geekswithblogs.net

Lance's TextBox

For software developers using IPWorks, PowerShell, RSSBus, etc.


News

 Subscribe Add to Technorati Favorites

 

 

 

 


 

 

Search My Blog:

 

 

My Stats

  • Posts - 439
  • Comments - 188
  • Trackbacks - 265

Twitter












Tag Cloud


Recent Comments


Recent Posts


Archives


Post Categories


Blogs


Miscellanous


Noteworthy Stuff


Popular Posts


<< IPWorks VS2005 Update | Home | Top 20 replies by Software Programmers to Software Testers when their programs dont work >>

LDAP Authentication and Password Management



Using LDAP to authenticate users is common, fast, and easy way to do. A while back I wrote a tutorial about how this can be done in a web app using the IP*Works! LDAP component. This particular article was written using VB.Net code samples. Some people ask me for classic ASP code samples, here you go.

Lots of people ask about how to change an Active Directory (orADAM) user password over LDAP. With Novell, SunOne, and OpenLdap, its not so difficult as long as you have the administrator permissions necessary to make the change. With Active Directory it is a mystery that many have struggled with. I think just about every day in the newsgroups somebody asks how to do this.

There are two common ways to change a user password - through the userPassword and unicodePwd attributes. Here's the basic breakdown:

  1. userPassword
    • If you're not using AD, this is all there is to it. "userPassword" will be a write-only attribute that when set, will change the password for the user. If you are using AD, read on...
    • If "userPassword" is a regular password, you can read it and write it but not bind with it.
    • If "userPassword" is instead defined as an alias for "unicodePwd", then you can write to "userPassword" directly and bind with that value (in this case "userPassword" will be write-only).
    • Whether “userPassword“ is a regular password or an alias for “unicodePwd“ is controlled by the 9th bit of dsHeuristics.
    • In ADAM, "userPassword" is defined as an alias for unicodePwd by default.
    • You must use an SSL connection in order for this to work with AD!
  2. unicodePwd
    • In AD, by default "userPassword" is a regular attribute and you'll have to use "unicodePwd" instead.
    • If you use "unicodePwd", you must set it as a quoted unicode byte array.
    • You must use an SSL connection in order for this to work with AD (although from what I understand you may be able to turn that off with dsHeuristics as well. Does anyone have more info on that?)

Note that in both situations above, an SSL connection is required in order to remotely change the password with AD.

If you're bound as an administrative user, you can simply do this password change in one replace command. If you're bound as the end user, you'll have to delete the attribute (using the current password) and then add it back (using the new one).

Update: Added link to classic asp instructions.

posted @ Friday, August 19, 2005 3:27 PM | Filed Under [ Programming ]

Comments

Gravatar # re: LDAP Authentication and Password Management
Posted by sree nagesh on 6/27/2006 2:16 AM
I have one doubt. Does endian order matters when setting unicodePwd? As I see that encrypting password in platform specific endian-order is required for MS-AD but not for other Directory Servers like SUN ONE, OPENLDAP, NOVELL etc.
Please do reply.
Gravatar # re: LDAP Authentication and Password Management
Posted by Lance on 6/27/2006 6:40 AM
Thats right, AD wants little endian.
Gravatar # re: LDAP Authentication and Password Management
Posted by siril on 7/26/2006 3:41 AM
I tried to change the password of an user on an ADS ( over ssl ) by binding as to the administrator of that ADS . But while modifying the unicodePwd Its showing the error :
ldap_modify_s: Server is unwilling to perform (53)
additional info: 0000001F: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0

Can anyone please tell me what is wrong in the way i did .
Gravatar # re: LDAP Authentication and Password Management
Posted by Bob on 8/21/2006 7:30 PM
I'm trying to code an LDAP login in ASP.Net 2.0 using the MS Login control. This necessitates a custom provider. I'm trying to write my own ValidateUser method using the IP*Works LDAPS component. I haven't had much luck yet. Have you tried this yet?
Gravatar # re: LDAP Authentication and Password Management
Posted by Lance on 8/22/2006 6:25 AM
Yes, you can do this with the IP*Works! LDAPS component. You're trying to authenticate with AD? ADAM? Send me an email.
Gravatar # re: LDAP Authentication and Password Management
Posted by prashant on 1/2/2007 8:07 AM
can add users successfully but now I want to verify the these user against LDAP.



I am adding users on root as you said.



Her connection string is a root path.



DirectoryEntry de = new DirectoryEntry(_ConnectionInfo.ConnectionString, user.DistinguishedName, Password, (AuthenticationTypes)_ConnectionInfo.AuthenticationType);



But it throws an exception saying that “user name or password is bad”

Gravatar # re: LDAP Authentication and Password Management
Posted by HoRRoR on 1/23/2007 10:06 PM
hi,
i'm using ADAMand in the ADAM ADSI edit utility there is an option of right clicking a uer and resetting his password. which parameter / attribute is getting affected here?
it is neither the userpassword nor the unicodePwd . i am also able to successfully bind to adam using that password. how cani change it over LDAp?
Gravatar # re: LDAP Authentication and Password Management
Posted by Lance on 1/24/2007 8:10 AM
in ADAM it should be unicodePwd, although as mentioned above userPassword can exist there as an alias.
Gravatar # re: LDAP Authentication and Password Management
Posted by Denis Sevostianov on 4/12/2007 10:56 AM
Hi everyone
I want to change password root in LDAP, but this root is in another node, Can everyone help me?
Gravatar # re: LDAP Authentication and Password Management
Posted by Olabode O on 8/14/2007 4:47 PM
Hi

I still am not able to change the password of an Active Directory user. Does any one have a sample code that I can follow.
My ldap server is SSL enabled already.

Regards
O
Gravatar # re: LDAP Authentication and Password Management
Posted by sharan on 12/27/2007 7:05 AM
I want to know how to retrieve a password from ldap. Is it possible?
Gravatar # re: LDAP Authentication and Password Management
Posted by Lance on 12/27/2007 8:58 AM
Sharan, it depends on the server - but you should not do it. Instead, the user should GIVE his password. If the user doesn't know the password, they should change it (search this blog for how to change the password).
Gravatar # re: LDAP Authentication and Password Management
Posted by Norma on 7/22/2008 9:17 AM
Questions:
can i change the password with the same as the login name in LDAP ??
i became a javax.naming.AuthentificationException.

Thank for yours help.
Post a comment





 

Please add 6 and 5 and type the answer here: