Hello everyone, I comment to you the situation in which I find myself. We are recently trying to migrate from Samba version 3 to version 4. At the institution we have several applications that manage users. I have tried without success to change a user's password using LDAP, that is, without going to samba-tool for this task. I read in several places that it might be possible by editing the unicodePwd attribute, and that the password must be in UTF-16 in quotes. Before continuing trying, I just wanted to consult you: is it possible to change the user's password by editing any LDAP/AD property?

I am working with a library (driver) of a programming language called Elixir that so far has allowed me to edit the properties of a user without problems. My idea is to develop an interface that mediates between the developed applications and samba4.

Sorry for my English.

Thanks, any help is appreciated.
Hi Hernan,

Yes, you can absolutely change an AD user's password via LDAP. You got it right; you need to edit unicodePwd which is UTF-16 encoded with quotes. Why not just go ahead and try it?

Here's the official spec:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/6e803168-f140-4d23-b2d3-c3a8ab5917d2

Here's another reference:
https://ldapwiki.com/wiki/UnicodePwd#section-UnicodePwd-TheSyntaxOfTheUnicodePwdAttribute

Here's how the Python ldap3 extend.microsoft.modify_password() API implements it:
https://github.com/cannatag/ldap3/blob/78c449dd/ldap3/extend/microsoft/modifyPassword.py#L46-L50

Jonathon

On Fri, May 14, 2021 at 9:32 PM Hernan Jalabert via samba <samba at lists.samba.org> wrote:
>
> Hello everyone, I comment to you the situation in which I find myself. We
> are recently trying to migrate from Samba version 3 to version 4. At the
> institution we have several applications that manage users. I have tried
> without success to change a user's password using LDAP, that is, without
> going to samba-tool for this task. I read in several places that it might
> be possible by editing the unicodePwd attribute, and that the password must
> be in UTF-16 in quotes. Before continuing trying, I just wanted to consult
> you: is it possible to change the user's password by editing any LDAP/AD
> property?
>
> I am working with a library (driver) of a programming language called
> Elixir that so far has allowed me to edit the properties of a user without
> problems. My idea is to develop an interface that mediates between the
> developed applications and samba4.
>
> Sorry for my English.
>
> Thanks, any help is appreciated.
On 15/05/2021 02:31, Hernan Jalabert via samba wrote:
> Hello everyone, I comment to you the situation in which I find myself. We
> are recently trying to migrate from Samba version 3 to version 4. At the
> institution we have several applications that manage users. I have tried
> without success to change a user's password using LDAP, that is, without
> going to samba-tool for this task. I read in several places that it might
> be possible by editing the unicodePwd attribute, and that the password must
> be in UTF-16 in quotes. Before continuing trying, I just wanted to consult
> you: is it possible to change the user's password by editing any LDAP/AD
> property?
>
> I am working with a library (driver) of a programming language called
> Elixir that so far has allowed me to edit the properties of a user without
> problems. My idea is to develop an interface that mediates between the
> developed applications and samba4.
>
> Sorry for my English.
>
> Thanks, any help is appreciated.

Perfectly possible, you can do it from bash.

The password is created with this:

_UNICODEPW=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)

Then changed with an ldif like this:

dn: $USERS_DN
changetype: modify
replace: unicodePwd
unicodePwd::$_UNICODEPW

Though I struggle to see what is wrong with using 'samba-tool user password'.

Rowland
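
The encoding discussed in this thread, as an added example that is not code from any of the posters or from the Samba or ldap3 projects: it builds the quoted UTF-16LE value and the LDIF for the administrative reset shown above, and goes one step further with the user-initiated change form (delete of the old value plus add of the new one) that the linked MS-ADTS section describes. The function names, the sample DN and the sample passwords are assumptions made for illustration.

```python
import base64

def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd value: the password wrapped in double quotes, as UTF-16LE."""
    if not password:
        raise ValueError("empty password")
    # "utf-16-le" emits no byte-order mark; plain "utf-16" would prepend one,
    # so the value would no longer start with the quote character.
    return f'"{password}"'.encode("utf-16-le")

def ldif_line(attr: str, value: bytes, force_b64: bool = False) -> str:
    """One LDIF line; base64 ('::') unless the value is an LDIF SAFE-STRING."""
    safe = (not force_b64
            and all(0 < b < 128 and b not in (10, 13) for b in value)
            and value[:1] not in (b" ", b":", b"<") and value[-1:] != b" ")
    if safe:
        return f"{attr}: {value.decode('ascii')}"
    return f"{attr}:: {base64.b64encode(value).decode('ascii')}"

def _pwd_line(password: str) -> str:
    # The password value is binary, so it is always written base64-encoded.
    return ldif_line("unicodePwd", encode_unicode_pwd(password), force_b64=True)

def reset_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: a single 'replace' of unicodePwd."""
    return "\n".join([
        ldif_line("dn", dn.encode("utf-8")),  # a non-ASCII DN becomes 'dn::'
        "changetype: modify",
        "replace: unicodePwd", _pwd_line(new_password),
        "-", ""])

def change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """User-initiated change: delete the old value, add the new, one modify."""
    return "\n".join([
        ldif_line("dn", dn.encode("utf-8")),
        "changetype: modify",
        "delete: unicodePwd", _pwd_line(old_password),
        "-",
        "add: unicodePwd", _pwd_line(new_password),
        "-", ""])

if __name__ == "__main__":
    # Constructed sample DN and passwords, for illustration only.
    dn = "CN=Test User,CN=Users,DC=example,DC=com"
    print(reset_ldif(dn, 'N3w"Pässw0rd'))
    print(change_ldif(dn, "0ld-Passw0rd", 'N3w"Pässw0rd'))
```

The output can be passed to an LDAP client such as ldapmodify; the linked MS-ADTS section requires an encrypted connection for unicodePwd writes.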