Not able to Update password and useraccountcontrol in AD using Spring LDAP

2015-03-10 java spring active-directory spring-ldap

I am new to Spring LDAP and Active Directory and am facing an issue while updating the password for a newly created user in AD.

Using Spring LDAP I first created a user in AD successfully and then tried to update the password and userAccountControl of the user, at which point I get the exception below. We have been trying for the last week and have not been able to resolve it. Any help/direction is highly appreciated.

I have been through many blogs and tried what is described in the two posts below, but I am still blocked and getting the same exception:

How do I resolve "WILL_NOT_PERFORM" MS AD reply when trying to change password in scala w/ the unboundid LDAP SDK?

Adding a user with a password in Active Directory LDAP


16:43:56,991 INFO  [stdout] (http-localhost-  INFO [http-localhost-] ( - HelperDao.getNextUserId(): entry

16:43:57,007 INFO  [stdout] (http-localhost- Hibernate:   SELECT LTRIM(TO_CHAR( IP_USER_XDUSERID_SEQ.nextval, '000000000000000000000000000')) ID from dual

16:43:57,164 INFO  [stdout] (http-localhost-  INFO [http-localhost-] ( - HelperDao.getNextUserId(): exit

16:47:17,051 INFO  [stdout] (http-localhost- 16:47:17.051 [http-localhost-] ERROR - catching

16:47:17,051 INFO  [stdout] (http-localhost- javax.naming.OperationNotSupportedException: [LDAP: error code 53 - 0000200D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
16:47:17,067 INFO  [stdout] (http-localhost- 
16:47:17,067 INFO  [stdout] (http-localhost-       at com.sun.jndi.ldap.LdapCtx.mapErrorCode( ~[?:1.7.0_45]
16:47:17,067 INFO  [stdout] (http-localhost-       at com.sun.jndi.ldap.LdapCtx.processReturnCode( ~[?:1.7.0_45]
16:47:17,067 INFO  [stdout] (http-localhost-       at com.sun.jndi.ldap.LdapCtx.processReturnCode( ~[?:1.7.0_45]
16:47:17,067 INFO  [stdout] (http-localhost-       at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes( ~[?:1.7.0_45]
16:47:17,067 INFO  [stdout] (http-localhost-       at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes( ~[?:?]
16:47:17,067 INFO  [stdout] (http-localhost-       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes( ~[?:?]
16:47:17,099 INFO  [stdout] (http-localhost-       at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes( ~[?:?]
16:47:17,099 INFO  [stdout] (http-localhost-       at ~[?:1.7.0_45]
16:47:17,099 INFO  [stdout] (http-localhost-       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.7.0_45]
16:47:17,099 INFO  [stdout] (http-localhost-       at sun.reflect.NativeMethodAccessorImpl.invoke( ~[?:1.7.0_45]
16:47:17,099 INFO  [stdout] (http-localhost-       at sun.reflect.DelegatingMethodAccessorImpl.invoke( ~[?:1.7.0_45]
16:47:17,099 INFO  [stdout] (http-localhost-       at java.lang.reflect.Method.invoke( ~[?:1.7.0_45]
16:47:17,099 INFO  [stdout] (http-localhost-       at ~[spring-ldap-core-2.0.2.RELEASE.jar:2.0.2.RELEASE]
16:47:17,099 INFO  [stdout] (http-localhost-       at org.springframework.ldap.transaction.compensating.manager.TransactionAwareDirContextInvocationHandler.invoke( ~[spring-ldap-core-2.0.2.RELEASE.jar:2.0.2.RELEASE]
16:47:17,099 INFO  [stdout] (http-localhost-       at com.sun.proxy.$Proxy69.modifyAttributes(Unknown Source) ~[?:?]
16:47:17,099 INFO  [stdout] (http-localhost-       at [classes:?]
16:47:17,099 INFO  [stdout] (http-localhost-       at [classes:?]
16:47:17,099 INFO  [stdout] (http-localhost-       at [classes:?]
16:47:17,099 INFO  [stdout] (http-localhost-       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.7.0_45]
16:47:17,115 INFO  [stdout] (http-localhost-       at sun.reflect.NativeMethodAccessorImpl.invoke( ~[?:1.7.0_45]
16:47:17,115 INFO  [stdout] (http-localhost-       at sun.reflect.DelegatingMethodAccessorImpl.invoke( ~[?:1.7.0_45]
16:47:17,115 INFO  [stdout] (http-localhost-       at java.lang.reflect.Method.invoke( ~[?:1.7.0_45]
16:47:17,115 INFO  [stdout] (http-localhost-       at [jbossws-common-2.0.2.GA.jar!/:2.0.2.GA]
16:47:17,115 INFO  [stdout] (http-localhost-       at org.jboss.wsf.stack.cxf.JBossWSInvoker._invokeInternal( [jbossws-cxf-server-4.0.2.GA.jar!/:4.0.2.GA]
16:47:17,115 INFO  [stdout] (http-localhost-       at org.jboss.wsf.stack.cxf.JBossWSInvoker.invoke( [jbossws-cxf-server-4.0.2.GA.jar!/:4.0.2.GA]
16:47:17,115 INFO  [stdout] (http-localhost-       at org.apache.cxf.interceptor.ServiceInvokerInterceptor$ [cxf-rt-core-2.4.6.jar!/:2.4.6]
16:47:17,115 INFO  [stdout] (http-localhost-       at java.util.concurrent.Executors$ [?:1.7.0_45]
16:47:17,115 INFO  [stdout] (http-localhost-       at [?:1.7.0_45]

Below is the code snippet:

ldap.userDn=CN=IP User,OU=AdminAccounts,DC=stp-qa,DC=st,DC=com

import javax.naming.Name;
import org.springframework.ldap.odm.annotations.Attribute;
import org.springframework.ldap.odm.annotations.Entry;
import org.springframework.ldap.odm.annotations.Id;

@Entry(objectClasses = { "top", "person", "organizationalPerson", "user", "st-individualpassportuser" })
public final class User {

    // Spring LDAP ODM requires the entry's DN to be marked with @Id
    @Id
    private Name dn;

    @Attribute(name = "mail")
    private String email;

    @Attribute(name = "cn")
    private String fullName;

    @Attribute(name = "givenName")
    private String firstName;

    @Attribute(name = "sn")
    private String lastName;

    @Attribute(name = "st-AccValidationStatus")
    private String accountStatus;

    @Attribute(name = "st-entryStatus")
    private String validationStatus;

    @Attribute(name = "whenCreated")
    private String creationDate;

    @Attribute(name = "st-ValidatedOn")
    private String validationDate;

    @Attribute(name = "st-ValidatedBy")
    private String validatedBy;

    @Attribute(name = "st-currentLogon")
    private String lastLogon;

    @Attribute(name = "st-loginRedirectURL")
    private String loginRedirectUrl;

    @Attribute(name = "st-jvCompany")
    private String jvCode;

    @Attribute(name = "sAMAccountName")
    private String samAccount;

    @Attribute(name = "st-userSpecifedCompany")
    private String employerName;

    @Attribute(name = "postalCode")
    private String zipCode;

    // Note: ODM maps fields that carry no @Attribute under the field name unless they are marked @Transient
    private String xdUserId;

    private String loginCount;

    private byte[] unicodePassword;

    private String userAccountControl;

    private String userAccLastValidated;

    private String userSecretQuestion;

    private String userAnswerToSecretQuestion;

    // getters and setters (e.g. setUnicodePassword, setUserAccountControl) omitted from the question
}

Java class for password computation:

    /**
     * Add the unicode password to the user object.
     * LDAP does not allow the password/userAccountControl to be set during creation of the user by design,
     * so the user has to be updated in AD with the password and userAccountControl after creation.
     * @param password the clear-text password to encode
     */
    private void addPasswordToUserProfile(String password) {

        // AD expects the new password wrapped in double quotes and encoded as UTF-16LE
        String newQuotedPassword = "\"" + password + "\"";
        try {
            byte[] newUnicodePassword = newQuotedPassword.getBytes("UTF-16LE");
            adUserBean.setUnicodePassword(newUnicodePassword);   // setter on the User bean, assumed from the field name
            int UF_NORMAL_ACCOUNT = 0x0200;
            int UF_PASSWORD_EXPIRED = 0x800000;
            adUserBean.setUserAccountControl(Integer.toString(UF_NORMAL_ACCOUNT + UF_PASSWORD_EXPIRED));
        } catch (UnsupportedEncodingException e) {
            // UTF-16LE is a standard charset on every JVM, so this cannot happen in practice
            throw new IllegalStateException("UTF-16LE not supported", e);
        }
    }

import javax.naming.Name;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.ldap.NameNotFoundException;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.query.LdapQueryBuilder;

public class UserADRepository {

    private LdapTemplate ldapTemplate;

    public User create(User user) {
        ldapTemplate.create(user);   // body completed here: ODM create of the mapped entry
        return user;
    }

    public User findByFullName(String fullName) {
        return ldapTemplate.findOne(
                LdapQueryBuilder.query().where("cn").is(fullName), User.class);
    }

    /**
     * Find user in LDAP based on the user's sAMAccountName.
     * @param samAccount the sAMAccountName to look up
     * @return the user, or null when no entry matches
     */
    public User findBySamAccountName(String samAccount) {
        User usr = null;
        try {
            usr = ldapTemplate.findOne(
                    LdapQueryBuilder.query().where("sAMAccountName")
                            .is(samAccount), User.class);
        } catch (EmptyResultDataAccessException emptyException) {
            return usr;
        }
        return usr;
    }

    /**
     * Find user in LDAP based on the user's DN (distinguishedName).
     * @param dn the distinguished name of the entry
     * @return the user, or null when the entry does not exist
     */
    public User findByDn(Name dn) {
        User usr = null;
        try {
            usr = ldapTemplate.findByDn(dn, User.class);
        } catch (NameNotFoundException e) {
            return usr;
        }
        return usr;
    }

    /**
     * Update user in AD.
     * @param user the mapped user entry
     */
    public void update(User user) {
        ldapTemplate.update(user);   // body completed here: ODM update of the mapped attributes
    }

    public void delete(User user) {
        ldapTemplate.delete(user);   // body completed here
    }
}

Thanks in advance for any help or direction to resolve this issue.
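The two-step flow the question is trying to implement, written out as an added example (this is not code from the question, the answers, or the Spring LDAP project; it assumes the Spring LDAP 2.0 API used in the question, and every host name, DN and account name in it is a placeholder). Two points matter for the error in the trace: Active Directory refuses to write unicodePwd over an unencrypted ldap:// connection, which is the usual reason for error code 53 (WILL_NOT_PERFORM) on that attribute, so the context source has to use ldaps://; and a newly created AD user is disabled until userAccountControl is replaced with a value that does not carry the ACCOUNTDISABLE bit. The example also reads the flags back and binds as the user to confirm that the change took effect:

```java
import javax.naming.Name;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.ModificationItem;
import java.nio.charset.StandardCharsets;
import org.springframework.dao.EmptyResultDataAccessException;
import org.springframework.ldap.NamingException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.ldap.core.LdapTemplate;
import org.springframework.ldap.core.support.LdapContextSource;
import org.springframework.ldap.query.LdapQueryBuilder;
import org.springframework.ldap.support.LdapNameBuilder;

/** Added example: set an AD user's password and enable the account as a second step after creation. */
public final class AdPasswordSetter {

    // userAccountControl bits as documented by Microsoft for the attribute
    static final int UF_ACCOUNTDISABLE   = 0x0002;
    static final int UF_NORMAL_ACCOUNT   = 0x0200;
    static final int UF_PASSWORD_EXPIRED = 0x800000;

    /** AD only accepts unicodePwd as the password wrapped in double quotes and encoded as UTF-16LE. */
    static byte[] encodeUnicodePwd(String clearText) {
        return ("\"" + clearText + "\"").getBytes(StandardCharsets.UTF_16LE);
    }

    /** Enabled normal account; optionally force a password change at first logon. */
    static int userAccountControlFor(boolean mustChangeAtNextLogon) {
        int flags = UF_NORMAL_ACCOUNT;            // ACCOUNTDISABLE is deliberately left clear
        if (mustChangeAtNextLogon) {
            flags |= UF_PASSWORD_EXPIRED;
        }
        return flags;
    }

    /** unicodePwd writes need an encrypted connection, so refuse anything that is not ldaps://. */
    static LdapTemplate ldapsTemplate(String ldapsUrl, String serviceAccountDn, String serviceAccountPassword) {
        if (!ldapsUrl.startsWith("ldaps://")) {
            throw new IllegalArgumentException("unicodePwd can only be written over LDAPS, got " + ldapsUrl);
        }
        LdapContextSource contextSource = new LdapContextSource();
        contextSource.setUrl(ldapsUrl);
        contextSource.setUserDn(serviceAccountDn);
        contextSource.setPassword(serviceAccountPassword);
        contextSource.afterPropertiesSet();
        return new LdapTemplate(contextSource);
    }

    /** Both attributes in one modify request, issued after the entry itself has been created. */
    static void setPasswordAndEnable(LdapTemplate ldap, Name userDn, String newPassword, boolean mustChange) {
        ModificationItem[] mods = {
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("unicodePwd", encodeUnicodePwd(newPassword))),
            new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
                    new BasicAttribute("userAccountControl", Integer.toString(userAccountControlFor(mustChange))))
        };
        ldap.modifyAttributes(userDn, mods);
    }

    /** Read userAccountControl back and check that the ACCOUNTDISABLE bit is clear. */
    static boolean isEnabled(LdapTemplate ldap, Name userDn) {
        DirContextOperations entry = ldap.lookupContext(userDn);
        int flags = Integer.parseInt(entry.getStringAttribute("userAccountControl"));
        return (flags & UF_ACCOUNTDISABLE) == 0;
    }

    /**
     * Bind as the user to prove the password took effect. This only succeeds when mustChange was false:
     * with PASSWORD_EXPIRED set, AD refuses the bind until the user changes the password.
     */
    static boolean canBind(LdapTemplate ldap, String sAMAccountName, String password) {
        try {
            // the query builder escapes the value, so sAMAccountName cannot alter the LDAP filter
            ldap.authenticate(LdapQueryBuilder.query().where("sAMAccountName").is(sAMAccountName), password);
            return true;
        } catch (NamingException | EmptyResultDataAccessException e) {
            return false;   // wrong password, disabled account, or no such user
        }
    }

    public static void main(String[] args) {
        // placeholders: your DC, the service account DN, and the DN of the user created in step one;
        // args[0] is the service account password, args[1] the new user's password
        LdapTemplate ldap = ldapsTemplate("ldaps://dc.example.test:636",
                "CN=IP User,OU=AdminAccounts,DC=example,DC=test", args[0]);
        Name userDn = LdapNameBuilder.newInstance("CN=New User,OU=Users,DC=example,DC=test").build();

        setPasswordAndEnable(ldap, userDn, args[1], false);
        System.out.println("enabled: " + isEnabled(ldap, userDn));
        System.out.println("bind ok: " + canBind(ldap, "newuser", args[1]));
    }
}
```

For the LDAPS connection to succeed the JVM's truststore has to contain the certificate chain of the domain controller; a trust failure shows up as an SSL handshake exception on the first bind, before any modify is sent. If the modify still returns WILL_NOT_PERFORM over ldaps://, the next thing to check is the domain password policy (length, complexity, history), which AD enforces on unicodePwd writes.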


For updating the AD password use a separate method; it seems that LdapTemplate.update() does not define the correct ModificationItem for the password.

        public void setPassword(Person person) {
            // getRelativeDistinguishedName is the answerer's own helper (not shown in the answer)
            String relativeDn = getRelativeDistinguishedName(person.getDistinguishedName());
            LdapNameBuilder ldapNameBuilder = LdapNameBuilder.newInstance(relativeDn);
            Name dn = ldapNameBuilder.build();

            // lookup first so a missing entry fails here rather than in the modify
            DirContextOperations context = ldapTemplate.lookupContext(dn);

            Attribute attr = new BasicAttribute("unicodepwd", encodePassword(person.getPassword()));
            ModificationItem item = new ModificationItem(DirContext.REPLACE_ATTRIBUTE, attr);

            ldapTemplate.modifyAttributes(dn, new ModificationItem[] {item});
        }

        // encodePassword was not shown in the answer; completed here with the quoting and
        // UTF-16LE encoding that AD requires for unicodePwd
        private byte[] encodePassword(String password) {
            return ("\"" + password + "\"").getBytes(java.nio.charset.StandardCharsets.UTF_16LE);
        }

In addition to aalmero's answer, it seems that the Spring LDAP repository can't save unicodePwd.

But you can use LdapTemplate for it:

    UserAd userAd = new UserAd();   // the answerer's own entry class; its getDn() returns the entry's Name
    // set your stuff;

    ModificationItem[] mods = new ModificationItem[1];
    // encodePassword: wrap the password in double quotes and encode it as UTF-16LE, as in the previous answer
    mods[0] = new ModificationItem(DirContext.REPLACE_ATTRIBUTE,
            new BasicAttribute("unicodePwd", encodePassword("password-respecting-policies")));

    ldapTemplate.modifyAttributes(userAd.getDn(), mods);