4 Replies Latest reply on Feb 28, 2011 8:37 AM by 802752

    Cannot Add User due to Password Issue

      I have tried the code provided by SteveAD. Made tweaks to match our requirements and it works beautifully.

      A user gets created and is added to the group. However, the password doesn't work.

      Platform: Windows AD 2008 Datacenter R2 Active Directory, working with Java 1.6.0_21.

      If I run with the line for TLS negotiation, it throws an exception:

      "Problem creating object: javax.naming.ServiceUnavailableException: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090E09, comment: Error initializing SSL/TLS, data 0, v1db0"

      If I disable the line I get:

      "Problem creating object: javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0"

      After much googling, WILL_NOT_PERFORM says that it needs a TLS/SSL connection for the password. Now I am not an AD or Java expert, but to enable TLS I changed this policy on the AD domain controller, "LDAP server signing requirements", from None to "Require signing". Still I continue to get this error.

      I even tried the SSL code posted by Steve, but now I guess something is missing on the server side to accept an SSL connection.

      Would appreciate it if someone can help.

      String newQuotedPassword = "\"p@ssw0rd\""; // to match the complexity of our password
      byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
      mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
      mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWORD_EXPIRED)));
        • 1. Re: Cannot Add User due to Password Issue
          I am still stuck here, but when I try it on the parent domain controller there is another error:

          1. Problem creating object: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

          Now this means the parent domain controller on Windows 2008 is running something with TLS enabled to secure the connection. The object is created and it takes 2-5 seconds to establish a connection.

          The code changes are:

          String keystore = "/usr/software/jdk/jre/lib/security/cacerts";

          I tried to enable SSL (636) but the bind fails, so that is for sure not running.

          Help is appreciated.
          • 2. Re: Cannot Add User due to Password Issue
            Your problem is that your AD is using TLS with a certificate that is not trusted by your Java Runtime, probably because it is self-signed. You need to import that certificate into your java truststore (use the default cacerts file) using the keytool utility.
            • 3. Re: Cannot Add User due to Password Issue
              Finally managed to resolve the problem.

              I tried a lot of things from reading forums, but this is what worked:

              1. Create a key store using $ keytool -genkey -keystore /home/rohan/mystore -keysize 1024 -keyalg RSA. This created the "mystore" key store. From the cert file I got the information on RSA and encryption of 1024 bits.

              2. Import the certificate into the keystore: $ keytool -import -keystore /home/rohan/mystore -alias primarydc -file DC2K8.cer

              3. In the code I just added these lines:

              env.put(Context.PROVIDER_URL, "ldap://myldapserver:389"); // Port 389 on Windows Domain Controller
              String keystore = "/home/rohan/mystore";

              4. Change of password (code provided by stevead):

              StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
              ModificationItem[] mods = new ModificationItem[2];
              String newQuotedPassword = "\"" + password + "\"";
              byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
              mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));
              mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWD_NOTREQD)));
              ctx.modifyAttributes(userName, mods);

              Useful links

              Thanks to stevead and handat for helping.

The full sequence described in the thread (trust the DC certificate, StartTLS on port 389, then write unicodePwd), assembled as an added Java example that is not code from the thread or its posters; the host name, bind DN, user DN and truststore path are placeholders, and the example sets userAccountControl to UF_NORMAL_ACCOUNT alone rather than adding UF_PASSWD_NOTREQD, so the account keeps requiring a password.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

public class AdPasswordReset {
    // Normal enabled account. UF_PASSWD_NOTREQD (0x20) is deliberately not OR-ed in,
    // so the account cannot later be left with an empty password.
    static final int UF_NORMAL_ACCOUNT = 0x0200;

    // AD only accepts unicodePwd as the password wrapped in double quotes, encoded UTF-16LE.
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // All arguments are placeholders supplied by the caller (hypothetical values).
    static void resetPassword(String host, String bindDn, String bindPw, String userDn,
                              String newPassword, String truststorePath) throws Exception {
        // The DC certificate (DC2K8.cer in the thread) must already be imported into this store,
        // otherwise negotiate() fails with "PKIX path building failed".
        System.setProperty("javax.net.ssl.trustStore", truststorePath);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://" + host + ":389"); // plain port, TLS via StartTLS
        LdapContext ctx = new InitialLdapContext(env, null);
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        try {
            tls.negotiate(); // validates the DC certificate against the truststore
            // Bind only after TLS is up so the credentials never cross the wire in clear text.
            ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
            ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, bindDn);
            ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, bindPw);
            ModificationItem[] mods = {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword))),
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT)))
            };
            ctx.modifyAttributes(userDn, mods); // without TLS, AD answers WILL_NOT_PERFORM (error 53)
        } finally {
            tls.close();
            ctx.close();
        }
    }
}
```

              • 4. Re: Cannot Add User due to Password Issue
                How to reset a password with Windows AD 2008 is answered. A secure connection is needed to complete the process.