Java creates an MS AD account and sets its password with an SSL certificate
Recently, because of work, I have been sorting out some automation. The company went live with an OA system last year, and its onboarding process now submits new-hire information to the IT department. Previously, when someone joined, IT collected the user's information and created the corresponding account in AD by hand. To make the administrators more efficient, I decided to automate AD account creation: when the OA process reaches the IT staff approval node and is approved, the account is created automatically from the personnel information. So I put together some Java code to create AD user records. One thing to note: when operating MS AD from Java, ordinary operations do not require SSL, but resetting a user's password must go over SSL. I had seen claims online that this can be skipped, but none of them worked for me, so the password operation follows the standard configuration. Enough preamble. Today we introduce creating an MS AD account from Java over SSL. Because we set a password for the created user, an SSL certificate is required; its purpose is to make Java trust the LDAP server, so we export the trusted certificate from AD and import it into the cacerts file under the JRE of the Java runtime environment. Since OA was mentioned: the OA system itself offers a function for certificate application and import, which is the simpler route; without an OA environment, we can import the certificate with the JDK's keytool. Both are described below.
We first use the function in OA to import the certificate. Our OA's certificate store is /oafs/weaver/jdk1.8.0_101/jre/lib/security/cacerts.
After confirming the JDK path in the OA environment, we proceed with the certificate application and import.
Open the OA address and append /integration/ldapcert.jsp to access the page directly. If that page does not exist, the required Java files can be obtained from the OA vendor or downloaded from the attachment.
First download the attachment; after extracting it there are three folders: classbean, integration and src.
1. Copy the contents of the classbean folder to the corresponding directory on the OA server: Ecology\classbean\weaver\ldap
2. Copy the files from the integration folder of the extracted archive to the corresponding directory on the OA server: Ecology\integration
3. The third folder, src, is the source code and can be ignored.
After configuring as above, we can open http://192.168.6.101/integration/ldapcert.jsp
On that page, enter the address of the AD DC server in the LDAP IP field. The system fills in LDAP port 636 and the certificate path automatically; we only need to set the certificate password manually, normally changeit. With this information entered, we import the certificate and the following import message is shown;
Import complete
Then download the certificate from the certificate path to the local JRE environment for testing.
Now the second way of applying for the certificate: we need to export the domain root certificate from the DC.
MMC > Add snap-in > Certificates > Computer account > Personal > select the root certificate > Export
No need to export the private key.
Use the default DER encoding.
Save
Export the other certificate in the same way.
Then import the root certificate into the cacerts file of the local JDK environment.
My local JDK path is D:\Development_Environment\java\jdk\jre\lib\security
Then run the command to import the root certificate you just exported into the cacerts file at that path.
First cd to the JDK bin directory:
cd D:\Development_Environment\java\jdk\jre\bin
Then save the exported root certificate to the D drive and import it with the following command:
keytool -import -keystore D:\Development_Environment\java\jdk\jre\lib\security\cacerts -storepass changeit -keypass changeit -alias ca -file D:\ADroot.cer
Enter y to trust the certificate.
Once the import succeeds, we look at the AD environment.
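Before running the account-creation code it is worth confirming that the JRE really trusts the DC's certificate. The following check is added here and is not part of the original article: it loads cacerts, looks for the alias used in the keytool command above (ca), and performs an LDAPS handshake with host-name verification. The DC host name and the paths are assumptions; use the DC's FQDN rather than its IP, because JDK 8u181 and later verify the LDAPS host name against the certificate.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Checks that cacerts holds the imported AD root and that an LDAPS handshake to the DC succeeds. */
public class LdapsTrustCheck {
    // Assumed values: adjust to your environment. Use the DC's FQDN, not its IP.
    static final String CACERTS = "D:\\Development_Environment\\java\\jdk\\jre\\lib\\security\\cacerts";
    static final String DC_HOST = "dc01.ixmsoft.com"; // placeholder host name
    static final int LDAPS_PORT = 636;
    /** True when the alias imported with keytool ("ca" in the article) is present in the trust store. */
    static boolean trustStoreHasAlias(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(CACERTS)) {
            ks.load(in, "changeit".toCharArray());
        }
        return ks.isCertificateEntry(alias);
    }
    /** TLS handshake against the DC using cacerts as the trust store; prints the chain the DC presents. */
    static boolean ldapsHandshakeOk() throws Exception {
        System.setProperty("javax.net.ssl.trustStore", CACERTS);
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(DC_HOST, LDAPS_PORT)) {
            // Match the certificate's name against the host we connected to, as JNDI does for ldaps:// URLs
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("LDAPS");
            socket.setSSLParameters(params);
            socket.startHandshake();
            for (Certificate c : socket.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("chain: " + x.getSubjectX500Principal() + " <- " + x.getIssuerX500Principal());
            }
            return true;
        } catch (SSLHandshakeException e) {
            // Untrusted root or name mismatch: the AD root is missing from cacerts or the host name is wrong
            System.out.println("handshake failed: " + e.getMessage());
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("alias 'ca' present: " + trustStoreHasAlias("ca"));
        System.out.println("LDAPS handshake ok: " + ldapsHandshakeOk());
    }
}
```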
With the preparation done, we can move on to the code.
We set the certificate path, the LDAP authentication information, and the user name to be registered.
Account registered successfully.
The code:
```java
package com.ixmsoft.oa.util;

import java.util.Properties;
import javax.naming.*;
import javax.naming.ldap.*;
import javax.naming.directory.*;

/**
 * @author Keven Chen
 * @version $Revision 1.0 $
 */
public class AddAdUser {

    private static final String SUN_JNDI_PROVIDER = "com.sun.jndi.ldap.LdapCtxFactory";

    public static void main(String[] args) throws Exception {
        // Trust store that holds the imported AD root certificate
        String keystore = "D:\\Development_Environment\\java\\jdk\\jre\\lib\\security\\cacerts";
        System.setProperty("javax.net.ssl.trustStore", keystore);

        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, SUN_JNDI_PROVIDER); // java.naming.factory.initial
        env.put(Context.PROVIDER_URL, "ldap://192.168.5.20:636");     // java.naming.provider.url
        env.put(Context.SECURITY_AUTHENTICATION, "simple");          // java.naming.security.authentication
        env.put(Context.SECURITY_PRINCIPAL, "CN=Administrator,CN=Users,DC=ixmsoft,DC=com"); // java.naming.security.principal
        env.put(Context.SECURITY_CREDENTIALS, "123");                // java.naming.security.credentials
        env.put(Context.SECURITY_PROTOCOL, "ssl");

        String userName = "CN=gaowenlong,OU=ixm adm,OU=imxsoft users,DC=ixmsoft,DC=com";
        String groupName = "CN=Domain Admins,CN=Users,DC=ixmsoft,DC=com";

        LdapContext ctx = new InitialLdapContext(env, null);

        // Create attributes to be associated with the new user
        Attributes attrs = new BasicAttributes(true);

        // These are the mandatory attributes for a user object.
        // Note that win2k3 will automagically create a random
        // sAMAccountName if it is not present. (Win2k does not)
        attrs.put("objectClass", "user");
        attrs.put("sAMAccountName", "gaowenlong");
        attrs.put("cn", "gaowenlong");

        // These are some optional (but useful) attributes
        attrs.put("sn", "gaowenlong");
        attrs.put("displayName", "gaowenlong");
        attrs.put("description", "gaowenlong");
        attrs.put("userPrincipalName", "[email protected]");
        attrs.put("mail", "[email protected]");
        attrs.put("telephoneNumber", "1234568999");

        // Some useful constants from lmaccess.h
        int UF_ACCOUNTDISABLE = 0x0002;      // disabling an account
        int UF_PASSWD_NOTREQD = 0x0020;      // no password required
        int UF_PASSWD_CANT_CHANGE = 0x0040;  // user cannot change password
        int UF_NORMAL_ACCOUNT = 0x0200;      // normal user
        int UF_DONT_EXPIRE_PASSWD = 0x10000; // password never expires
        int UF_PASSWORD_EXPIRED = 0x800000;  // the password has expired

        // Note that you need to create the user object before you can
        // set the password. Therefore, as the user is created with no
        // password, userAccountControl must be set to the following,
        // otherwise the win2k3 password filter will return error 53
        // unwilling to perform.
        attrs.put("userAccountControl",
                Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWD_NOTREQD + UF_PASSWORD_EXPIRED + UF_ACCOUNTDISABLE));

        // Create the context
        Context result = ctx.createSubcontext(userName, attrs);
        System.out.println("Created disabled account for: " + userName);

        ModificationItem[] mods = new ModificationItem[2];

        // Replace the "unicodePwd" attribute with a new value.
        // Password must be both Unicode and a quoted string
        String newQuotedPassword = "\"Password2000\"";
        byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");

        mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("unicodePwd", newUnicodePassword));
        mods[1] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                new BasicAttribute("userAccountControl", Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWORD_EXPIRED)));

        // Perform the update
        ctx.modifyAttributes(userName, mods);
        System.out.println("Set password & updated userAccountControl");

        // Now add the user to a group.
        try {
            ModificationItem member[] = new ModificationItem[1];
            member[0] = new ModificationItem(DirContext.ADD_ATTRIBUTE, new BasicAttribute("member", userName));
            ctx.modifyAttributes(groupName, member);
            System.out.println("Added user to group: " + groupName);
        } catch (NamingException e) {
            System.err.println("Problem adding user to group: " + e);
        }

        // Could have put tls.close() prior to the group modification
        // but it seems to screw up the connection or context?
        ctx.close();
        System.out.println("Successfully created user: " + userName);
    }
}
```
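The sample above fixes the initial password in the source and sets userAccountControl by adding constants together. The helper below is added here and is not part of the original code: it isolates the unicodePwd encoding (the password wrapped in double quotes, encoded as UTF-16LE) and the flag change (clearing the disabled and password-not-required bits with bitwise operators instead of arithmetic) so an OA approval job can reuse them. The class and method names are this example's own, not the project's.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

/** Helpers for the password step: unicodePwd encoding and userAccountControl flag changes. */
public class AdPasswordHelper {
    // userAccountControl bits from lmaccess.h, the same values the article uses
    static final int UF_ACCOUNTDISABLE   = 0x0002;
    static final int UF_PASSWD_NOTREQD   = 0x0020;
    static final int UF_NORMAL_ACCOUNT   = 0x0200;
    static final int UF_PASSWORD_EXPIRED = 0x800000;
    /** AD accepts unicodePwd only as the password wrapped in double quotes and encoded as UTF-16LE. */
    static byte[] encodeUnicodePwd(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }
    /** Random initial password instead of one fixed value shared by every account the job creates. */
    static String randomInitialPassword(int length) {
        String alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%";
        SecureRandom rnd = new SecureRandom();
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) sb.append(alphabet.charAt(rnd.nextInt(alphabet.length())));
        return sb.toString();
    }
    /** Clears the "disabled" and "no password required" bits and leaves a normal account whose password is
     *  expired, so the person must change it at first logon. Bitwise ops rather than + and - keep the result
     *  correct whatever bits the current value already carries. */
    static int enableAccountControl(int current) {
        return (current & ~(UF_ACCOUNTDISABLE | UF_PASSWD_NOTREQD)) | UF_NORMAL_ACCOUNT | UF_PASSWORD_EXPIRED;
    }
    /** The two modifications the article applies in a single modifyAttributes call over LDAPS. */
    static ModificationItem[] passwordAndEnableMods(String password, int currentUac) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(password))),
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("userAccountControl", Integer.toString(enableAccountControl(currentUac))))
        };
    }
    public static void main(String[] args) {
        // Value the account is created with in the article, before the password is set
        int created = UF_NORMAL_ACCOUNT | UF_PASSWD_NOTREQD | UF_PASSWORD_EXPIRED | UF_ACCOUNTDISABLE;
        String pwd = randomInitialPassword(16);
        System.out.println("unicodePwd length: " + encodeUnicodePwd(pwd).length + " bytes");
        System.out.println("userAccountControl after enable: 0x" + Integer.toHexString(enableAccountControl(created)));
        System.out.println("modifications to apply: " + passwordAndEnableMods(pwd, created).length);
    }
}
```

The sample also adds the new account to Domain Admins; an onboarding job should add it to an ordinary users group instead, and the bind account should be a service account with delegated create rights rather than Administrator.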
We check the result:
View the account properties:
Then view the properties:
The Java file is uploaded as an attachment. If Eclipse reports errors, right-click and import the LDAP-related packages.
This article is from the "Gao Wenrong" blog; reprinting is declined!