Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is it possible to change the password via cfldap?

For some time I have been trying to change a password via cfldap. The connection is made over SSL and port 636 (cfssl_basic), tested within logins. I tried the following version of code:

<cfset password_new_retyp=charsetEncode(charsetDecode('"'&password_new_retyp&'"','UTF-16LE'),'UTF-8'))>
<!---encoded, decoded password --->
<cfldap action="modify"
    dn="#session.dn_addres#" --- i query this on login
    modifyType="replace"
    attributes="unicodePwd=#password_new_retyp#"
    server="xxxx.xxxx.xxx.xx" --- name of server thet i use on login
    secure = "cfssl_basic" 
    port=636
    username="#session.username#" ---username thet is used on login
    password="#password_old#">  ---- pass before changing

and error is somthing like this :

An error has occured while trying to execute query :[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0 ].

I also tried this method without encoding password:

<cfldap action="modify"
    dn="#session.dn_addres#"
    modifyType="replace"
    attributes="password=#password_new_retyp#"
    server="xxxx.xxxx.xxx.xx"
    secure = "cfssl_basic"
    port=636
    username="#session.username#"
    password="#password_old#" >

and eror is the same:

An error has occured while trying to execute query :[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0 ]. One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server.

Any idea?

like image 602
Aleksandar Avatar asked Apr 24 '14 12:04

Aleksandar


1 Answers

It was a long and hard road but I got there. I hope this helps anyone else trying to change passwords and enforce LDAP password policy.

Source: Based on code from Edward Smith in archived CFTalk thread

<cftry>
    <cfscript>
        // You are going to use  the user's credentials to login to LDAP
        // Assuming your LDAP is set up to do so

        // Set up varibles
        newPassword = '"#newPassword#"';
        oldPassword = '"#currentPassword#"';
        // You would probably pass in a variable here, I typed it out so you would ss the format its expecting
        distinguishedName = "CN=theUser,OU=someOU,DC=DDDD,DC=CCC,DC=AAA,DC=ZZZ";
        newUnicodePassword = newPassword.getBytes("UnicodeLittleUnmarked");
        oldUnicodePassword = oldPassword.getBytes("UnicodeLittleUnmarked");
        ldapsURL = "ldap://#ldapServer#:#ldapPort#";

        // Create a Java Hashtable
        javaEnv = CreateObject("java", "java.util.Hashtable").Init();

        // Put stuff in the Hashtable
        javaEnv.put("java.naming.provider.url", ldapsURL);
        // The user's Full DN and Password
        javaEnv.put("java.naming.security.principal", "#distinguishedName#");
        javaEnv.put("java.naming.security.credentials", "#currentPassword#");
        javaEnv.put("java.naming.security.authentication", "simple");
        javaEnv.put("java.naming.security.protocol", "ssl");
        javaEnv.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");

        // Create a Java InitialDirContext
        javaCtx = CreateObject("java", "javax.naming.directory.InitialDirContext").Init(javaEnv);

        // Create two Java BasicAttributes
        oldBA = CreateObject("java", "javax.naming.directory.BasicAttribute").Init("unicodePwd", oldUnicodePassword);
        newBA = CreateObject("java", "javax.naming.directory.BasicAttribute").Init("unicodePwd", newUnicodePassword);

        /***********************************************
        *   Stick the attributes into an Java Array and tell it what to do with them
        *   Guess what? A CF Array = a Java Array
        *   1 = DirContext.ADD_ATTRIBUTE
        *   2 = DirContext.REPLACE_ATTRIBUTE
        *   3 = DirContext.REMOVE_ATTRIBUTE
        *  This is the big trick 
        *   If you login above as an admin then you only need to do a 2 Replace but will not run LDAP passoword policy (lenght, complexity, history... etc.)
        *       It will let you change password to anything
        *   If you want to check the LDAP password policy then you need to create the array and first Remove (3) then Add (1)
        *       Error Code 19 means something in the LDAP password policy was violated
        *           I haven't figured out how to read what the error is (like "password length too short" or "you have used this password in the past")
        *       Error Code 49 means invalid username/password
        ************************************************/
        mods = [
            createObject( "java", "javax.naming.directory.ModificationItem").init(3, oldBA),
            createObject( "java", "javax.naming.directory.ModificationItem").init(1, newBA)
        ]; 
        // Run it
        javaCtx.modifyAttributes(distinguishedName,mods);
        javaCtx.close();
    </cfscript>
    // Yeah! I could have scripted the cfcatch but this was easier.
    <cfcatch>
        <cfif find('error code 19',cfcatch.message)>
            <!--- I am using cfwheels so this just displays a nice error message on the next page --->
            <cfset flashInsert(error="New password does not meet requirements defined in the password rules.")>
        <cfelseif isDefined('cfcatch.RootCause.cause.Explanation') and find('error code 49', cfcatch.RootCause.cause.Explanation)>
            <!--- I am using cfwheels so this just displays a nice error message on the next page --->
            <cfset flashInsert(error="Current Password IS incorrect.")>
        <cfelse>    
            <!--- This just pukes the error up hard and uncaught --->
            <cfrethrow>
        </cfif>
        <cfset hasError = true>
    </cfcatch>  
</cftry>
like image 195
Mr.Black Avatar answered Sep 22 '22 01:09

Mr.Black