Password policy is not working completely in Windows server 2016 AD while using UnboundID in springboot app
I'm having issues with an AD in Windows server 2016 with a passsword policy like this one:
Now in a Springboot app with UnboundID the first issue that I've found is that the Minimum password age rule is being ignored while I change a password, there's no error coming from the AD and the app changes the password correctly, with something like this:
public String changePassword(UserAndPasswordDTO credentials) {
// Create connection with active directory
final LDAPConnection connection = this.createADConnection(myHost, Integer.parseInt(port), dn, password);
if (connection != null) {
try {
// Properly encode the password. It must be enclosed in quotation marks,
// and it must use a UTF-16LE encoding.
logger.debug("Going to encode the password.");
byte[] quotedPasswordBytes = null;
try {
final String quotedPassword = '"' + credentials.getPassword() + '"';
quotedPasswordBytes = quotedPassword.getBytes("UTF-16LE");
} catch (final UnsupportedEncodingException uee) {
logger.error("Unable to encode the quoted password in UTF-16LE: "
+ StaticUtils.getExceptionMessage(uee));
}
// Search in active directory
SearchResult searchResult = connection.search("dc=" + domain + ",dc=com", SearchScope.SUB,
"sAMAccountName=" + credentials.getUsername());
List<SearchResultEntry> searchEntries = searchResult.getSearchEntries();
if (searchEntries.size() != 1) {
// The search didn't match exactly one entry.
logger.debug("Coming out of the change password service");
return "The search didn't match exactly one entry.";
} else {
// Get the dn value of the search
String userDN = searchEntries.get(0).getAttribute("distinguishedName").getValue();
// Attempt to modify the user password.
final Modification mod = new Modification(ModificationType.REPLACE, "unicodePwd",
quotedPasswordBytes);
connection.modify(userDN, mod);
logger.debug("Coming out of the change password service");
return "Password changed succesfully";
}
} catch (LDAPException e) {
logger.error("Error when try to search the user to modify his password");
logger.debug("Coming out of the change password service");
return "Error when try to search the user to modify his password";
} finally {
connection.close();
}
} else {
// Connection to AD is null
logger.debug("Connection to active directory is null");
logger.debug("Coming out of the change password service");
return "Active Directory connection error";
}
}
In this scenario, should be working Enforce password history too, but it allows to repeat the password, i.e. change password to abc+000 more than 10 consecutive times, meaning that this password history is not generating an error or something. So, here comes my questions... Why is it happening this? and how can i solve it? Any help will appreciated. Thanks!
PD: I tested the Complexity requirements and length rule, and these are working good returning an error for the action in the AD. PD2: The AD is under LDAPS protocol.
You posted this somewhere else but I thought it would be easier to communicate here. I did quick research and found this... It does not provide support for any features related to password policy (e.g., password expiration, account lockout, rejecting weak passwords, etc.). Further, it does not obscure passwords stored in any way, nor does it support the use of passwords that have already been encoded in some form. https://docs.ldap.com/ldap-sdk/docs/in-memory-directory-server.html
- Failed to auto-configure a DataSource: 'spring.datasource.url' is not specified
- Why are there 2 Security Filter Chains defined for my Spring Boot Application?
- How to log request and response bodies in Spring WebFlux
- save(...) must not be null in spring boot tests with Kotlin
- Spring's @RequestParam with Enum
- @KafkaHandler in the consumer doesn't consume the topic message as an object class, only as a string
- Request Matcher not working to permit allowed path
- Java Spring API NoClassDefFoundError: javax/persistence/EntityManagerFactory
- Quartz missing Jobs executions
- Are there tools like Jqwik for easily testing Google API's time class? (DateTime, EventDateTime...etc)
- How to Sync Google Calendar Events Using Push Notifications?
- org.hibernate.HibernateException: Access to DialectResolutionInfo cannot be null when 'hibernate.dialect' not set
- Rest Spring boot converts a response with duplicate object to id of that object
- Criteria Builder Multiple Joins
- How to avoid joining table when querying by a foreign key?
- How to use eureka.client.service-url: property of netflix eureka in spring cloud
- How to enable Spring Boot Live Dev Tools on IntelliJ 2021.2 to rebuild classes after modifications and deploy changes to server?
- Why does the main Spring Boot application always trigger PMD's HideUtilityClassConstructorCheck?
- Spring Boot JmsTemplate not taking into account replyTo in Message
- Test Unit Spring boot: Unable to register mock bean
- Spring Security 6 - how to handle InvalidBearerTokenExeption
- Spring Security issue with JWT: Cannot subclass final class JwtAuthenticationProvider
- Spring @Sql Annotations, possible to run once before all tests?
- Can apm-agent-java plugin be placed inside the application JAR file?
- Springboot mySQL Failed to determine a suitable driver class
- Java springboot Validation is not working for me
- How to validate and sanitize HTTP Get with Spring Boot?
- Unable to resolve name [org.hibernate.dialect.MYSQL5Dialect] as strategy [org.hibernate.dialect.Dialect]
- Spring Boot - no log file written (logging.file is not respected)
- Handling Internal Server Error When OAuth Issuer Is Not Available in WebFluxSecurity