLS command which switches the context of the session to be encrypted. Either way you cannot get around the SSL requirement for password modifications in AD unless you modify the [dsHeuristics](https://msdn.microsoft.com/en-us/library/cc223560.aspx), which is way overkill for this when you could just issue a STARTTLS and blindly accept the cert (also risky...you should verify the cert is trusted, but it's better than nothing...). – ChadSikorra Jan 11 '17 at 20:45
  • Thanks @ChadSikorra, but I have no idea how to send AD commands through TCP and could not find a tutorial or something. Should that still be done through javax.naming? – redbeard1970 Jan 15 '17 at 13:58
  • The STARTTLS command isn't an AD thing, it's part of the LDAP protocol. I'm not a Java programmer, but this looks like an example: https://docs.oracle.com/javase/7/docs/api/javax/naming/ldap/StartTlsResponse.html – ChadSikorra Jan 15 '17 at 15:08
  • Use Jespa. The jespa.ldap.LdapAccount.setPassword method by default will use NTLM session security so no SSL is necessary. – squarewav Feb 28 '17 at 16:33

1 Answer

Windows doesn't allow changing a password in Active Directory over plain LDAP. It requires an SSL connection in order to change the unicodePwd attribute, where AD stores the password.

Sometimes you may get an exception like:

javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 00002077: SvcErr: DSID-03190F4C, problem 5003 (WILL_NOT_PERFORM), data 0 ]

Solution: Use SSL certificate

In order to modify this attribute, the client must have a 128-bit Transport Layer Security (TLS)/Secure Socket Layer (SSL) connection to the server. An encrypted session using SSP-created session keys using NTLM or Kerberos are also acceptable as long as the minimum key length is met.

Further reading

rogue lad
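Putting ChadSikorra's STARTTLS comment and the answer above together, here is an added example (not code from the question, the answer, or the JDK documentation) that negotiates TLS on port 389 with JNDI before binding and writing unicodePwd, so the server certificate is verified rather than accepted blindly. It assumes a DC host name `dc01.fabrikam.com` that matches the DC's certificate, the issuing CA in the JVM truststore, and the administrator bind password in an `AD_BIND_PASSWORD` environment variable.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class StartTlsPasswordReset {
    // Assumed values: the DC host name must match its certificate, and the CA that
    // issued the DC certificate must be in the JVM truststore for negotiate() to succeed.
    static final String DC_HOST = "dc01.fabrikam.com";
    static final String BASE_NAME = ",cn=users,DC=fabrikam,DC=com";

    public static void resetPassword(String username, String newPassword)
            throws NamingException, IOException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + DC_HOST + ":389");
        // No credentials here: the bind is deferred until TLS is up, so neither the
        // administrator password nor the new user password crosses the wire in clear.
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        try {
            // Default SSLSocketFactory and hostname verifier: the DC certificate is checked
            // against the truststore and DC_HOST instead of being accepted blindly.
            tls.negotiate();
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, "cn=administrator" + BASE_NAME);
            // Assumption: bind password supplied via the environment rather than hard-coded.
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, System.getenv("AD_BIND_PASSWORD"));
            // AD wants the new password wrapped in double quotes and encoded as UTF-16LE.
            byte[] pwd = ("\"" + newPassword + "\"").getBytes(StandardCharsets.UTF_16LE);
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", pwd))
            };
            // The JNDI LDAP provider binds with the new credentials on this first operation.
            ctx.modifyAttributes("cn=" + username + BASE_NAME, mods);
        } finally {
            tls.close();
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        resetPassword("Java User2", "pass@word3");
    }
}
```

If `negotiate()` throws an SSL exception, the certificate chain or host name did not verify; fix the truststore or host name rather than installing a permissive `HostnameVerifier`.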