
[LDAP] javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0

by moonsiri 2021. 11. 11.

When changing an LDAP account password from Spring, the following error occurred.

[LDAP: error code 53 - 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
 ]; nested exception is javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
 ]; remaining name 'CN=XXX'


The cause was that, since I was still testing LDAP, the SSL certificate had not been registered.

For other causes, see the explanation below.


error code 53

The LDAP server cannot process the request because of server-defined restrictions. This error is returned for the following reasons:

  • The add entry request violates the LDAP Server's structure rules
  • The modify attribute request specifies attributes that users cannot modify
  • Password restrictions prevent the action
  • Connection restrictions prevent the action

This error is typically caused by attempting to make changes to a read-only directory. There can be several reasons the directory is read-only:

  • The directory has been configured as a read-only directory
  • The bind account may not have permissions to make changes on the server
  • The server may impose additional restrictions. For example, Active Directory may require a secure connection to allow changes


Known Causes

  1. The LDAP connection does not use SSL/TLS while Active Directory requires a secure connection for this operation.

  2. There are password policies in the AD environment


Resolution

  1. If the problem is caused by the missing SSL/TLS connection, configure the LDAP connection to use SSL (LDAPS) with a server certificate the client trusts.

  2. If the issue is caused due to password policies, contact the LDAP administrator for policy information.


Change a Windows Active Directory and LDS user password through LDAP

The password is stored in the AD and LDS database on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read. The attribute can only be modified; it cannot be added on object creation or queried by a search.

In order to modify this attribute, the client must have a 128-bit Transport Layer Security (TLS)/Secure Socket Layer (SSL) connection to the server. An encrypted session using SSP-created session keys from NTLM or Kerberos is also acceptable, as long as the minimum key length is met.

For this connection to be possible using TLS/SSL:

  • The server must possess a server certificate for a 128-bit RSA connection.
  • The client must trust the certificate authority (CA) that generated the server certificate.
  • Both client and server must be capable of 128-bit encryption.

The syntax of the unicodePwd attribute is octet-string; however, the directory service expects that the octet-string will contain a UNICODE string (as the name of the attribute indicates). This means that any values for this attribute passed in LDAP must be UNICODE strings that are BER-encoded (Basic Encoding Rules) as an octet-string. In addition, the UNICODE string must begin and end in quotes that are not part of the desired password.

There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal user change password operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it.

The second way to modify this attribute is analogous to an administrator resetting a password for a user. In order to do this, the client must bind as a user with sufficient permissions to modify another user's password. This modify request should contain a single replace operation with the new desired password surrounded by quotes. If the client has sufficient permissions, this password becomes the new password, regardless of what the old password was.


import java.nio.charset.StandardCharsets;

import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.query.LdapQuery;
import org.springframework.ldap.query.LdapQueryBuilder;

// Administrative reset: a single REPLACE of unicodePwd, which AD only accepts over a secure (LDAPS/TLS) connection.
public void modifyPassword(String userId, String newPassword) {

    // Look up the user's entry by its AD identifier attribute
    LdapQuery qry = LdapQueryBuilder.query().where(AD_ID_ATTR).is(userId);
    ADEmpSchemaVO empVO = ldapTemplatePool.findOne(qry, ADEmpSchemaVO.class);

    DirContextOperations context = ldapTemplatePool.lookupContext(empVO.getDn());

    ModificationItem[] mods = new ModificationItem[1];

    // AD requires the new password wrapped in double quotes and encoded as UTF-16LE
    String newQuotedPassword = "\"" + newPassword + "\"";
    byte[] newUnicodePassword = newQuotedPassword.getBytes(StandardCharsets.UTF_16LE);

    mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, new BasicAttribute("unicodePwd", newUnicodePassword));

    ldapTemplatePool.modifyAttributes(context.getDn(), mods);
}
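The method above covers only the administrative reset (a single replace). The following is an added example, not the post's code, that builds the unicodePwd modifications for both forms described earlier (the user change as delete-old plus add-new, and the admin reset), applies the quote-and-UTF-16LE encoding, and refuses to send the change over a plaintext ldap:// URL, which is the situation that produced the error 53 above. Class and method names are hypothetical, and the URL check assumes ldaps:// is the transport in use (a StartTLS setup would need a different check).

```java
import java.nio.charset.StandardCharsets;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

// Hypothetical helper (added example): builds unicodePwd modifications for AD.
public final class UnicodePwdChange {

    // AD expects the password wrapped in double quotes and encoded as UTF-16LE.
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // User-initiated change: delete the current value and add the new one in one modify request.
    static ModificationItem[] userChange(String oldPassword, String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    // Administrative reset: a single replace; the bind account needs permission to reset passwords.
    static ModificationItem[] adminReset(String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword)))
        };
    }

    // Guard for the error-53 cause in the post: unicodePwd is only writable over a secure connection.
    // Assumes LDAPS is the chosen transport; StartTLS on ldap:// would need a separate check.
    static void requireSecureUrl(String ldapUrl) {
        if (!ldapUrl.toLowerCase().startsWith("ldaps://")) {
            throw new IllegalStateException(
                "unicodePwd changes require TLS; AD returns error 53 (WILL_NOT_PERFORM) over " + ldapUrl);
        }
    }

    public static void main(String[] args) {
        requireSecureUrl("ldaps://dc.example.test:636"); // constructed sample URL
        byte[] enc = encodeUnicodePwd("Pa55w0rd");
        // "\"Pa55w0rd\"" is 10 UTF-16 code units, so 20 bytes; the first byte is 0x22 ('"') followed by 0x00
        System.out.println(enc.length + " bytes, first=" + enc[0] + ", second=" + enc[1]);
        System.out.println(userChange("OldPass1", "NewPass2").length + " modifications for a user change");
        System.out.println(adminReset("NewPass2").length + " modification for an admin reset");
    }
}
```

The returned ModificationItem[] is what goes into ldapTemplate.modifyAttributes(dn, mods) in place of the single-element array in the post's method.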
