Changing Active Directory password over LDAP using passwd/ldappasswd/Samba


No, the unicodePwd attribute will reject changes made if the connection is not secure.

It's also very finicky about formatting of the raw LDAP (UTF-16 for the password strings is required), as well as permission enforcement.

For resetting a password (changing it without knowing the old one), the user that bound to LDAP needs to have the "Reset Password" permission on the target user. If you're doing this, you must use the replace operation.

For changing a password (knowing the old and the new), you don't need to be bound to LDAP as any particular user (assuming that you've left the default permissions in place for "Change Password"). However, you need to send both a delete LDAP change with the correct old password, as well as an add type change with the new password, in the same operation.

See the documentation for the unicodePwd attribute for more information.
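As an added example (not part of the answer or of the ldap tools it mentions), the Python below builds the LDIF for the two unicodePwd operations the answer describes: the self-service change (delete old + add new in one modify) and the administrative reset (replace). The DN and passwords are constructed placeholders; the output is intended for ldapmodify over an LDAPS or StartTLS session, since AD rejects the attribute in the clear.

```python
import base64

# Added example, not from the answer or the tools it mentions: emit LDIF
# for the unicodePwd modify shapes AD accepts. Send it to ldapmodify over
# LDAPS/StartTLS; an unencrypted connection is rejected by the server.

def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the value as the password wrapped in double quotes,
    encoded as UTF-16 little-endian, with no BOM and no terminator."""
    return f'"{password}"'.encode("utf-16-le")

def _b64_attr(value: bytes) -> str:
    # LDIF marks base64 values with '::'; raw UTF-16 is not printable.
    return "unicodePwd:: " + base64.b64encode(value).decode("ascii")

def change_password_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Self-service change: delete the old value and add the new one inside
    a single modify operation, so AD can verify the old password. Needs no
    'Reset Password' permission, only the default 'Change Password' right."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        _b64_attr(encode_unicode_pwd(old_password)),
        "-",
        "add: unicodePwd",
        _b64_attr(encode_unicode_pwd(new_password)),
        "-",
        "",
    ])

def reset_password_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: a single replace. The bound account must hold
    'Reset Password' on the target user object."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        _b64_attr(encode_unicode_pwd(new_password)),
        "-",
        "",
    ])

if __name__ == "__main__":
    # Constructed sample DN and passwords; not values from the page.
    dn = "CN=Test User,OU=Users,DC=example,DC=test"
    print(change_password_ldif(dn, "OldPa55", "NewPa55"))
    print(reset_password_ldif(dn, "NewPa55"))
```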

Author: Shiroi98, PHP / MySQL Programmer

Updated on September 18, 2022

Comments

  • Shiroi98
    Shiroi98 over 1 year

    I am trying to change the Active Directory (on a Windows 2008 server) from a CentOS 6.2 machine over openLDAP.

    I have tried passwd, ldappasswd and trying to see if I can do it with Samba without the use of TLS/SSL/SASL. Is this possible?

    • Admin
      Admin over 11 years
      Windows requires TLS for the changing of passwords over LDAP. 2008 doesn't have TLS enabled for LDAP by default.
    • Admin
      Admin over 11 years
      I implemented a web based solution for our linux and mac users to change their password via browser. I used the ldap tool box project - ltb-project.org/wiki/start. Keep in mind what Phillip mentioned: you need to activate tls for the windows ldap server.
  • Shiroi98
    Shiroi98 over 11 years
    Hi Shane, I have activated Unix Attributes for my AD users, so I checked the unicodePwd attribute; it is not set, but instead it uses the unixUserPassword attribute. Does the same apply? Does it require a secure connection?
  • ravi yarlagadda
    ravi yarlagadda over 11 years
    @Shiroi98 The unicodePwd attribute is still always the 'main' password for the user. It never returns any data when queried, so yes, it should appear unset. Are you trying to actually change the user's password, or just to modify the unixUserPassword attribute only, leaving the user's Windows password untouched?
  • Shiroi98
    Shiroi98 over 11 years
    Hmm, I didn't know they were different. So far I can login to AD using the same password set in AD from my CentOS machine, so I assumed it was the same. Also, according to that unicodePwd link, it said something about setting the dSHeuristics attribute to allow modification of the unicodePwd over a non-secure connection. Does this apply to my case?
  • ravi yarlagadda
    ravi yarlagadda over 11 years
    @Shiroi98 There is an option to sync to the unixUserPassword attribute when unicodePwd is changed; if that's enabled then it explains the sync. And no, the only situation in which you can use dSHeuristics to override the encryption requirement is for AD Lightweight Directory Services.
  • Shiroi98
    Shiroi98 over 11 years
    Hi, I found this password sync daemon listed on MS website: technet.microsoft.com/en-us/library/cc755186. I was wondering if this will work for my setup? However, I am running CentOS 6.2, and it is not listed as one of the OSes. Is Red Hat Linux similar to CentOS?