Geeks With Blogs
Welcome to Geeks with Blogs
Lance Robinson
599 Posts | 849 Comments
Post Categories
Archives
Lance's TextBox
<< New version of NukeSyndicate released (DNN Podcasting Module) | Home | AdWords API - 404 Not Found >>
LDAP Authentication and Password Management
Using LDAP to authenticate users is common, fast, and easy way to do. A while back I wrote a tutorial about how this can be done in a web app using the IP*Works! LDAP component. This particular article was written using VB.Net code samples. Some people ask me for classic ASP code samples, here you go.

Lots of people ask about how to change an Active Directory (orADAM) user password over LDAP. With Novell, SunOne, and OpenLdap, its not so difficult as long as you have the administrator permissions necessary to make the change. With Active Directory it is a mystery that many have struggled with. I think just about every day in the newsgroups somebody asks how to do this.

There are two common ways to change a user password - through the userPassword and unicodePwd attributes. Here's the basic breakdown:

  1. userPassword
    • If you're not using AD, this is all there is to it. "userPassword" will be a write-only attribute that when set, will change the password for the user. If you are using AD, read on...
    • If "userPassword" is a regular password, you can read it and write it but not bind with it.
    • If "userPassword" is instead defined as an alias for "unicodePwd", then you can write to "userPassword" directly and bind with that value (in this case "userPassword" will be write-only).
    • Whether “userPassword“ is a regular password or an alias for “unicodePwd“ is controlled by the 9th bit of dsHeuristics.
    • In ADAM, "userPassword" is defined as an alias for unicodePwd by default.
    • You must use an SSL connection in order for this to work with AD!
  2. unicodePwd
    • In AD, by default "userPassword" is a regular attribute and you'll have to use "unicodePwd" instead.
    • If you use "unicodePwd", you must set it as a quoted unicode byte array.
    • You must use an SSL connection in order for this to work with AD (although from what I understand you may be able to turn that off with dsHeuristics as well. Does anyone have more info on that?)

Note that in both situations above, an SSL connection is required in order to remotely change the password with AD.

If you're bound as an administrative user, you can simply do this password change in one replace command. If you're bound as the end user, you'll have to delete the attribute (using the current password) and then add it back (using the new one).

 

Update: Added link to classic asp instructions. Posted on Friday, August 19, 2005 3:27 PM Programming | Back to top

Related Posts on Geeks With Blogs Matching Categories

Comments on this post: LDAP Authentication and Password Management

# re: LDAP Authentication and Password Management
Requesting Gravatar...
I have one doubt. Does endian order matters when setting unicodePwd? As I see that encrypting password in platform specific endian-order is required for MS-AD but not for other Directory Servers like SUN ONE, OPENLDAP, NOVELL etc.
Please do reply.
Left by sree nagesh on Jun 27, 2006 2:16 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
Thats right, AD wants little endian.
Left by Lance on Jun 27, 2006 6:40 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
I tried to change the password of an user on an ADS ( over ssl ) by binding as to the administrator of that ADS . But while modifying the unicodePwd Its showing the error :
ldap_modify_s: Server is unwilling to perform (53)
additional info: 0000001F: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0

Can anyone please tell me what is wrong in the way i did .
Left by siril on Jul 26, 2006 3:41 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
I'm trying to code an LDAP login in ASP.Net 2.0 using the MS Login control. This necessitates a custom provider. I'm trying to write my own ValidateUser method using the IP*Works LDAPS component. I haven't had much luck yet. Have you tried this yet?
Left by Bob on Aug 21, 2006 7:30 PM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
Yes, you can do this with the IP*Works! LDAPS component. You're trying to authenticate with AD? ADAM? Send me an email.
Left by Lance on Aug 22, 2006 6:25 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
can add users successfully but now I want to verify the these user against LDAP.



I am adding users on root as you said.



Her connection string is a root path.



DirectoryEntry de = new DirectoryEntry(_ConnectionInfo.ConnectionString, user.DistinguishedName, Password, (AuthenticationTypes)_ConnectionInfo.AuthenticationType);



But it throws an exception saying that “user name or password is bad”

