0

我在 Windows Server 2016 中的 AD 出现问题,其密码策略如下:

用于测试目的的密码策略

现在在带有 UnboundID 的 Springboot 应用程序中,我发现的第一个问题是,在我更改密码时,最小密码年龄规则被忽略,AD 没有错误,应用程序正确更改密码,类似这样:

public String changePassword(UserAndPasswordDTO credentials) {
    // Create connection with active directory
    final LDAPConnection connection = this.createADConnection(myHost, Integer.parseInt(port), dn, password);
    if (connection != null) {
        try {
            // Properly encode the password. It must be enclosed in quotation marks,
            // and it must use a UTF-16LE encoding.
            logger.debug("Going to encode the password.");
            byte[] quotedPasswordBytes = null;
            try {
                final String quotedPassword = '"' + credentials.getPassword() + '"';
                quotedPasswordBytes = quotedPassword.getBytes("UTF-16LE");
            } catch (final UnsupportedEncodingException uee) {
                logger.error("Unable to encode the quoted password in UTF-16LE:  "
                        + StaticUtils.getExceptionMessage(uee));
            }
            // Search in active directory
            SearchResult searchResult = connection.search("dc=" + domain + ",dc=com", SearchScope.SUB,
                    "sAMAccountName=" + credentials.getUsername());
            List<SearchResultEntry> searchEntries = searchResult.getSearchEntries();
            if (searchEntries.size() != 1) {
                // The search didn't match exactly one entry.
                logger.debug("Coming out of the change password service");
                return "The search didn't match exactly one entry.";
            } else {
                // Get the dn value of the search
                String userDN = searchEntries.get(0).getAttribute("distinguishedName").getValue();
                // Attempt to modify the user password.
                final Modification mod = new Modification(ModificationType.REPLACE, "unicodePwd",
                        quotedPasswordBytes);
                connection.modify(userDN, mod);
                logger.debug("Coming out of the change password service");
                return "Password changed succesfully";
            }
        } catch (LDAPException e) {
            logger.error("Error when try to search the user to modify his password");
            logger.debug("Coming out of the change password service");
            return "Error when try to search the user to modify his password";
        } finally {
            connection.close();
        }
    } else {
        // Connection to AD is null
        logger.debug("Connection to active directory is null");
        logger.debug("Coming out of the change password service");
        return "Active Directory connection error";
    }
}

在这种情况下,应该也可以强制密码历史,但它允许重复密码,即连续 10 次以上将密码更改为 abc+000,这意味着此密码历史不会产生错误或什么的。所以,我的问题来了……为什么会这样?我该如何解决?任何帮助将不胜感激。谢谢!

PD:我测试了复杂性要求和长度规则,这些都运行良好,为 AD 中的操作返回错误。PD2:AD 在 LDAPS 协议下。

4

1 回答 1

0

您将其发布在其他地方,但我认为在这里交流会更容易。我进行了快速研究并发现了这一点……它不支持与密码策略相关的任何功能(例如,密码过期、帐户锁定、拒绝弱密码等)。此外,它不会隐藏以任何方式存储的密码,也不支持使用已经以某种形式编码的密码。https://docs.ldap.com/ldap-sdk/docs/in-memory-directory-server.html

于 2020-08-28T22:25:51.850 回答