Changing Active Directory user password - language-agnostic

How can I change an Active Directory user password using Directory Services without knowing old password?

You are probably looking for the SetPassword method, which you should invoke on a DirectoryEntry object.
Check the "Reset a User's Password" example here: Howto: (Almost) Everything In Active Directory via C#.
EDIT:
If you are having problems with the directory entry being null, you are probably passing a wrong path. The path should be something like this:
DirectoryEntry entry = new DirectoryEntry("LDAP://CN=johndoe,CN=Users,DC=acme,DC=com");

There is a new library introduced in .NET 3.5 called System.DirectoryServices.AccountManagement. It simplifies user management stuff.
using System;
using System.DirectoryServices.AccountManagement;

public void ChangePassword(string dn, string newPassword)
{
    using (var context = new PrincipalContext(ContextType.Domain))
    using (var user = UserPrincipal.FindByIdentity(context, IdentityType.DistinguishedName, dn))
    {
        if (user == null)
            throw new ArgumentException("No user found with DN " + dn, "dn");

        // SetPassword is a reset: it does not need the current password,
        // but the caller needs the reset-password right on the account.
        user.SetPassword(newPassword);
    }
}

As an MCSE, I do password resets many times a day so I can tell you something about this.
There are basically two operations you can perform with an Active Directory password: a change, and a reset. Changing a password requires that you know the current password on an account, but resetting a password does not. So, in order to change a user's password without knowing the password, you really need to perform a password reset operation on the account.
By the way, I believe there are two separate Active Directory extended rights that control each of these permissions, but I am not intimately familiar with them, as I am a delegated admin who has been delegated this ability.
So, please keep in mind that any attempts to reset a user's password will fail if you don't have the reset password right granted to you on the target user account.
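The change-versus-reset distinction above, written out against the same AccountManagement API as an added example (not code from either answer); the domain and account names passed in are assumed placeholders:

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example, not from the answers above: the two operations the answer
// distinguishes. "acme.com" and the account names passed in are placeholders.
public static class AdPasswordOps
{
    // Change: the user proves knowledge of the current password.
    public static bool ChangePassword(string domain, string samAccountName,
                                      string oldPassword, string newPassword)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) return false;
            try
            {
                user.ChangePassword(oldPassword, newPassword);
                return true;
            }
            catch (PasswordException)
            {
                // Wrong current password, or the new one violates domain policy.
                return false;
            }
        }
    }

    // Reset: no current password needed, but the caller must hold the
    // reset-password right on this account. Expiring the password at once
    // forces the user to replace the value the helpdesk knows.
    public static bool ResetPassword(string domain, string samAccountName, string newPassword)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) return false;
            try
            {
                user.SetPassword(newPassword);
                user.ExpirePasswordNow();
                return true;
            }
            catch (Exception ex) when (ex is UnauthorizedAccessException || ex is PrincipalOperationException)
            {
                return false; // access denied: the caller lacks the reset right
            }
        }
    }
}
```

A reset performed by an administrator is a privileged operation; logging who reset whose password, and forcing a change at next logon as shown, keeps it auditable.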

Related

CakePHP 3: Encrypt/decrypt password

How can I show the decrypted user password in an edit form?
I am using DefaultPasswordHasher for Hashing passwords while registration of users using this:
use Cake\Auth\DefaultPasswordHasher;

// Entity mutator: CakePHP calls this whenever the password field is set.
protected function _setPassword($password) {
    return (new DefaultPasswordHasher)->hash($password);
}
It works well and the password is encrypted...
But when I use the user table in the view page and the edit page it shows the encrypted password. So how can I decrypt the password in the controller, and on the edit page also decrypt it and store it in the database, in CakePHP 3.x?
The simple answer is: you can't.
The whole point of hashing is that you cannot reverse engineer the password. So that when your database is hacked or leaked no harm can be done with the passwords.
Any website showing you your own password has a severe security problem and I would not use it.
There is also no point in showing the encrypted password. Editing a password is not needed, you just overwrite the old one (when they can still provide their old one, of course), and if one of your users forgets their own password you should provide them with a recovery system, using their email for example.

Spring Security Authenticates User with old credentials until Web App Restart

Hi there I am developing a web app and I am using Spring Security. In the app the user can change his/her details (username, password and some other fields). I am using a custom User Details Class for this and my Spring Security configuration is the default (keep in mind no cache method is declared, so I suppose NullUserCache is used). All the user records come from DataBase using JDBC Connector (MySQL).
Now when a user changes his/her info and/or username-password, those changes update the corresponding columns in the database. So now the DB is updated. Because I have not implemented setters in my custom User Details class, I force the user to log out automatically. But now he/she can log in using both the new username and the old one.
Suppose now that the user changed something in the other fields (for example, the age was changed from 20 to 21). When the user logs in using the new username I can see 21. If the user logs in using the old username I can see 20!
I guess Spring Security now creates a new User (during login) which didn't exist and the old one is never removed!
So after reading many posts on the web and trying the corresponding solutions I'm still unable to fix that.
What I have used (in the controller that is responsible for account editing):
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler;

Authentication authenticate = SecurityContextHolder.getContext().getAuthentication();
if (authenticate != null) {
    // Invalidate the session and clear the current security context
    new SecurityContextLogoutHandler().logout(request, response, authenticate);
}
SecurityContextHolder.getContext().setAuthentication(null);
SecurityContextHolder.clearContext();
What I understand and believe is that Spring Security holds somewhere (I thought the User Cache) the username, maybe along with the password, and now it sees the old username as a different User. The only way to prevent this from happening is to restart the app. After restarting, the user only logs in using the new username.
Is there any way I can remove that "user"-username? Any suggestion would be useful, I am really confused, and the only case close to mine was this, but his problem was with the Oracle connector using connection cache.
UPDATE: the problem was tracked down to a problem inside the loadbyusername method. Read more in the 14th comment below :)
Happy coding!
I finally found the source of that problem. Black hole closed. Credits to @Jebil and @Robin Winch for their help!
Well, everything worked as it should except the fact that the HashMap in the DAO responsible for the login was never cleared. So after every successful login attempt the HashMap returned was appended to, and so after every username update it contained both old and new values. The solution was simple: before accessing the DB the HashMap should be cleared!
Happy dividing by 0 :P

Retrieving current user's UserId object

I'm writing some code that does administrative tasks on an Exchange server, and I need to set a public folder's permissions, giving myself (that is, the mailbox/user that is connected to Exchange) permissions on a given folder.
The code for this is along these lines:
UserId userId = ???;
myFolder.Permissions.Add(userId, FolderPermissionLevel.Owner);
myFolder.Update();
This code would work fine (and there's no problem with me having permissions to grant myself permissions, since I'm in the Public Folder Management AD group), but the problem is that I don't have UserId object that represents the current user. I don't even have a primarySmtpAddress, which is another way to get a UserId. All I know is that I'm in the context of a user that has permissions to a mailbox - it might be the current Windows user, it might just be a NetworkCredential that was passed to my library.
Is there a way in EWS to get the current user, or at least the current user's SMTP address? I looked in the ExchangeService class but couldn't find anything to that effect.
If you have the NetworkCredential you can bind to AD and use the GetObject to get the IADsUser. From there you can get the email address. Then you can use:
UserIdType user = new UserIdType();
user.PrimarySmtpAddress = "user3@example.com.com";
to set your permissionset userid:
http://msdn.microsoft.com/en-us/library/bb856574(v=exchg.80).aspx
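The approach the answer describes (bind to AD with the NetworkCredential, read the mail attribute, build the permission from it), as an added example using System.DirectoryServices and the EWS Managed API rather than the answer's proxy types; it is not the answer's own code and assumes cred.Domain holds the DNS domain and cred.UserName a sAMAccountName:

```csharp
using System;
using System.DirectoryServices;
using System.Net;
using Microsoft.Exchange.WebServices.Data;

// Added example (not the answer's code): resolve the SMTP address of the
// account behind a NetworkCredential by binding to AD with that credential,
// then build the EWS UserId from it. Assumes cred.Domain holds the DNS
// domain (e.g. "acme.com") and cred.UserName a sAMAccountName.
public static class CurrentUserSmtp
{
    // Escape a value per RFC 4515 before embedding it in an LDAP filter,
    // so a user name containing "*", "(" or ")" cannot alter the query.
    public static string EscapeLdap(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29")
                    .Replace("\0", "\\00");
    }

    public static string LookupPrimarySmtp(NetworkCredential cred)
    {
        using (var root = new DirectoryEntry("LDAP://" + cred.Domain,
                   cred.Domain + "\\" + cred.UserName, cred.Password,
                   AuthenticationTypes.Secure))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeLdap(cred.UserName) + "))";
            searcher.PropertiesToLoad.Add("mail");
            SearchResult hit = searcher.FindOne();
            if (hit == null || hit.Properties["mail"].Count == 0)
                return null;                     // no such account or no mailbox
            return (string)hit.Properties["mail"][0];
        }
    }

    // Grant the resolved user Owner on the folder, as in the question.
    public static void GrantOwner(Folder folder, NetworkCredential cred)
    {
        string smtp = LookupPrimarySmtp(cred);
        if (smtp == null)
            throw new InvalidOperationException("Could not resolve the current user's SMTP address");
        folder.Permissions.Add(new FolderPermission(new UserId(smtp), FolderPermissionLevel.Owner));
        folder.Update();
    }
}
```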

Login via email + set_own_login_name + pas.plugins.sqlalchemy = change address fail

I'm using pas.plugins.sqlalchemy on a fresh new Plone 4.1 installation.
I set Plone to have the email address as login name.
It's all OK, but if I want to change the email address via the personal-information panel I get an error:
You are not a Plone member. You are probably registered on the root user folder. Please notify an administrator if this is unexpected.
In case I would change another personal data field I don't obtain errors.
The problem seems to be the set_own_login_name function of Products.CMFPlone (utils.py).
Details here http://pastie.org/3780218
Thanks,
Vito
Are you logged in as an admin user defined in the Zope root?
If that is the case, then see if you can change the login name by going to the acl_users in the Zope root and changing it there.
Otherwise, temporarily switch off emaillogin, change your email, and switch emaillogin back on.
Note that there is a comment (by me) in the utils.py code right before this KeyError is raised, which points to a possible solution that I don't really like:
# PLIP9214: For a user in the zope root we could do something like this:
# userfolder = member.getUser().__parent__.users
# userfolder.updateUser(member.id, loginname)
# But it is probably best not to touch root zope users.

Anonymous users with sitecore domains

I'm checking if this is a sitecore bug, or if I'm missing something obvious.
EDIT FOR CLARIFICATION: The problem I'm having is that I'm trying to set up the configuration settings in the Domains.config file so that Sitecore shouldn't be creating (and/or returning) an anonymous user for a domain set up this way. However, if I use the Domain.GetUsers() function on the domain, I still get the anonymous user returned.
The membership provider is custom built and connects to LDAP in read-only mode.
Details
Using Sitecore 6.4.1 and given the following domain configuration in App_Config/Security/domains.config
<domain name="DOMAINNAME" ensureAnonymousUser="false" anonymousUserName="" everyoneRoleName="" />
and these comments in that domain.config file
anonymousUserName: <snip> Set to blank to disable the anonymous user for the domain. Optional
ensureAnonymousUser: Indicates if the domain should ensure that an anonymous user for the domain exists in the Membership database. Optional - default value: false
everyoneRoleName: <snip> Set to blank to disable the everyone role for the domain. Optional - default value: Everyone
If I use the following code,
using System.Collections.Generic;
using System.Linq; // needed for ToArray<T>()

List<Sitecore.Security.Accounts.User> users = new List<Sitecore.Security.Accounts.User>();
var domain = Sitecore.Security.Domains.Domain.GetDomain(DOMAINNAME);
users.AddRange(domain.GetUsers().ToArray<Sitecore.Security.Accounts.User>());
I get the anonymous user included in users list. I assumed from the comments in the domain.config file that I shouldn't get the anonymous user if I set up my domain as above.
Is there something obvious that I'm missing?
Just a guess, as I have not used 6.4 yet or tweaked any of those types of settings before... but I believe Sitecore always comes pre-packaged with the Anonymous user in the membership. By setting ensureAnonymousUser to false you're just telling it not to ensure it's there, but it's already there by default. Why don't you try this test:
Set ensureAnonymousUser to true then delete [*] the Anonymous user from the user manager.
Log out and back in and see if it's there again. If so then the "ensure" aspect of that worked. So...
Set ensureAnonymousUser to false then do the same thing. Does the user come back?
This is really just a hunch on how it works -- I don't have an environment like that set up right now to play with, but it's worth a shot.
[*] - to delete a user from the User Manager, go to Sitecore > Security > User Manager
I think it's more a question for the membership provider you use. Take a look at the Active Directory Module.
Maybe this is something that could help you.