Active Directory, LDAP and Passwords

A small collection of info on how to set AD user passwords via LDAP

MS KB Article - How To Change a Windows 2000 User's Password Through LDAP (cache)
a snippet:
The password is stored in the Active Directory on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read. The attribute can only be modified; it cannot be added on object creation or queried by a search. In order to modify this attribute, the client must have a 128-bit Secure Socket Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that generated the server certificate, and both client and server must be capable of 128-bit encryption.

The syntax of the unicodePwd attribute is octet-string; however, the directory service expects that the octet-string will contain a UNICODE string (as the name of the attribute indicates). This means that any values for this attribute passed in LDAP must be UNICODE strings that are BER-encoded (Basic Encoding Rules) as an octet-string. In addition, the UNICODE string must begin and end in quotes that are not part of the desired password.

There are two possible ways to modify the unicodePwd attribute. The first is similar to a normal "user change password" operation. In this case, the modify request must contain both a delete and an add operation. The delete operation must contain the current password with quotes around it. The add operation must contain the desired new password with quotes around it.

The second way to modify this attribute is analogous to an administrator resetting a password for a user. In order to do this, the client must bind as a user with sufficient permissions to modify another user's password. This modify request should contain a single replace operation with the new desired password surrounded by quotes. If the client has sufficient permissions, this password becomes the new password, regardless of what the old password was.
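
The encoding and the two modify forms described in the snippet, as an added example that is not part of the KB article or this page's original content. It assumes the "UNICODE string" is UTF-16LE (the encoding AD uses for unicodePwd) and emits LDIF modify records; the sample DN and passwords are constructed, and the helper names are hypothetical.

```python
import base64

def encode_unicode_pwd(password):
    """Octet-string value for unicodePwd: the password wrapped in double
    quotes (not part of the password itself), encoded as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")

def _b64_line(name, raw):
    # LDIF marks a base64-encoded value with a double colon.
    return name + ":: " + base64.b64encode(raw).decode("ascii")

def _dn_line(dn):
    # RFC 2849: a value that is not plain "safe" ASCII must be base64-encoded.
    safe = (dn.isascii() and dn == dn.strip(" ")
            and not dn.startswith((":", "<"))
            and not any(c in dn for c in "\r\n\0"))
    return "dn: " + dn if safe else _b64_line("dn", dn.encode("utf-8"))

def _modify(dn, operations):
    lines = [_dn_line(dn), "changetype: modify"]
    for op, password in operations:
        lines += [op + ": unicodePwd",
                  _b64_line("unicodePwd", encode_unicode_pwd(password)),
                  "-"]
    return "\n".join(lines) + "\n"

def change_password_ldif(dn, old_password, new_password):
    """User-style change: delete the current value, then add the new one."""
    return _modify(dn, [("delete", old_password), ("add", new_password)])

def reset_password_ldif(dn, new_password):
    """Administrator-style reset: one replace, old password not required."""
    return _modify(dn, [("replace", new_password)])

if __name__ == "__main__":
    dn = "CN=Test User,OU=Staff,DC=example,DC=com"  # constructed sample DN
    print(change_password_ldif(dn, "oldPassword", "newPassword"))
    print(reset_password_ldif(dn, "newPassword"))
```

The base64 in the generated LDIF is an encoding, not protection: treat the file as containing the cleartext password and send it only over the SSL connection the article requires.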

A long thread on devshed on AD/LDAP programming with PHP (cache)
Paged view:
- http://forums.devshed.com/printthread.php?t=74683&pp=40 (cache)
- http://forums.devshed.com/printthread.php?t=74683&page=2&pp=40 (cache)
- http://forums.devshed.com/printthread.php?t=74683&page=3&pp=40 (cache)

Created by gmartin. Last Modification: Tuesday 21 of December, 2004 15:26:55 EST by gmartin.