Esri / geoportal-server

Geoportal Server is a standards-based, open source product that enables discovery and use of geospatial resources including data and services.
https://gptogc.esri.com/geoportal
Apache License 2.0

Windows Active Directory Users Unable to Change Password #285

Open gavincollins opened 6 years ago

gavincollins commented 6 years ago

I have a Geoportal 1.2.9 deployment, and I want to enable "allow user password change" in Geoportal. Currently, when a user changes their password, a success message is returned by Geoportal; however, the user's password does not change. It remains the original.

I have configured the Geoportal with Windows Active Directory using the LDAPS protocol following the instructions provided on the github wiki page https://github.com/Esri/geoportal-server/wiki/Connecting-to-a-User-Directory.

All necessary changes were made to the gpt.xml and importing of Active Directory SSL certificates into the Tomcat Java Keystore which is stated as a requirement to enable password change in Geoportal. The ldapServiceAccount has full permissions on the Active Directory domain.

I am aware Windows Active Directory has two containers which records an accounts password:

  1. userPassword
  2. unicodePwd

I have tested configuring the gpt.xml with both of these password containers, and the outcome is the same: a false password change success message is given, because the password remains the original one. I have also tested switching between using the LDAP and LDAPS protocols.

Importantly, when configured for either, I can see the password change process updating the containers userPassword and unicodePwd with NEW values, which appear to be an encrypted version of the new password entered by the user. Therefore Geoportal has permissions to update these containers.

I would appreciate any help on this issue,

Thanks, Gavin
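The "success" message described above only reflects that the LDAP modify operation returned without an error. As an added example (not Geoportal's or Esri's code), the JNDI snippet below shows the two things a deployment has to get right before Active Directory will actually replace the logon password, and the check that separates a real change from an accepted-but-ineffective write: the `unicodePwd` value must be the new password wrapped in double quotes, encoded as UTF-16LE and sent over LDAPS, and the only reliable confirmation is to bind as the user with the new password afterwards. The host, DNs and passwords are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.ModificationItem;

/**
 * Added example (not Geoportal code): change an Active Directory password over
 * LDAPS with plain JNDI, then prove the change took effect by binding as the user.
 * Host, DNs and passwords below are placeholders.
 */
public class AdPasswordChangeCheck {

    // AD only updates the real logon password when unicodePwd receives the new
    // value wrapped in double quotes and encoded as UTF-16LE over an encrypted
    // connection. A value in any other encoding is rejected.
    static byte[] encodeUnicodePwd(String clearText) {
        return ("\"" + clearText + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    static DirContext bind(String url, String principalDn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // must be ldaps:// for unicodePwd writes
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principalDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /**
     * Self-service change: REMOVE the old value and ADD the new one in a single
     * modify. AD treats this as a user-initiated change and enforces password
     * policy (history, minimum age). A REPLACE by a service account is an
     * administrative reset and bypasses those checks.
     */
    static void changePassword(DirContext ctx, String userDn, String oldPwd, String newPwd)
            throws NamingException {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(oldPwd))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPwd)))
        };
        ctx.modifyAttributes(userDn, mods);
    }

    /** The only trustworthy success check: can the user bind with the new password? */
    static boolean canBind(String url, String userDn, String password) {
        try {
            bind(url, userDn, password).close();
            return true;
        } catch (NamingException e) {
            return false;
        }
    }

    public static void main(String[] args) throws NamingException {
        String url = "ldaps://dc.example.local:636";                  // placeholder
        String userDn = "CN=Jane Doe,OU=Users,DC=example,DC=local";  // placeholder
        String oldPwd = args.length > 0 ? args[0] : "OldP@ss-placeholder";
        String newPwd = args.length > 1 ? args[1] : "NewP@ss-placeholder";

        DirContext ctx = bind(url, userDn, oldPwd);
        try {
            changePassword(ctx, userDn, oldPwd, newPwd);
        } finally {
            ctx.close();
        }
        // A modify that returns without an exception is exactly what produces a
        // "success" message. Confirm the directory changed the logon password
        // before telling the user it did.
        System.out.println(canBind(url, userDn, newPwd)
                ? "password change verified by bind"
                : "modify accepted but the new password does not authenticate");
    }
}
```

Two caveats worth keeping in mind when reading a thread like this one. First, Active Directory does not use the `userPassword` attribute for logon by default; unless the domain has been configured to honour it, a value written there is stored as an ordinary attribute, so seeing it update proves only that the write was permitted, not that the password changed. Second, the bind test at the end is the check a deployment should run before it reports success; a successful `modifyAttributes` call on its own is not evidence.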

gavincollins commented 6 years ago

@mhogeweg @zguo

zguo commented 6 years ago

You might check if the following post helps: https://asadumar.wordpress.com/2013/02/28/create-user-password-in-active-directory-through-java-code/

gavincollins commented 6 years ago

@zguo Thanks for sharing, but unfortunately that post describes the steps that I have already undertaken. I can't figure out why I am receiving a successful password change message when it is actually false, because the user's password does not change! Within the Windows AD I can inspect the user's attributes, and the unicodePwd attribute has been updated with a new value.