7 02 2012
Active Directory Password Reset in Java
We use a Java application, accessed through Peoplecode within Enterprise Portal to change user passwords in LDAP. Currently, we’re running a SunOne LDAP server, whose rights were recently acquired by Oracle. A decision has been made to replace SunOne with Microsoft Active Directory. This change presented several challenges, but today I’ll mention specifically the obstacles I faced to reset AD passwords using Java.
Tools & Resources used
Hurdle #1: SSL libraries
The existing Java code for establishing a secure connection to SunOne uses older libraries from novell:
For some reason, I could not form an SSL connection to AD using this library. It wasn’t until I switched to JNDI that I was able to successfully bind to AD over SSL.
Hurdle #2: Resetting passwords
In AD, an error will be thrown if an attempt is made to perform a “restricted operation” without having the proper credentials or binding over SSL. Becoming familiar with the various error codes helped tremendously. Now to the gritty stuff…
SunOne and AD store passwords differently. From what I read/encountered with SunOne, a plain text password could be used to REPLACE the value in the
userPassword attribute, and SunOne will take care of the encryption itself. This is not the case for AD. I spent plenty of time researching the web how to encrypt AD passwords before updating the
UnicodePwd attribute. Fortunately, I came across a website that provided the source code to encrypt passwords in a manner that AD liked. Thanks Jeremy Mortis!