Here are a few comments/notes from the experience.
- I'm using Java for this
- I'm currently using Spring-ldap (1.3.x); works "ok sort of". I'm probably going to have to rip it out and do this manually though. See note after this list for info on the problem.
- When using a service account to make administrative password changes, make sure the service account has the correct rights for setting passwords. The example here uses a service account to make the changes.
- You can set pwdLastSet to "0" to force a user to set their password on next login. This requires its own rights in MS AD.
- You MUST use an LDAPS (LDAP over TLS) connection to change the password; the directory rejects the modification otherwise.
The following is how it is set up right now, using Spring LDAP. There are a number of examples like this floating around the internet.
Once you have a Spring LdapTemplate instance, the code for a password change looks like this:
```java
import java.nio.charset.StandardCharsets;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

// AD expects the new password wrapped in double quotes and encoded as UTF-16LE.
final ModificationItem[] mods = new ModificationItem[] {
    new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
        new BasicAttribute("unicodePwd",
            ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE)))
};
ldapTemplate.modifyAttributes(userDN, mods);
```
The code to force a user to change their password at next login is:
```java
// Setting pwdLastSet to 0 flags the account as "must change password at next logon".
final ModificationItem[] mods = new ModificationItem[] {
    new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
        new BasicAttribute("pwdLastSet", "0"))
};
ldapTemplate.modifyAttributes(userDN, mods);
```
There are only two values you can set for pwdLastSet: 0 and -1. Setting 0 forces the user to change their password at next login, while -1 appears to mark the password as having just been set.
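As an added example (not code from the post), here is the "manual" JNDI version of the same two operations, doing the administrative reset and the must-change flag in a single modify over LDAPS; the server URL, service account DN and user DN are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

public class AdPasswordReset {
    // AD expects the new password wrapped in double quotes and encoded as UTF-16LE.
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Administrative reset by a service account; LDAPS is mandatory for unicodePwd.
    static void resetPassword(String ldapsUrl, String serviceDn, String servicePassword,
                              String userDn, String newPassword, boolean mustChangeAtNextLogon)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);            // must be an ldaps:// URL
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, serviceDn);
        env.put(Context.SECURITY_CREDENTIALS, servicePassword);

        ModificationItem pwd = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)));
        // pwdLastSet = 0 in the same modify so the user is prompted at next logon.
        ModificationItem[] mods = mustChangeAtNextLogon
                ? new ModificationItem[] { pwd, new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute("pwdLastSet", "0")) }
                : new ModificationItem[] { pwd };

        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            ctx.modifyAttributes(userDn, mods);
        } finally {
            ctx.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // All DNs and the host below are placeholders; secrets come from the arguments.
        resetPassword("ldaps://dc.example.test:636",
                "CN=svc-pwreset,OU=Service Accounts,DC=example,DC=test", args[0],
                "CN=Jane Doe,OU=Users,DC=example,DC=test", args[1], true);
    }
}
```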
Nothing really exciting here, but it does help us move toward best practices.