问题描述
我在Windows服务器2016中的AD遇到这样的密码策略问题:
现在在具有UnboundID的Springboot应用程序中,我发现的第一个问题是更改密码时忽略了“最小密码使用期限”规则,没有错误来自AD,并且该应用程序正确更改了密码,像这样的东西:
public String changePassword(UserAndPasswordDTO credentials) {
// Create connection with active directory
final LDAPConnection connection = this.createADConnection(myHost,Integer.parseInt(port),dn,password);
if (connection != null) {
try {
// Properly encode the password. It must be enclosed in quotation marks,// and it must use a UTF-16LE encoding.
logger.debug("Going to encode the password.");
byte[] quotedPasswordBytes = null;
try {
final String quotedPassword = '"' + credentials.getpassword() + '"';
quotedPasswordBytes = quotedPassword.getBytes("UTF-16LE");
} catch (final UnsupportedEncodingException uee) {
logger.error("Unable to encode the quoted password in UTF-16LE: "
+ StaticUtils.getExceptionMessage(uee));
}
// Search in active directory
SearchResult searchResult = connection.search("dc=" + domain + ",dc=com",SearchScope.SUB,"sAMAccountName=" + credentials.getUsername());
List<SearchResultEntry> searchEntries = searchResult.getSearchEntries();
if (searchEntries.size() != 1) {
// The search didn't match exactly one entry.
logger.debug("Coming out of the change password service");
return "The search didn't match exactly one entry.";
} else {
// Get the dn value of the search
String userDN = searchEntries.get(0).getAttribute("distinguishedname").getValue();
// Attempt to modify the user password.
final Modification mod = new Modification(ModificationType.REPLACE,"unicodePwd",quotedPasswordBytes);
connection.modify(userDN,mod);
logger.debug("Coming out of the change password service");
return "Password changed succesfully";
}
} catch (LDAPException e) {
logger.error("Error when try to search the user to modify his password");
logger.debug("Coming out of the change password service");
return "Error when try to search the user to modify his password";
} finally {
connection.close();
}
} else {
// Connection to AD is null
logger.debug("Connection to active directory is null");
logger.debug("Coming out of the change password service");
return "Active Directory connection error";
}
}
在这种情况下,也应该也可以执行密码历史记录,但是它允许重复密码,即连续十次以上将密码更改为abc + 000,这意味着此密码历史记录不会产生错误或其他错误。所以,我的问题来了...为什么会这样呢?而我该如何解决呢?任何帮助将不胜感激。谢谢!
PD:我测试了复杂性要求和长度规则,它们工作正常,返回了AD中操作的错误。 PD2:AD位于LDAPS协议下。
解决方法
您在其他地方发布了此内容,但我认为在此处进行交流会更容易。我进行了快速研究,发现了这一点... 它不支持与密码策略相关的任何功能(例如,密码过期,帐户锁定,拒绝弱密码等)。此外,它不会掩盖以任何方式存储的密码,也不支持使用已经以某种形式编码的密码。 https://docs.ldap.com/ldap-sdk/docs/in-memory-directory-server.html