Dev

Reputation: 1561

Spring ldap unlocking an account

I am trying to unlock a user account using Spring LDAP and getting the error message "Malformed 'LockoutTime' attribute value" exception.

My code looks like below

public boolean unlockAccount(Name dn) {
    ModificationItem item = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
            new BasicAttribute("lockoutTime", 0));
    ldapTemplate.modifyAttributes(dn, new ModificationItem[] {item});
    return true;
}

I am using Windows Server 2016 and Spring LDAP 2.3.2.

Is 'lockoutTime' the correct attribute to unlock an account? Is there anything else I am missing?

Upvotes: 0

Views: 2908

Answers (4)

Ankush Patel

Reputation: 11

import javax.naming.NamingEnumeration;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

String[] attrIDs = new String[] { "lockoutTime", "sAMAccountName",
        "distinguishedName", "pwdLastSet", "accountExpires", "userAccountControl",
        "IsAccountLocked" };

SearchControls ctls = new SearchControls();
ctls.setReturningAttributes(attrIDs);
ctls.setSearchScope(SearchControls.SUBTREE_SCOPE);

// samaccountname is concatenated straight into the filter; it must be
// LDAP-filter-escaped (RFC 4515) first, or the caller can rewrite the filter.
String filter = "(&(objectClass=user)(objectCategory=Person)(sAMAccountName="
        + samaccountname + "))";

// ctx is the bound DirContext; the search itself takes the SearchControls
NamingEnumeration<SearchResult> answer = ctx.search(adManagedOU, filter, ctls);

while (answer.hasMore()) {
    SearchResult rs = answer.next();
    Attributes attrs = rs.getAttributes();
    String distinguishedName = rs.getNameInNamespace();

    // lockoutTime is a Windows FILETIME; 0 (or absent) means the account is not locked.
    // Attributes.get() returns an Attribute, not a String, so read the value with get().
    Attribute lockOutAttr = attrs.get("lockoutTime");
    if (lockOutAttr != null && Long.parseLong(lockOutAttr.get().toString().trim()) > 0) {
        ModificationItem[] mods1 = new ModificationItem[] {
                new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                        new BasicAttribute("lockoutTime", "0")) };
        // the modify goes through the DirContext, not the SearchControls object
        ctx.modifyAttributes(distinguishedName, mods1);
    } else {
        LOGGER.info(username + " Account Not Locked");
    }
}

Upvotes: 1

Goutham Harshith

Reputation: 283

In LDAP, if you type the wrong password more than 5 times, the account gets locked. If you want to unlock the user you have to delete an operational attribute named pwdAccountLockedTime.

public String unlockUser(Users pvo) {
    System.out.println("this is pvo" + pvo);

    Name dn = buildDn(pvo);
    DirContextOperations context = ldapTemplate.lookupContext(dn);
    ModificationItem[] modificationItems = new ModificationItem[1];
    modificationItems[0] = new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
            new BasicAttribute("pwdAccountLockedTime"));

    ldapTemplate.modifyAttributes(dn, modificationItems);

    return "Account Unlocked";
}

Build the DN for your LDAP and use the above code; then the user gets unlocked.

Upvotes: 2

CaptRespect

Reputation: 2055

Setting the value to a String instead of an int makes this work, at least with AWS Simple AD.

ModificationItem item = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
        new BasicAttribute("lockoutTime", "0"));
ldapTemplate.modifyAttributes(dn, new ModificationItem[] {item});

Upvotes: 0

jwilleke

Reputation: 11026

The only value that may be set on lockoutTime is "0", which will effectively unlock the account.

To learn more, see Microsoft Active Directory Lockouts.

Upvotes: 0
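The answers above split along directory type: on Active Directory the lock is a non-zero lockoutTime that you REPLACE with the string "0" (the question's Integer 0 is what produces the "Malformed 'LockoutTime' attribute value" error), while on OpenLDAP with the ppolicy overlay the lock is the presence of pwdAccountLockedTime and the unlock is a REMOVE. Ankush Patel's JNDI version also concatenates the login name straight into the search filter. The Spring LDAP class below is an added example, not code from the question or any answer; it uses LdapQueryBuilder so the login value is filter-escaped, reads both attributes, and sends only the modification the entry actually needs. The class name AccountUnlocker, the search base passed to the constructor and the assumption that the LdapTemplate is bound as a service account allowed to write those attributes are all assumptions for the example.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import javax.naming.Name;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.query.LdapQuery;
import org.springframework.ldap.query.LdapQueryBuilder;

/**
 * Added example, not code from the question or any of the answers.
 * Unlocks a user on either Active Directory (lockoutTime) or an OpenLDAP server
 * running the ppolicy overlay (pwdAccountLockedTime).
 *
 * Assumptions: the LdapTemplate is bound as a service account that may write those
 * attributes; searchBase (e.g. "ou=people,dc=example,dc=com") is a hypothetical value
 * supplied by the caller.
 */
public class AccountUnlocker {

    // Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
    private static final long FILETIME_EPOCH_OFFSET_SECONDS = 11_644_473_600L;

    // slapo-ppolicy stores this sentinel when an administrator locks the account permanently.
    private static final String PPOLICY_PERMANENT_LOCK = "000001010000Z";

    private final LdapTemplate ldapTemplate;
    private final String searchBase;

    public AccountUnlocker(LdapTemplate ldapTemplate, String searchBase) {
        this.ldapTemplate = ldapTemplate;
        this.searchBase = searchBase;
    }

    /**
     * Locate the user by login name. LdapQueryBuilder applies RFC 4515 filter escaping to
     * the value, so a login such as "jdoe)(objectClass=*" is matched literally instead of
     * rewriting the filter. pwdAccountLockedTime is operational and is only returned when
     * requested by name, hence the explicit attribute list.
     */
    public DirContextOperations findUser(String login) {
        LdapQuery query = LdapQueryBuilder.query()
                .base(searchBase)
                .attributes("lockoutTime", "pwdAccountLockedTime", "sAMAccountName", "uid")
                .where("objectClass").is("person")
                .and(LdapQueryBuilder.query()
                        .where("sAMAccountName").is(login)
                        .or("uid").is(login));
        // Throws IncorrectResultSizeDataAccessException unless exactly one entry matches.
        return ldapTemplate.searchForContext(query);
    }

    /** Clears whichever lockout attribute is set; returns a short audit message. */
    public String unlock(String login) {
        DirContextOperations user = findUser(login);
        Name dn = user.getDn();
        List<ModificationItem> mods = new ArrayList<>();
        StringBuilder report = new StringBuilder(dn.toString());

        // Active Directory: lockoutTime is a FILETIME (100 ns ticks since 1601); 0 or absent
        // means not locked. The replacement value must be the String "0": a Java Integer is
        // not a legal LDAP attribute value, which is what triggers the "Malformed" error.
        String lockoutTime = user.getStringAttribute("lockoutTime");
        if (lockoutTime != null && Long.parseLong(lockoutTime) > 0) {
            report.append(" AD lock since ").append(fileTimeToInstant(Long.parseLong(lockoutTime)));
            mods.add(new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("lockoutTime", "0")));
        }

        // OpenLDAP ppolicy: the lock is the presence of pwdAccountLockedTime,
        // so the unlock is a REMOVE of the attribute rather than a REPLACE.
        String pwdLocked = user.getStringAttribute("pwdAccountLockedTime");
        if (pwdLocked != null) {
            report.append(PPOLICY_PERMANENT_LOCK.equals(pwdLocked)
                    ? " ppolicy administrative lock" : " ppolicy lock since " + pwdLocked);
            mods.add(new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("pwdAccountLockedTime")));
        }

        if (mods.isEmpty()) {
            return report.append(": not locked, no modification sent").toString();
        }
        ldapTemplate.modifyAttributes(dn, mods.toArray(new ModificationItem[0]));
        return report.append(": unlocked").toString();
    }

    /** Converts a Windows FILETIME to an Instant, for logging when the lock started. */
    static Instant fileTimeToInstant(long fileTime) {
        long seconds = fileTime / 10_000_000L - FILETIME_EPOCH_OFFSET_SECONDS;
        long nanos = (fileTime % 10_000_000L) * 100L;
        return Instant.ofEpochSecond(seconds, nanos);
    }
}
```

Call `new AccountUnlocker(ldapTemplate, "ou=people,dc=example,dc=com").unlock("jdoe")` from the component that already owns the LdapTemplate. The read-before-write matters for two reasons: it keeps the modify away from the directory when nothing is locked, and it gives you the lock timestamp to log alongside the unlock, which is the evidence an incident responder wants when a burst of lockouts turns out to be a password-spraying attempt rather than a forgotten password.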
