I'm wondering what format I need to put hashes in to write to userPassword via LDAP. Apache Directory Studio gives me several options, but I don't think any of them are it. Can anyone document the proper encoding and algorithms used by default for AD 2003r2?
2 Answers
You can't write password hashes into the Active Directory via LDAP. You can update the "unicodePwd" attribute via LDAP over SSL. (If you're not using SSL you'll get back a "The server is unwilling to process the request." error 0x80072035).
There's no "supported" mechanism for writing raw hashes into the Directory, though.

This KB article indicates that you can write the password as a unicode octet-string (of the plaintext password) to a user's unicodePwd attribute. It's described for Windows 2000, but as far as I know this hasn't changed.
This blog post includes a Perl script which implements the process, and which you can look to for more details. Here's another example in Java.
I think the userPassword attribute is an alias for unicodePwd, but I don't actually know if that's true.
Note: You must use an SSL connection to LDAP to update a user's password; AD will not permit password updates over an unencrypted channel.

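The procedure the answer above describes, as an added example that is not from the original post or the linked blog: the value written to unicodePwd is the plaintext password enclosed in double quotes and encoded as UTF-16LE, not a hash. The code builds that value, wraps it in an LDIF change record with the base64 form that binary attributes need, and refuses to build the record unless the target URL is ldaps://, mirroring the server-side rule that password writes are only accepted over an encrypted channel. The DN, host name and password are constructed placeholders.

```python
import base64
from urllib.parse import urlparse


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a plaintext password the way AD expects for unicodePwd:
    the password wrapped in double quotes, as UTF-16LE bytes (no BOM)."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, handy for checking a value before sending it."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted UTF-16LE string")
    return text[1:-1]


def is_secure_password_channel(server_url: str) -> bool:
    """AD only accepts unicodePwd writes over an encrypted connection."""
    return urlparse(server_url).scheme.lower() == "ldaps"


def build_unicodepwd_ldif(user_dn: str, password: str, server_url: str) -> str:
    """Return an LDIF change record that replaces a user's unicodePwd.

    The '::' separator marks a base64-encoded value, which is required here
    because the UTF-16LE bytes are not safe as a plain LDIF string.
    """
    if not is_secure_password_channel(server_url):
        raise ValueError(f"password writes require ldaps://, got {server_url!r}")
    value = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {value}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed placeholders; replace with real values before use.
    ldif = build_unicodepwd_ldif(
        "CN=Example User,OU=Users,DC=example,DC=com",
        "ChangeMe-Placeholder",
        "ldaps://dc.example.com",
    )
    print(ldif)
```

The printed record can be fed to OpenLDAP's ldapmodify with `-H ldaps://<dc> -D <admin DN> -W -f change.ldif`; the same ValueError that guards the LDIF builder is the check to keep in any tooling that automates resets, so a misconfigured ldap:// URL fails locally instead of producing the "server is unwilling to process the request" error mentioned in the first answer.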
While correct, managing with PowerShell is much easier than Perl or Java scripts. – HostBits Jun 07 '11 at 03:35