How to update the password of a user in Active Directory by JNDI....

Posted on 2004-10-25
Last Modified: 2013-11-24
Hello there,

  I have to update the password of a user in Active Directory by JNDI. I've heard that I can change a user's password by JNDI if I connect to the AD via SSL.

  I have set up a CA (enterprise root) in Windows 2000 Server and got a certificate by sending a request (CSR) from http://localhost/CertSrv/.

  But I can't create a connection to the AD server. The exception message is "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found".

  Below is my code to connect to the web server and AD. The first part works fine: I can create a connection and get a response from the web server via SSL. But the second part fails. The exception message is stated above.

  Can anyone give me some clues or procedures to do this? TIA...

-----------------------------------------------------------------------------------------------------------------------------------------

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class ADTest {

    public static void main(String[] args) {

        // Trust store holding the CA certificate imported with keytool
        System.setProperty("javax.net.ssl.trustStore", "d:\\temp\\test.keystore");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

        // Part 1: raw SSL socket to IIS on port 443 (this part works)
        try {
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket socket = (SSLSocket) factory.createSocket("127.0.0.1", 443);
            socket.startHandshake();

            java.io.PrintWriter out = new java.io.PrintWriter(
                new java.io.BufferedWriter(
                    new java.io.OutputStreamWriter(socket.getOutputStream())));

            out.println("GET / HTTP/1.0");
            out.println();
            out.flush();

            /* Make sure there were no surprises */
            if (out.checkError())
                System.out.println("SSLSocketClient:  java.io.PrintWriter error");

            /* read response */
            java.io.BufferedReader in = new java.io.BufferedReader(
                new java.io.InputStreamReader(socket.getInputStream()));

            String inputLine;
            while ((inputLine = in.readLine()) != null)
                System.out.println(inputLine);

            in.close();
            out.close();
            socket.close();
        } catch (java.io.IOException ioe) {
            ioe.printStackTrace();
        }

        // Part 2: JNDI LDAP over SSL to the domain controller on port 636
        // (this part fails with "No trusted certificate found")
        Hashtable env = new Hashtable();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldap://127.0.0.1:636");
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=administrator, CN=Users,DC=mycompany,DC=com");
        env.put(Context.SECURITY_CREDENTIALS, "hahaha");

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            System.out.println(ctx);
        } catch (NamingException ne) {
            ne.printStackTrace();
        }
    }
}


Regards,
Question by:hsinchinwang
21 Comments
 
LVL 13

Expert Comment

by:petmagdy
ID: 12398296
Please go to this URL and make sure you fulfill the << client requirements >> section:

http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
0
 

Author Comment

by:hsinchinwang
ID: 12398420
Yes...

I have used "keytool" to import a certificate from the CA. But the strange thing is, as I said, I can connect to IIS with SSL, but I can't connect to AD with SSL. (As in the code listed above.)
0
 
LVL 13

Expert Comment

by:petmagdy
ID: 12398457
Just some check questions:

Are you using JDK 1.4.1?
Does the normal non-SSL LDAP connection work?
0
 
LVL 13

Expert Comment

by:petmagdy
ID: 12398460
Hey, I got it. Use:

ldaps://127.0.0.1:636

not ldap://127.0.0.1:636

Missing S.
0
 

Author Comment

by:hsinchinwang
ID: 12407116
Hi, petmagdy

    I am using JDK 1.4.2_03 and the normal LDAP connection works fine (port 389),

    and I've tried to use "ldaps://127.0.0.1:636", but still got

    "javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found"

Regards,
0
 
LVL 13

Expert Comment

by:petmagdy
ID: 12408565
try:

ldaps://hostname:636
0
 

Author Comment

by:hsinchinwang
ID: 12408671
Hello petmagdy,

  I have tried to use the hostname, but still got the same exception.

  Thanks for your help...

Regards,
0
 
LVL 13

Expert Comment

by:petmagdy
ID: 12408691
Is the normal non SSL ldap connection working?
0
 

Author Comment

by:hsinchinwang
ID: 12408915
Yes... works fine (port 389)
0
 
LVL 13

Expert Comment

by:petmagdy
ID: 12409218
Can you please send me the error stack trace?
0
 

Author Comment

by:hsinchinwang
ID: 12410712
Sure, below is the stack trace...

--------------------- IIS test ---------------------------------------------

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 26 Oct 2004 08:55:50 GMT
Connection: Keep-Alive
Content-Length: 1129
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCSDDTRBA=MBKNKONCEJJEMGEKOKMDKEAF; path=/
Cache-control: private


------------------------------AD Test---------------------------------


javax.naming.CommunicationException: simple bind failed: 192.168.3.108:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found]
      at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:198)
      at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2640)
      at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:290)
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
      at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
      at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
      at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
      at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:662)
      at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:243)
      at javax.naming.InitialContext.init(InitialContext.java:219)
      at javax.naming.InitialContext.<init>(InitialContext.java:195)
      at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:80)
      at com.wnjsoft.dcc.test.ADTest.getContext(ADTest.java:105)
      at com.wnjsoft.dcc.test.ADTest.main(ADTest.java:118)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at com.intellij.rt.execution.application.AppMain.main(AppMain.java:78)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: No trusted certificate found
      at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_az.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
      at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
      at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
      at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
      at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
      at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:390)
      at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:334)
      at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:193)
      ... 18 more
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
      at sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:304)
      at sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:107)
      at sun.security.validator.Validator.validate(Validator.java:202)
      at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(DashoA6275)
      at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(DashoA6275)
      ... 30 more
0
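An added diagnostic for the trace above, not code from this thread: it validates the LDAPS handshake against the same trust store the JNDI code uses, but wraps the trust manager so the chain the domain controller presented is kept even when validation throws, and then lists it beside the anchors actually in the store. The DC hostname and the trust store path are assumed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class LdapsTrustCheck {
    // Assumed placeholders: DC hostname and the trust store path/password.
    static final String DC_HOST = "dc1.mycompany.com";
    static final int LDAPS_PORT = 636;
    static final String TRUST_STORE = "d:\\temp\\test.keystore";
    static final char[] TRUST_PASS = "changeit".toCharArray();

    /** Delegates every decision to the real trust manager but remembers the chain the server sent. */
    static class RecordingTrustManager implements X509TrustManager {
        final X509TrustManager real; X509Certificate[] seen;
        RecordingTrustManager(X509TrustManager real) { this.real = real; }
        public void checkServerTrusted(X509Certificate[] chain, String auth) throws CertificateException {
            seen = chain;                          // record before validating
            real.checkServerTrusted(chain, auth);  // still enforced: throws if no anchor matches
        }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { real.checkClientTrusted(c, a); }
        public X509Certificate[] getAcceptedIssuers() { return real.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) { ts.load(in, TRUST_PASS); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        RecordingTrustManager rtm = new RecordingTrustManager((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rtm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(DC_HOST, LDAPS_PORT)) {
            s.startHandshake();
            System.out.println("Handshake OK; chain validated against " + TRUST_STORE);
        } catch (SSLHandshakeException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }
        if (rtm.seen != null) {
            System.out.println("Server presented " + rtm.seen.length + " certificate(s):");
            for (X509Certificate c : rtm.seen)
                System.out.println("  subject=" + c.getSubjectX500Principal() + "  issuer=" + c.getIssuerX500Principal());
        }
        System.out.println("Trust anchors in store:");
        for (X509Certificate a : rtm.getAcceptedIssuers())
            System.out.println("  " + a.getSubjectX500Principal());
    }
}
```

When the issuer printed for the DC's certificate does not appear among the anchors, the store is missing the CA certificate that signed the DC's certificate (here the enterprise root), which is exactly what "No trusted certificate found" reports.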
 
LVL 13

Expert Comment

by:petmagdy
ID: 12410861
OK, I am trying with you, bear with me please. Please try to do this:

First: comment out the following and try:

        System.setProperty("javax.net.ssl.trustStore", "d:\\temp\\test.keystore");

        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

Second: which app server or servlet engine are you running on?
0
 
LVL 13

Expert Comment

by:petmagdy
ID: 12410885
One more thing: remember the right LDAP lookup is "ldaps://hostname:636"
0
 

Author Comment

by:hsinchinwang
ID: 12412319

Still got the same exception after commenting out the code...

The code I wrote is a stand-alone app... not running over any app server...
0
 
LVL 13

Expert Comment

by:petmagdy
ID: 12412524
OK, in the URL: http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html

there is a third way to connect using your certificate; please try it under the section:

http://java.sun.com/products/jndi/tutorial/ldap/security/ssl.html
0
 

Author Comment

by:hsinchinwang
ID: 12442647
Hi,

   I've tried the third way (SASL?). Still got the same exception.

0
 
LVL 13

Accepted Solution

by:
petmagdy earned 2000 total points
ID: 12442667
oooooooooofffffffffffffffffffffffffff :(

Dammmm Active directory

Frankly, I worked around this same situation 4 years ago by using Microsoft ADSI COM components, and called them from Java using JNI.
0
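The thread never shows the JNDI password update the question asked about, so here is an added example (not from the thread or from either participant) of what that call looks like once the LDAPS trust problem is solved: Active Directory accepts a password only as the unicodePwd attribute, encoded as the UTF-16LE bytes of the password enclosed in double quotes, and only over an SSL connection. The DC hostname, the DNs and the trust store path are assumed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

public class AdPasswordReset {
    /** AD accepts unicodePwd only as the UTF-16LE bytes of the password wrapped in double quotes. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Administrative reset: a single REPLACE of unicodePwd. (A user changing their own
     *  password must instead send REMOVE of the old value plus ADD of the new one.) */
    static void resetPassword(DirContext ctx, String userDn, String newPassword) throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 2) {
            System.err.println("usage: AdPasswordReset <adminPassword> <newUserPassword>");
            return;
        }
        // The trust store must contain the enterprise root CA that issued the DC's certificate;
        // the DC hostname and DNs below are assumed placeholders.
        System.setProperty("javax.net.ssl.trustStore", "d:\\temp\\test.keystore");
        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://dc1.mycompany.com:636"); // AD refuses unicodePwd writes in clear text
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=administrator,cn=Users,dc=mycompany,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, args[0]); // admin password passed in, never hard-coded
        DirContext ctx = new InitialDirContext(env);
        try {
            resetPassword(ctx, "cn=Test User,cn=Users,dc=mycompany,dc=com", args[1]);
            System.out.println("unicodePwd replaced");
        } finally {
            ctx.close();
        }
    }
}
```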
 

Author Comment

by:hsinchinwang
ID: 12443197
Thanks for your time, petmagdy....

0
