Re: LDIFDE Error when trying to change passwords.
- From: JBaxter <JBaxter@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 29 Sep 2006 14:45:01 -0700
Thank you for the reply Joe. The question is why I am receiving the error that I am:
"A device attached to the system is not functioning."
Is it because I am not using SSL? Here is the code that I am using:
dn: CN=testuser,OU=example,DC=example,DC=local
changetype: modify
replace: unicodePwd
unicodePwd:"cGFzc3dvcmQ="
-
"Joe Kaplan" wrote:
I'm a little confused about what you guys are talking about at this point.
It is definitely possible to set passwords via LDAP using LDIFDE and a bunch
of other programmatic approaches. There are two main considerations for
this:
When setting the unicodePwd attribute, you must provide binary (octet
string) data that is the password enclosed in double quotes encoded in
unicode (UTF-16). That's the format unicodePwd wants. It is weird, but
that's what it is.
LDAP password mods must be done via a secure channel with at least 128-bit
cipher strength. On Win2K AD, you can only get this with SSL. On 2K3 AD,
you can actually get this with a SASL bind and Windows SSPI channel encryption,
as SSPI was improved to support 128-bit cipher strength in 2K3 and XP. This
is a bonus, as no SSL is required.
There is actually a nifty shortcut for doing a set password operation in
ldp. Against a 2K3 AD, if you bind with secure bind using an account with
reset password permissions and set the bind to encrypt channel after
connection, you have all the rights and cipher strength you need. Then,
when doing the modify operation against the unicodePwd attribute, you just
specify a replace operation and use this special value to get the unicode:
\UNI:"ThePassword!!"
(or whatever value you want to use...)
And ldp will do the conversion to unicode encoding for you. It is nifty.
The trick with LDIF is simply getting the appropriate string translated to
Base64 and setting the appropriate connection flags.
You can also do password changes by batching a remove op (with the old
password) and an add op (with the new password).
It is actually pretty simple once you know the core rules and know how to
get your tool to execute them.
The comment about unicodePwd being just a hash is not really correct.
unicodePwd is a "write-only" attribute that allows you to specify the
password in plain text using a very specific set of formatting rules and
requiring specific channel encryption. The way the password values are
actually stored in the DIT is a whole other thing entirely, but you can't
read unicodePwd (or any other attribute that might represent the password
like userPassword), so that doesn't really matter from a programming
standpoint. It is a black box.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"JBaxter" <JBaxter@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A202D881-0574-4FEA-94F7-47499D3FA11A@xxxxxxxxxxxxxxxx
The link that you provided is where I got the code in the first place and I am
using a base-64 encoder to encode the password. Where exactly is the error
in the code?
"strongline" wrote:
Password doesn't work that way. UnicodePwd is just a hash value. Please see
http://support.microsoft.com/default.aspx?scid=kb;en-us;263991
JBaxter wrote:
I am trying to update user passwords with the LDIFDE tool and I am receiving
an error. I am running a completely patched 2003 server. The Domain Password
Security is:
Enforce History: Not Defined
Max Age: Not Defined
Min Age: Not Defined
Min Length: 6 characters
Password Complexity: Disabled
Store Password (reversible encryption): Disabled
The file that I am using is:
dn: CN=testyser,OU=example,DC=example,DC=local
changetype: modify
replace: unicodePwd
unicodePwd:cGFzc3dvcmQ=
-
Every time I run this I receive an error:
Connecting to "tldntestjb.techlawtest.local"
Logging in as current user using SSPI
Importing directory from file "changpass.ldif"
Loading entries
1: CN=Jed Baxter,OU=TLI Holdings,DC=techlawtest,DC=local
Entry DN: CN=testuser,OU=exanoke,DC=example,DC=local
changetype: modify
Attribute 0) unicodePwd:cGFzc3dvcmQ=
Add error on line 1: Unwilling To Perform
The server side error is "A device attached to the system is not functioning."
0 entries modified successfully.
An error has occurred in the program
If I use LDIFDE to import a user without the password string the command
completes.
Any help would be appreciated.
Jed Baxter
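As an added example that is not part of the original thread, the following Python script generates LDIF records that follow the unicodePwd rules Joe Kaplan describes above (the password wrapped in double quotes, encoded as UTF-16LE, and written base64-encoded after a double colon so LDIFDE treats it as binary). It also checks why the value posted in the original question, base64 of the UTF-8 bytes of "password" with no quotes, fails those rules. The DN and passwords are constructed sample data; the function names are this example's own.

```python
"""Build LDIF for Active Directory password operations via unicodePwd.

Added example, not code from the original thread. Active Directory expects
the unicodePwd value to be the password wrapped in double quotes and encoded
as UTF-16LE; LDIF carries binary values base64-encoded after "attr::".
The DN and passwords used below are constructed sample data.
"""
import base64


def unicode_pwd_value(password: str) -> str:
    """Return the base64 text LDIF needs for unicodePwd: UTF-16LE of '"<pwd>"'."""
    raw = ('"' + password + '"').encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")


def decode_unicode_pwd(value: str) -> str:
    """Reverse unicode_pwd_value; raises ValueError if the quotes are missing."""
    text = base64.b64decode(value, validate=True).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value is not a double-quoted UTF-16LE password")
    return text[1:-1]


def is_valid_unicode_pwd(value: str) -> bool:
    """Check a base64 value against the unicodePwd formatting rules.

    Rejects values that are not strict base64 (e.g. a literal quote character
    around the base64 text), an odd byte count (not UTF-16), or a decoded
    string that is not wrapped in double quotes.
    """
    try:
        raw = base64.b64decode(value, validate=True)  # binascii.Error is a ValueError
    except ValueError:
        return False
    if len(raw) % 2:  # UTF-16 code units are two bytes each
        return False
    try:
        decode_unicode_pwd(value)
    except (ValueError, UnicodeDecodeError):
        return False
    return True


def reset_password_ldif(dn: str, new_password: str) -> str:
    """LDIF modify record that resets a password (needs Reset Password rights)."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {unicode_pwd_value(new_password)}\n"
        "-\n"
    )


def change_password_ldif(dn: str, old_password: str, new_password: str) -> str:
    """LDIF modify record for a self-service change: delete old value, add new."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "delete: unicodePwd\n"
        f"unicodePwd:: {unicode_pwd_value(old_password)}\n"
        "-\n"
        "add: unicodePwd\n"
        f"unicodePwd:: {unicode_pwd_value(new_password)}\n"
        "-\n"
    )


if __name__ == "__main__":
    dn = "CN=testuser,OU=example,DC=example,DC=local"  # constructed sample DN
    # The value from the original question: base64 of UTF-8 "password", no quotes.
    print("cGFzc3dvcmQ= passes unicodePwd rules?", is_valid_unicode_pwd("cGFzc3dvcmQ="))
    print(reset_password_ldif(dn, "password"))
    print(change_password_ldif(dn, "password", "N3w-Passw0rd!"))
```

The generated record still has to be imported over a channel that meets the cipher-strength requirement described above, for example LDAPS with `ldifde -i -f reset.ldif -s <dc> -t 636`, or on Windows 2003 with the SSPI sign-and-seal bind Joe mentions; over a plain port 389 connection the server refuses the modify regardless of how the value is encoded.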
- Follow-Ups:
- Re: LDIFDE Error when trying to change passwords.
- From: Joe Kaplan
- Re: LDIFDE Error when trying to change passwords.
- References:
- Re: LDIFDE Error when trying to change passwords.
- From: strongline
- Re: LDIFDE Error when trying to change passwords.
- From: Joe Kaplan
- Re: LDIFDE Error when trying to change passwords.