Re: convert sha1 pwd hash to use with userpwd/unicodePwd




You would need to do something like that, unfortunately. ADAM (and AD for
that matter) don't really support migration of password data from other
systems unless you have the plaintext password.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Adam" <adamtuliper@xxxxxxxxxxxxx> wrote in message
news:5E1862C0-920A-4AA9-8FE0-88A32D345624@xxxxxxxxxxxxxxxx
hmm.. setting userPassword with cleartext then rc4 hashes it (not readable so
it seems without lcdump but that's fine) correct? So.. since this is a
conversion and original passwords are already hashed, I guess I'll have to
give default passwords and store the old hashes in a new field and verify
them with admin credentials since I won't be able to do a secure bind. Does
this sound right to you (or default them all to the same pwd and have them
change on first login, but can't do that because of business reasons)?

--
Adam Tuliper
http://www.secure-coding.com


"Joe Richards [MVP]" wrote:

You cannot set the hash nor force ADAM to use a different format.
You will need to set the userPassword with cleartext passwords.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Adam wrote:
Any recommendations on this scenario:
1. An existing ldap store uses the sha1 hashed userPassword attribute.
2. A conversion to ADAM is taking place.
I believe userPassword in ADAM just sits on top of unicodePwd, and this is
MS's hashing algorithm. Is there any way to have ADAM use the userPassword
attribute with the sha1 hashes? I can always add it as a second attribute and
when a user logs in and I can match the sha1 hash, set their password to be
what they entered using an admin binding, but I'm curious if there is a much
better way.
Thanks,
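A worked version of the fallback scheme Adam describes (stage the old hash in a second attribute, verify it on first login, then set the real password with admin credentials), added here as an example and not code from anyone in the thread. It assumes the legacy store holds RFC 2307 style {SHA}/{SSHA} values in userPassword, a hypothetical staging attribute named legacyUserPassword, and the unicodePwd encoding AD and ADAM require (the password in double quotes, UTF-16LE).

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: a legacy {SHA} userPassword value as an OpenLDAP-style
# directory would store it ({SHA} = bare SHA-1, {SSHA} = SHA-1 over
# password + salt with the salt appended to the digest).
LEGACY_SHA = "{SHA}" + base64.b64encode(hashlib.sha1(b"Winter2006!").digest()).decode()

def make_ssha(password: str, salt: bytes = b"") -> str:
    """Build a {SSHA} value; a random 4-byte salt is used if none is given."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_legacy_hash(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate against a {SHA} or {SSHA} userPassword value."""
    if stored.startswith("{SHA}"):
        digest, salt = base64.b64decode(stored[len("{SHA}"):]), b""
    elif stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    else:
        return False  # unknown scheme: refuse rather than guess
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)  # constant-time compare

def encode_unicode_pwd(password: str) -> bytes:
    """AD/ADAM expect unicodePwd as the quoted password encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")

def migration_modify(stored: str, candidate: str):
    """On first login: if the candidate matches the staged legacy hash, return
    the LDAP modify an admin-bound connection would apply (set unicodePwd and
    drop the staged hash, hypothetical attribute name); otherwise None."""
    if not verify_legacy_hash(stored, candidate):
        return None
    return [("replace", "unicodePwd", [encode_unicode_pwd(candidate)]),
            ("delete", "legacyUserPassword", None)]
```

The LDAP bind and modify themselves are left to whatever client library is in use; the returned tuples are only the values to send.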






