一段时间以来,我一直试图通过 cfldap
更改密码。 .连接是通过 SSL 和端口 636 ( cfssl_basic
) 建立的,在登录时进行了测试。我尝试了以下版本的代码:
<cfset password_new_retyp=charsetEncode(charsetDecode('"'&password_new_retyp&'"','UTF-16LE'),'UTF-8'))>
<!---encoded, decoded password --->
<cfldap action="modify"
dn="#session.dn_addres#" --- i query this on login
modifyType="replace"
attributes="unicodePwd=#password_new_retyp#"
server="xxxx.xxxx.xxx.xx" --- name of server thet i use on login
secure = "cfssl_basic"
port=636
username="#session.username#" ---username thet is used on login
password="#password_old#"> ---- pass before changing
错误是这样的:
An error has occured while trying to execute query :[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0 ].
我也试过这种不编码密码的方法:
<cfldap action="modify"
dn="#session.dn_addres#"
modifyType="replace"
attributes="password=#password_new_retyp#"
server="xxxx.xxxx.xxx.xx"
secure = "cfssl_basic"
port=636
username="#session.username#"
password="#password_old#" >
和错误是一样的:
An error has occured while trying to execute query :[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0 ]. One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server.
任何的想法?
最佳答案
这是一条漫长而艰难的道路,但我到达了那里。我希望这可以帮助其他任何尝试更改密码和强制执行 LDAP 密码策略的人。
资料来源:基于 archived CFTalk thread 中 Edward Smith 的代码
<cftry>
<cfscript>
// You are going to use the user's credentials to login to LDAP
// Assuming your LDAP is set up to do so
// Set up varibles
newPassword = '"#newPassword#"';
oldPassword = '"#currentPassword#"';
// You would probably pass in a variable here, I typed it out so you would ss the format its expecting
distinguishedName = "CN=theUser,OU=someOU,DC=DDDD,DC=CCC,DC=AAA,DC=ZZZ";
newUnicodePassword = newPassword.getBytes("UnicodeLittleUnmarked");
oldUnicodePassword = oldPassword.getBytes("UnicodeLittleUnmarked");
ldapsURL = "ldap://#ldapServer#:#ldapPort#";
// Create a Java Hashtable
javaEnv = CreateObject("java", "java.util.Hashtable").Init();
// Put stuff in the Hashtable
javaEnv.put("java.naming.provider.url", ldapsURL);
// The user's Full DN and Password
javaEnv.put("java.naming.security.principal", "#distinguishedName#");
javaEnv.put("java.naming.security.credentials", "#currentPassword#");
javaEnv.put("java.naming.security.authentication", "simple");
javaEnv.put("java.naming.security.protocol", "ssl");
javaEnv.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
// Create a Java InitialDirContext
javaCtx = CreateObject("java", "javax.naming.directory.InitialDirContext").Init(javaEnv);
// Create two Java BasicAttributes
oldBA = CreateObject("java", "javax.naming.directory.BasicAttribute").Init("unicodePwd", oldUnicodePassword);
newBA = CreateObject("java", "javax.naming.directory.BasicAttribute").Init("unicodePwd", newUnicodePassword);
/***********************************************
* Stick the attributes into an Java Array and tell it what to do with them
* Guess what? A CF Array = a Java Array
* 1 = DirContext.ADD_ATTRIBUTE
* 2 = DirContext.REPLACE_ATTRIBUTE
* 3 = DirContext.REMOVE_ATTRIBUTE
* This is the big trick
* If you login above as an admin then you only need to do a 2 Replace but will not run LDAP passoword policy (lenght, complexity, history... etc.)
* It will let you change password to anything
* If you want to check the LDAP password policy then you need to create the array and first Remove (3) then Add (1)
* Error Code 19 means something in the LDAP password policy was violated
* I haven't figured out how to read what the error is (like "password length too short" or "you have used this password in the past")
* Error Code 49 means invalid username/password
************************************************/
mods = [
createObject( "java", "javax.naming.directory.ModificationItem").init(3, oldBA),
createObject( "java", "javax.naming.directory.ModificationItem").init(1, newBA)
];
// Run it
javaCtx.modifyAttributes(distinguishedName,mods);
javaCtx.close();
</cfscript>
// Yeah! I could have scripted the cfcatch but this was easier.
<cfcatch>
<cfif find('error code 19',cfcatch.message)>
<!--- I am using cfwheels so this just displays a nice error message on the next page --->
<cfset flashInsert(error="New password does not meet requirements defined in the password rules.")>
<cfelseif isDefined('cfcatch.RootCause.cause.Explanation') and find('error code 49', cfcatch.RootCause.cause.Explanation)>
<!--- I am using cfwheels so this just displays a nice error message on the next page --->
<cfset flashInsert(error="Current Password IS incorrect.")>
<cfelse>
<!--- This just pukes the error up hard and uncaught --->
<cfrethrow>
</cfif>
<cfset hasError = true>
</cfcatch>
</cftry>
关于coldfusion - 是否可以通过 cfldap 更改密码?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/23269273/