use of org.ldaptive.extended.PasswordModifyRequest in project cas by apereo.
the class LdapUtils method executePasswordModifyOperation.
/**
* Execute a password modify operation.
*
* @param currentDn the current dn
* @param connectionFactory the connection factory
* @param oldPassword the old password
* @param newPassword the new password
* @param type the type
* @return true /false
* <p>
* AD NOTE: Resetting passwords requires binding to AD as user with privileges to reset other users passwords
* and it does not validate old password or respect directory policies such as history or minimum password age.
* Changing a password with the old password does respect directory policies and requires no account operator
* privileges on the bind user. Pass in blank old password if reset is in order (e.g. forgot password) vs.
* letting user change their own (e.g. expiring) password.
*/
public static boolean executePasswordModifyOperation(final String currentDn, final ConnectionFactory connectionFactory, final String oldPassword, final String newPassword, final AbstractLdapProperties.LdapType type) {
try {
val connConfig = connectionFactory.getConnectionConfig();
val secureLdap = connConfig.getLdapUrl() != null && !connConfig.getLdapUrl().toLowerCase().contains("ldaps://");
if (connConfig.getUseStartTLS() || secureLdap) {
LOGGER.warn("Executing password modification op under a non-secure LDAP connection; " + "To modify password attributes, the connection to the LDAP server {} be secured and/or encrypted.", type == AbstractLdapProperties.LdapType.AD ? "MUST" : "SHOULD");
}
if (type == AbstractLdapProperties.LdapType.AD) {
LOGGER.debug("Executing password change op for active directory based on " + "[https://support.microsoft.com/en-us/kb/269190]" + "change type: [{}]", StringUtils.isBlank(oldPassword) ? "reset" : "change");
val operation = new ModifyOperation(connectionFactory);
val response = StringUtils.isBlank(oldPassword) ? operation.execute(new ModifyRequest(currentDn, new AttributeModification(AttributeModification.Type.REPLACE, new UnicodePwdAttribute(newPassword)))) : operation.execute(new ModifyRequest(currentDn, new AttributeModification(AttributeModification.Type.DELETE, new UnicodePwdAttribute(oldPassword)), new AttributeModification(AttributeModification.Type.ADD, new UnicodePwdAttribute(newPassword))));
LOGGER.debug("Result code [{}], message: [{}]", response.getResultCode(), response.getDiagnosticMessage());
return response.getResultCode() == ResultCode.SUCCESS;
}
LOGGER.debug("Executing password modification op for generic LDAP");
val operation = new ExtendedOperation(connectionFactory);
val response = operation.execute(new PasswordModifyRequest(currentDn, StringUtils.isNotBlank(oldPassword) ? oldPassword : null, newPassword));
LOGGER.debug("Result code [{}], message: [{}]", response.getResultCode(), response.getDiagnosticMessage());
return response.getResultCode() == ResultCode.SUCCESS;
} catch (final Exception e) {
LoggingUtils.error(LOGGER, e);
}
return false;
}
Aggregations