
I am trying to change an Active Directory password (on a Windows 2008 server) from a CentOS 6.2 machine over OpenLDAP.

I have tried passwd and ldappasswd, and am trying to see if I can do it with Samba, without the use of TLS/SSL/SASL. Is this possible?

Shiroi98
  • Windows requires TLS for the changing of passwords over LDAP. 2008 doesn't have TLS enabled for LDAP by default. – Phillip Nordwall Aug 31 '12 at 17:17
  • I implemented a web based solution for our Linux and Mac users to change their password via browser. I used the LDAP Tool Box project - http://ltb-project.org/wiki/start. Keep in mind what Phillip mentioned: you need to activate TLS for the Windows LDAP server. – Izac Aug 31 '12 at 17:46

1 Answer


No, the unicodePwd attribute will reject changes if the connection is not secure.

It's also very finicky about the formatting of the raw LDAP (UTF-16 for the password strings is required), as well as about permission enforcement.

For resetting a password (changing it without knowing the old one), the user that bound to LDAP needs to have the "Reset Password" permission on the target user. If you're doing this, you must use the replace operation.

For changing a password (knowing the old and the new), you don't need to be bound to LDAP as any particular user (assuming that you've left the default permissions in place for "Change Password"). However, you need to send both a delete LDAP change with the correct old password and an add change with the new password, in the same operation.

See the documentation for the unicodePwd attribute for more information.

Shane Madden
  • Hi Shane, I have activated Unix Attributes for my AD users, so I checked the unicodePwd attribute: it is not set, but instead it uses the unixUserPassword attribute. Does the same apply? Does it require a secure connection? – Shiroi98 Aug 31 '12 at 18:05
  • @Shiroi98 The `unicodePwd` attribute is still always the 'main' password for the user. It never returns any data when queried, so yes, it should appear unset. Are you trying to actually change the user's password, or just to modify the `unixUserPassword` attribute only, leaving the user's Windows password untouched? – Shane Madden Aug 31 '12 at 18:14
  • Hmm I didn't know they were different. So far I can login to AD using the same password set in AD from my CentOS machine, so I assumed it was the same. Also, according to that unicodePwd link, it said something about setting the DSHeuristic attribute to allow modification of the unicodePwd over a non-secure connection. Does this apply to my case? – Shiroi98 Aug 31 '12 at 18:21
  • @Shiroi98 There is an option to sync to the `unixUserPassword` attribute when `unicodePwd` is changed; if that's enabled then it explains the sync. And no, the only situation in which you can use `dSHeuristics` to override the encryption requirement is for AD Lightweight Directory Services. – Shane Madden Aug 31 '12 at 18:25
  • Hi, I found this password sync daemon listed on MS website: http://technet.microsoft.com/en-us/library/cc755186. I was wondering if this will work for my setup? However, I am running CentOS 6.2, and it is not listed as one of the OS. Is Redhat linux similar to CentOS? – Shiroi98 Sep 01 '12 at 00:45
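The answer above describes the two shapes a unicodePwd modification has to take (a replace for an administrative reset, a delete of the old value plus an add of the new one in a single modify for a self-service change) and the encoding the DC insists on. The script below is an added example, written for this page and not posted by the original answerer or the question asker; it generates the LDIF for both cases from the CentOS side with the OpenLDAP client tools the question mentions. The DN, the host name dc01.example.com and the passwords are placeholders. unicodePwd wants the cleartext password wrapped in double quotes, encoded as UTF-16LE, and LDIF carries that binary value base64-encoded after a `::` marker. The helper reproduces the value Microsoft's own documentation gives for the password newPassword, which is what the usage note below checks. It does not, and cannot, avoid the TLS requirement: send the output over ldaps:// (port 636) or with StartTLS (`-ZZ`); a plain ldap:// session on port 389 will be refused by the DC, as the answer says.

```bash
#!/bin/bash
# Added example: build unicodePwd modifications for Active Directory from a
# Linux box using the OpenLDAP client tools. Names and passwords are placeholders.

# Encode a cleartext password the way unicodePwd expects it:
# wrap in double quotes, convert to UTF-16LE, base64 for the LDIF "::" syntax.
ad_pwd_b64() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Administrative reset (old password unknown): a single replace.
# The bound account needs the "Reset Password" right on the target object.
ldif_reset() {
    local dn=$1 newpw=$2
    printf 'dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n-\n' \
        "$dn" "$(ad_pwd_b64 "$newpw")"
}

# Self-service change (old password known): delete the old value and add the
# new one inside the same modify operation. The DC verifies the deleted value
# is the current password, so the user can bind as themselves to do this.
ldif_change() {
    local dn=$1 oldpw=$2 newpw=$3
    printf 'dn: %s\nchangetype: modify\ndelete: unicodePwd\nunicodePwd:: %s\n-\nadd: unicodePwd\nunicodePwd:: %s\n-\n' \
        "$dn" "$(ad_pwd_b64 "$oldpw")" "$(ad_pwd_b64 "$newpw")"
}

# Demo: print the self-service LDIF for a placeholder user.
ldif_change 'CN=Jane Doe,CN=Users,DC=example,DC=com' 'OldPass1' 'NewPass2'

# To apply it (not run here), pipe into ldapmodify over an encrypted session,
# binding as the user for a change or as an administrator for a reset:
#   ldif_change 'CN=Jane Doe,CN=Users,DC=example,DC=com' 'OldPass1' 'NewPass2' \
#     | ldapmodify -x -H ldaps://dc01.example.com -D 'jane@example.com' -W
#   ldif_reset 'CN=Jane Doe,CN=Users,DC=example,DC=com' 'NewPass2' \
#     | ldapmodify -x -H ldap://dc01.example.com -ZZ -D 'admin@example.com' -W
```

Running the script prints the LDIF for the delete/add pair; `ad_pwd_b64 newPassword` yields `IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=`, the reference value from the unicodePwd documentation, which is a quick way to confirm iconv produced UTF-16LE (no byte-order mark) rather than UTF-16 with a BOM. Passwords containing characters outside ASCII still work because the conversion starts from UTF-8; what breaks is forgetting the surrounding quotes or sending the value as plain `unicodePwd:` instead of base64 `unicodePwd::`.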