Changing Active Directory password over LDAP using passwd/ldappasswd/Samba
No, the unicodePwd attribute will reject changes made if the connection is not secure.
It's also very finicky about formatting of the raw LDAP (UTF-16 for the password strings is required), as well as permission enforcement.
For resetting a password (changing it without knowing the old one), the user that bound to LDAP needs to have the "Reset Password" permission on the target user. If you're doing this, you must use the replace operation.
For changing a password (knowing the old and the new), you don't need to be bound to LDAP as any particular user (assuming that you've left the default permissions in place for "Change Password"). However, you need to send both a delete LDAP change with the correct old password, as well as an add type change with the new password, in the same operation.
See the documentation for the unicodePwd attribute for more information.
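As an added illustration of the two operations described in the answer (not code from the original post): this builds the UTF-16LE, double-quoted unicodePwd values and emits the LDIF modify records for a "change" (delete old + add new in one operation) and a "reset" (single replace). The DN and passwords are constructed sample values; the LDIF is meant to be sent with ldapmodify over LDAPS or StartTLS (e.g. ldapmodify -ZZ), since AD rejects the change on a plaintext connection.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the cleartext wrapped in double quotes and encoded as UTF-16LE (no BOM)."""
    return f'"{password}"'.encode("utf-16-le")


def change_password_modlist(old_password: str, new_password: str):
    """User-initiated change: delete the old value and add the new one in ONE modify operation.
    Works for the user's own account with default 'Change Password' permissions."""
    return [
        ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
        ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def reset_password_modlist(new_password: str):
    """Administrative reset: the bound user needs 'Reset Password' on the target; uses replace."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]


def to_ldif(dn: str, mods) -> str:
    """Render a modify record; binary values use the '::' base64 form required by LDIF."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in mods:
        lines.append(f"{op}: {attr}")
        for value in values:
            lines.append(f"{attr}:: {base64.b64encode(value).decode('ascii')}")
        lines.append("-")  # separates the individual changes inside one operation
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not from any real directory.
    dn = "CN=Sample User,OU=Users,DC=example,DC=test"
    print(to_ldif(dn, change_password_modlist("OldPassw0rd!", "NewPassw0rd!")))
    print(to_ldif(dn, reset_password_modlist("NewPassw0rd!")))
```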
Comments
-
Shiroi98 over 1 year
I am trying to change the Active Directory (on a Windows 2008 server) from a CentOS 6.2 machine over OpenLDAP.
I have tried passwd, ldappasswd and trying to see if I can do it with Samba without the use of TLS/SSL/SASL. Is this possible?
-
Admin over 11 years
Windows requires TLS for the changing of passwords over LDAP. 2008 doesn't have TLS enabled for LDAP by default.
-
Admin over 11 years
I implemented a web based solution for our Linux and Mac users to change their password via browser. I used the LDAP Tool Box project - ltb-project.org/wiki/start. Keep in mind what Phillip mentioned: you need to activate TLS for the Windows LDAP server.
-
Shiroi98 over 11 years
Hi Shane, I have activated Unix Attributes for my AD users, so I checked the unicodePwd attribute: it is not set, but instead it uses the unixUserPassword attribute. Does the same apply? Requires a secure connection?
-
ravi yarlagadda over 11 years
@Shiroi98 The unicodePwd attribute is still always the 'main' password for the user. It never returns any data when queried, so yes, it should appear unset. Are you trying to actually change the user's password, or just to modify the unixUserPassword attribute only, leaving the user's Windows password untouched?
-
Shiroi98 over 11 years
Hmm, I didn't know they were different. So far I can login to AD using the same password set in AD from my CentOS machine, so I assumed it was the same. Also, according to that unicodePwd link, it said something about setting the DSHeuristic attribute to allow modification of the unicodePwd over a non-secure connection. Does this apply to my case?
-
ravi yarlagadda over 11 years
@Shiroi98 There is an option to sync to the unixUserPassword attribute when unicodePwd is changed; if that's enabled then it explains the sync. And no, the only situation in which you can use dSHeuristics to override the encryption requirement is for AD Lightweight Directory Services.
-
Shiroi98 over 11 years
Hi, I found this password sync daemon listed on the MS website: technet.microsoft.com/en-us/library/cc755186. I was wondering if this will work for my setup? However, I am running CentOS 6.2, and it is not listed as one of the OS. Is Red Hat Linux similar to CentOS?