Carl Henderson

My contribution

Active Directory Password Reset in Java

We use a Java application, accessed through PeopleCode within Enterprise Portal, to change user passwords in LDAP. Currently we're running a SunOne LDAP server, whose rights were recently acquired by Oracle. A decision has been made to replace SunOne with Microsoft Active Directory. This change presented several challenges, but today I'll focus specifically on the obstacles I faced resetting AD passwords from Java.

Tools & Resources used

  1. Eclipse IDE
  2. AD Explorer
  3. AD Error codes

Hurdle #1: SSL libraries

The existing Java code for establishing a secure connection to SunOne uses the older JLDAP libraries from Novell:

// JLDAP (com.novell.ldap) connection wrapped in an SSL socket factory
LDAPConnection conn = new LDAPConnection(new LDAPJSSESecureSocketFactory());

For some reason, I could not form an SSL connection to AD using this library. It wasn’t until I switched to JNDI that I was able to successfully bind to AD over SSL.

Hurdle #2: Resetting passwords

In AD, an error is thrown if an attempt is made to perform a "restricted operation" without the proper credentials or without binding over SSL. Becoming familiar with the various error codes helped tremendously. Now to the gritty stuff…

SunOne and AD store passwords differently. From what I read and encountered with SunOne, a plain text password could be used to REPLACE the value in the userPassword attribute, and SunOne would take care of the encryption itself. This is not the case for AD. I spent plenty of time researching on the web how to encrypt AD passwords before updating the UnicodePwd attribute. Fortunately, I came across a website that provided the source code to encrypt passwords in a manner that AD liked. Thanks Jeremy Mortis!
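The two hurdles above fit in one short program: a JNDI bind over LDAPS (Hurdle #1) followed by a REPLACE of unicodePwd (Hurdle #2). The code below is an added example written for this page; it is not the author's application and not Jeremy Mortis's code. The encoding AD requires is not a cipher but a fixed format: the new password wrapped in double quotes and encoded as UTF-16LE, sent only over a TLS-protected session. The host name, DNs, environment variable name and class name are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

public class AdPasswordReset {

    // AD expects the value of unicodePwd to be the new password wrapped in
    // double quotes and encoded as UTF-16LE (little-endian, no byte-order mark).
    static byte[] encodeUnicodePwd(String clearText) {
        return ("\"" + clearText + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Binds with JNDI over LDAPS. AD rejects writes to unicodePwd on a session
    // that is not TLS-protected, which is the "restricted operation" error above.
    static DirContext bindOverSsl(String ldapsUrl, String bindDn, String bindPassword)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);           // placeholder host below
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);       // account holding "Reset Password" on the target
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    // Administrative reset: one REPLACE of unicodePwd, the old password is not needed.
    static void resetPassword(DirContext ctx, String userDn, String newPassword)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder directory details; adjust for your own domain.
        String url = "ldaps://dc.example.test:636";
        String adminDn = "CN=svc-pwreset,OU=Service Accounts,DC=example,DC=test";
        String userDn = "CN=Jane Doe,OU=Users,DC=example,DC=test";
        // Bind password read from an environment variable rather than hard-coded.
        String bindPw = System.getenv("PWRESET_BIND_PW");

        DirContext ctx = bindOverSsl(url, adminDn, bindPw);
        try {
            resetPassword(ctx, userDn, args[0]);
        } finally {
            ctx.close();
        }
    }
}
```

Two practical notes. The JNDI SSL handshake validates the domain controller's certificate against the JVM trust store, so an untrusted or self-signed DC certificate fails the bind before any password operation is attempted. A user-initiated password change (as opposed to an administrative reset) is a single modify carrying a REMOVE of the old unicodePwd value and an ADD of the new one, both encoded the same way; AD then enforces the password policy against the old value instead of requiring the "Reset Password" right.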

