Password Update in AD 2003 through Java web application

  • Question

  • Hi,

    I am using AD 2003 to store users' credentials.

    I am trying to reset the user password through my Java web application.

    Here is the code to change the password.

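    import javax.naming.directory.BasicAttribute;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.ModificationItem;

    ctx = getADSContext(); // getting AD context using admin userid and pwd to port 636.
    // AD expects the password wrapped in double quotes and encoded as UTF-16LE
    String newQuotedPassword = "\"" + password + "\"";
    byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
    // single REPLACE of the password attribute on the user's entry
    ModificationItem[] mods = new ModificationItem[1];
    mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
            new BasicAttribute("UnicodePwd", newUnicodePassword));
    ctx.modifyAttributes("CN=" + userid, mods);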

    The password is updated successfully. But once the password reset is successful, the user is able to log in using both the new password and the old password.

    For example, the user is user1 and the current password is password1.

    Now user1 is changing the password from password1 to password2.

    After a successful password change, user1 is able to log in using both password1 and password2.

    Now user1 is again changing the password from password2 to password3.

    After the successful password change for the second time, user1 is able to log in using password2 and password3. password1 is not valid any more.

    So, the pattern I am seeing is that the last changed (old) password is still cached somewhere in AD (I guess).

    In my web application I am not storing the password in any format (it's a normal practice in all web applications for security reasons).

    Please help me to figure out what could be the reason.

     Thanks in advance.

    Friday, July 1, 2011 3:39 AM
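
Added example, not part of the original post or of any Microsoft code: the snippet in the question performs an administrative reset (a single REPLACE of unicodePwd), while Active Directory also accepts a user-initiated change sent as a REMOVE of the old value plus an ADD of the new value in the same modify request. The class name, method names and sample passwords below are hypothetical and constructed for illustration; `apply` assumes an already established LDAPS context like the one returned by the post's `getADSContext()`.

```java
import java.nio.charset.StandardCharsets;
import javax.naming.NamingException;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;

// Hypothetical helper: builds the two kinds of unicodePwd modification.
public class UnicodePwdMods {

    // AD expects the password wrapped in double quotes, encoded as UTF-16LE.
    static byte[] encode(String password) {
        return ("\"" + password + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    // Administrative reset: one REPLACE, the old password is not supplied.
    static ModificationItem[] resetMods(String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encode(newPassword)))
        };
    }

    // User change: REMOVE the old value and ADD the new one in a single
    // request, so the directory checks the old password before accepting.
    static ModificationItem[] changeMods(String oldPassword, String newPassword) {
        return new ModificationItem[] {
            new ModificationItem(DirContext.REMOVE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encode(oldPassword))),
            new ModificationItem(DirContext.ADD_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encode(newPassword)))
        };
    }

    // Sends the modification over an existing LDAPS context (port 636 in the post).
    static void apply(DirContext ctx, String userDn, ModificationItem[] mods)
            throws NamingException {
        ctx.modifyAttributes(userDn, mods);
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials; no directory is contacted.
        System.out.println("encoded bytes: " + encode("password2").length);
        System.out.println("reset ops:     " + resetMods("password2").length);
        System.out.println("change ops:    " + changeMods("password1", "password2").length);
    }
}
```

Which form is sent determines whose authority the operation runs under: the reset path needs an account with reset rights on the target user, while the change path can be bound as the user and fails if the old password is wrong.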