Left by prashant on Jan 02, 2007 8:07 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
hi,
i'm using ADAMand in the ADAM ADSI edit utility there is an option of right clicking a uer and resetting his password. which parameter / attribute is getting affected here?
it is neither the userpassword nor the unicodePwd . i am also able to successfully bind to adam using that password. how cani change it over LDAp?
Left by HoRRoR on Jan 23, 2007 10:06 PM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
in ADAM it should be unicodePwd, although as mentioned above userPassword can exist there as an alias.
Left by Lance on Jan 24, 2007 8:10 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
Hi everyone
I want to change password root in LDAP, but this root is in another node, Can everyone help me?
Left by Denis Sevostianov on Apr 12, 2007 10:56 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
I want to know how to retrieve a password from ldap. Is it possible?
Left by sharan on Dec 27, 2007 7:05 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
Sharan, it depends on the server - but you should not do it. Instead, the user should GIVE his password. If the user doesn't know the password, they should change it (search this blog for how to change the password).
Left by Lance on Dec 27, 2007 8:58 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
Questions:
can i change the password with the same as the login name in LDAP ??
i became a javax.naming.AuthentificationException.

Thank for yours help.

Left by Norma on Jul 22, 2008 9:17 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
If you userpassword is a regular password could you then read it? How? In .Net for example.
You (Lance) says it depends on tne server. How do you mean? The windows version.

If I use SetPassword and ChangePassword in .Net and userpassword is a regular password does it get updated automatically?
Left by René on Apr 17, 2009 11:37 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
I have this code that validates the username in LDAP

Try
With oSearcher
.SearchRoot = New DirectoryEntry("LDAP://" & ldapServerName)
.PropertiesToLoad.AddRange(ResultFields)
.SearchRoot.AuthenticationType = AuthenticationTypes.ServerBind
.Filter = "cn=" & pFindWhat
.SearchRoot.Password = "WESM"
oResults = .FindAll()
End With
'oResult.GetDirectoryEntry.Password
mCount = oResults.Count
If mCount > 0 Then
For Each oResult In oResults
mLDAPRecord = oResult.GetDirectoryEntry().Properties("cn").Value & " " & oResult.GetDirectoryEntry().Properties("mail").Value

MsgBox(oResult.GetDirectoryEntry().Properties("userPassword").Value & " " & oResult.GetDirectoryEntry().Properties("unicodePwd").Value)
RetArray.Add(mLDAPRecord)
Next
End If
Catch e As Exception

MsgBox("Error is " & e.Message)
Return RetArray

End Try


However, even if I put a blank password, it will still validate that there is an existing user. HOw will I use both username and password for checking? Need help.
Left by Mayet on Oct 18, 2009 2:53 PM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
If it works without a password, that means you're binding anonymously. If you want to authenticate a user, just require a non-empty password.
Left by Lance Robinson on Oct 19, 2009 12:38 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
I mean, if I have tried to enter a blank password, it can find an existing user and validates it. But if I supply a password, lets say wrong password, it tells me a message "There is no such object". I just would like to know how will i check if its really correct. Is there a property for the password (like the properties("cn"))?
Left by Mayet on Oct 19, 2009 12:24 PM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
Hi all, I am using Cognos with Sunone LDAP.

I have a .Net website allowing users to reset passwords. This is done by binding as the Directory Manager and finding the user and replacing the value for userPassword within the LDAP.....all ok so far and it does that.

However when going into Cognos and trying to login with the changed password above it does not seem to work, but does with the old password. I have noticed the Cognos Access Manager seems to change the authPassword entry in the LDAP.

Any ideas ?
Left by Kets on Jan 27, 2010 7:06 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
Kets, I am trying to do the exact same thing! Have you had any luck? If I figure it out I will post the solution here.
Left by Chris on Mar 18, 2010 10:57 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
We're considering moving from OpenLDAP to AD. I can extract the userPassword from OpenLDAP as a salted hashed string {ssha}blabla... My question is, can I then set this password as is in the userPassword attribute of AD with write-alias activate and have that update the unicodePwd attribute automatically? Basically is there any way I can transfer the user passwords from OpenLDAP to AD?
Thanks.
Left by Ian on Feb 08, 2011 4:05 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
So, has anyone actually got a working VB.Net utility that will allow a user to reset their AD password? I want to be able to use a tool that allows the user to reset/change their password. I do not want to use the system tool provided by Microsoft.
Left by Ian Peake on Feb 17, 2011 11:21 AM
# re: LDAP Authentication and Password Management
Requesting Gravatar...
Ian, did you even work out if you could set userPassword?
Left by Scott on Nov 16, 2011 5:24 PM
Your comment:
 (will show your gravatar)

Copyright © Lance Robinson | Powered by: GeeksWithBlogs.net


Popular Posts on Geeks with Blogs 0
Geeks With Blogs Content Categories ASP.Net SQL Server Apple Google SharePoint Windows Visual Studio Team Foundation Server Agile Office Design Patterns Web Azure
Brand New Posts on Geeks with Blogs 0