I'm using ldapjs (3.0.0) to change the password of a user in a Weblogic LDAP directory.
I also have some legacy webservice (which I don't have access to source code).
The webservice API does the following:
authenticate(username, password)
changePassword(username, newPassword)
There's also a 3rd way I can modify the password:
going into weblogic console, finding the user, and entering a new password.
I'd like to start using my new ldapjs code to modify the password as well as authenticate, however, for the time being, I'd also like to keep using the existing webservice API in other parts of my code.
Here's where I'm confused (stuck):
If I change the password using the legacy webservice API, I can authenticate the user using LDAPJS, AND the webservice API. Both work fine!
If I change the password through Weblogic console, same thing. I can authenticate using LDAPJS and the webservice API. Still, both work fine!
However, if I use ldapjs to modify the password (same user, same test password), I can authenticate the user in LDAPJS, but when I try to authenticate the username/password using the webservice API, it fails with "invalid password".
I don't have the source code for the legacy webservice API, so I'm trying to understand what might be causing the problem. Is it possible that changing the password via LDAPJS might be storing the password in a different format from how Weblogic console stores the password when you change the password through Weblogic console? And if so, would that cause the username/password to only authenticate through LDAPJS, but break the authentication piece through the webservice API?
In all my tests, I'm using the same user, username, realm, and Weblogic LDAP server. The only difference is the method I'm using to change the password.
This is what my code for changing the password looks like:
    import ldap from 'ldapjs';

    // LDAPURL, DC and bindToAdmin() are defined elsewhere in the project (not shown).
    export async function ldapChangePassword(username, password) {
      // Create the client
      const ldapClient = ldap.createClient({
        url: 'ldap://' + LDAPURL, // stored in env.local (root directory)
        timeout: 10000, // ms
        connectTimeout: 10000,
      });

      // Bind to the server with a user authorized to perform the password change.
      try {
        bindToAdmin(ldapClient);
      } catch (err) {
        ldapClient.unbind();
        throw err;
      }

      // Set the new password (hard-coded test value; the `password` argument is not used)
      const dn = `uid=${username},ou=people,ou=myrealm,dc=${DC}`;
      const newPassword = 'abcd1234655';
      console.log(`Changing password: ${username} ${newPassword}`);

      // The value is sent to the server exactly as given here
      const userPasswordAttribute = new ldap.Attribute({
        type: 'userPassword',
        vals: newPassword
      });

      // Replace the userPassword attribute on the user's entry
      ldapClient.modify(dn,
        [
          new ldap.Change({
            operation: 'replace',
            modification: userPasswordAttribute
          })
        ],
        (err) => {
          if (err) {
            console.log(err);
          } else {
            console.log('Password change successful');
          }
          ldapClient.unbind();
        });
    }
My output looks like this:
    Changing password: myUserNameABC abcd1234655
    Password change successful
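
Added example, not part of the original post: a Node.js helper for checking the storage-format question raised above, by reading `userPassword` back after each change path and comparing the scheme prefix and whether the test password verifies. It assumes the `{scheme}` prefix convention with the OpenLDAP layout base64(digest + salt); whether the WebLogic embedded LDAP uses exactly this layout is an assumption, and the sample values are constructed.

```javascript
const crypto = require('node:crypto');

// Hash name and digest size (bytes) per scheme. Salted variants store
// base64(digest || salt) with digest = H(password || salt) (OpenLDAP layout, assumed).
const SCHEMES = {
  md5: ['md5', 16], smd5: ['md5', 16],
  sha: ['sha1', 20], ssha: ['sha1', 20],
  sha256: ['sha256', 32], ssha256: ['sha256', 32],
  sha512: ['sha512', 64], ssha512: ['sha512', 64],
};

// Split a stored userPassword string into scheme, digest and salt.
// No "{scheme}" prefix means the value was stored as cleartext.
function parseUserPassword(stored) {
  const m = /^\{([A-Za-z0-9-]+)\}(.*)$/s.exec(stored);
  if (!m) return { scheme: 'cleartext', digest: null, salt: null };
  const scheme = m[1].toLowerCase();
  if (!SCHEMES[scheme]) return { scheme, digest: null, salt: null };
  const raw = Buffer.from(m[2], 'base64');
  const size = SCHEMES[scheme][1];
  return { scheme, digest: raw.subarray(0, size), salt: raw.subarray(size) };
}

// true/false if the candidate matches; null if the scheme is not handled here.
function verifyUserPassword(stored, candidate) {
  const { scheme, digest, salt } = parseUserPassword(stored);
  if (scheme === 'cleartext') return stored === candidate;
  if (!digest) return null;
  const actual = crypto.createHash(SCHEMES[scheme][0])
    .update(candidate).update(salt).digest();
  return actual.length === digest.length && crypto.timingSafeEqual(actual, digest);
}

// Build a constructed sample value for a salted scheme (demo input only).
function makeSalted(scheme, password, salt) {
  const d = crypto.createHash(SCHEMES[scheme][0]).update(password).update(salt).digest();
  return `{${scheme.toUpperCase()}}${Buffer.concat([d, salt]).toString('base64')}`;
}

// Constructed values; which change path produces which format is not known from the post.
const samples = {
  hashedSample: makeSalted('ssha256', 'abcd1234655', Buffer.from('0102030405060708', 'hex')),
  cleartextSample: 'abcd1234655',
};
for (const [name, value] of Object.entries(samples)) {
  console.log(name, parseUserPassword(value).scheme, verifyUserPassword(value, 'abcd1234655'));
}
```

If the values read back after the console change and after the ldapjs change report different schemes, a client that compares hashes itself instead of binding could reject one of them.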