search for: unicodepwd

...024-10-28 12:50: > > On Mon, 28 Oct 2024 12:17:02 +0100 > > William David Edwards via samba <samba at lists.samba.org> wrote: > > > >> I think I might've found a solution while debugging. > >> > >> To understand what I'm doing wrong with `unicodePwd`, I'm trying to > >> get the LDAP request that LAM does, and compare it to mine. > >> > >> As I temporarily switched to an unencrypted connection to be able > >> to dump the payload without a MTIM, Samba -rightfully- says: > >> > >> "...

Hi all I am trying to create a webapp to allow users to change their own passwords in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify the user password using this code: dn: ........ changetype: modify replace: unicodePwd unicodePwd: "Temporal2" I get this error: 0x32 (Insufficient access; error in module acl: insufficient access rights during LDB_MODIFY (50)) If I change the code, deleting the old password, and adding the new one: dn: ........ changetype: modify delete: unicodePwd unicodePwd: "Te...

...d Penny via samba schreef op 2024-10-28 12:50: > On Mon, 28 Oct 2024 12:17:02 +0100 > William David Edwards via samba <samba at lists.samba.org> wrote: > >> I think I might've found a solution while debugging. >> >> To understand what I'm doing wrong with `unicodePwd`, I'm trying to >> get the LDAP request that LAM does, and compare it to mine. >> >> As I temporarily switched to an unencrypted connection to be able to >> dump the payload without a MTIM, Samba -rightfully- says: >> >> "Password modification over LDA...

...gt; > On Mon, 28 Oct 2024 12:17:02 +0100 >> > William David Edwards via samba <samba at lists.samba.org> wrote: >> > >> >> I think I might've found a solution while debugging. >> >> >> >> To understand what I'm doing wrong with `unicodePwd`, I'm trying to >> >> get the LDAP request that LAM does, and compare it to mine. >> >> >> >> As I temporarily switched to an unencrypted connection to be able >> >> to dump the payload without a MTIM, Samba -rightfully- says: >> >> &g...

Hi, I'm tying to set user's LDAP passwords using LDAP. `samba-tool user setpassword` does so by setting the write-only `unicodePwd` attribute, but turning it into binary and Base64-encoding it first: ``` if not isinstance(password, str): pw = password.decode('utf-8') else: pw = password pw = ('"' + pw + '"').encode('utf-16-le') setpw = """ dn: %s changetype:...

...t; William David Edwards via samba <samba at lists.samba.org> wrote: > > > >> Hi, > >> > >> I'm tying to set user's LDAP passwords using LDAP. > >> > >> `samba-tool user setpassword` does so by setting the write-only > >> `unicodePwd` attribute, but turning it into binary and > >> Base64-encoding it first: > >> > >> ``` > >> if not isinstance(password, str): > >> pw = password.decode('utf-8') > >> else: > >> pw = password > >> pw = ('&q...

On Mon, 28 Oct 2024 12:17:02 +0100 William David Edwards via samba <samba at lists.samba.org> wrote: > I think I might've found a solution while debugging. > > To understand what I'm doing wrong with `unicodePwd`, I'm trying to > get the LDAP request that LAM does, and compare it to mine. > > As I temporarily switched to an unencrypted connection to be able to > dump the payload without a MTIM, Samba -rightfully- says: > > "Password modification over LDAP must be over an encry...

...ists.samba.org> wrote: >>>> >>>>> Hi, >>>>> >>>>> I'm tying to set user's LDAP passwords using LDAP. >>>>> >>>>> `samba-tool user setpassword` does so by setting the write-only >>>>> `unicodePwd` attribute, but turning it into binary and >>>>> Base64-encoding it first: >>>>> >>>>> ``` >>>>> if not isinstance(password, str): >>>>> pw = password.decode('utf-8') >>>>> else: >>>>...

On Sun, 27 Oct 2024 13:58:56 +0100 William David Edwards via samba <samba at lists.samba.org> wrote: > Hi, > > I'm tying to set user's LDAP passwords using LDAP. > > `samba-tool user setpassword` does so by setting the write-only > `unicodePwd` attribute, but turning it into binary and > Base64-encoding it first: > > ``` > if not isinstance(password, str): > pw = password.decode('utf-8') > else: > pw = password > pw = ('"' + pw + '"').encode('utf-16-le') > &...

...Sun, 27 Oct 2024 13:58:56 +0100 > William David Edwards via samba <samba at lists.samba.org> wrote: > >> Hi, >> >> I'm tying to set user's LDAP passwords using LDAP. >> >> `samba-tool user setpassword` does so by setting the write-only >> `unicodePwd` attribute, but turning it into binary and >> Base64-encoding it first: >> >> ``` >> if not isinstance(password, str): >> pw = password.decode('utf-8') >> else: >> pw = password >> pw = ('"' + pw + '"').encod...

...org> wrote: > >> > > >> >> Hi, > >> >> > >> >> I'm tying to set user's LDAP passwords using LDAP. > >> >> > >> >> `samba-tool user setpassword` does so by setting the write-only > >> >> `unicodePwd` attribute, but turning it into binary and > >> >> Base64-encoding it first: > >> >> > >> >> ``` > >> >> if not isinstance(password, str): > >> >> pw = password.decode('utf-8') > >> >> else: > &...

...via samba <samba at lists.samba.org> wrote: >> > >> >> Hi, >> >> >> >> I'm tying to set user's LDAP passwords using LDAP. >> >> >> >> `samba-tool user setpassword` does so by setting the write-only >> >> `unicodePwd` attribute, but turning it into binary and >> >> Base64-encoding it first: >> >> >> >> ``` >> >> if not isinstance(password, str): >> >> pw = password.decode('utf-8') >> >> else: >> >> pw = password...

...dwards via samba <samba at lists.samba.org> wrote: >>> >>>> Hi, >>>> >>>> I'm tying to set user's LDAP passwords using LDAP. >>>> >>>> `samba-tool user setpassword` does so by setting the write-only >>>> `unicodePwd` attribute, but turning it into binary and >>>> Base64-encoding it first: >>>> >>>> ``` >>>> if not isinstance(password, str): >>>> pw = password.decode('utf-8') >>>> else: >>>> pw = password >&...

...>>>>> >>>>>> Hi, >>>>>> >>>>>> I'm tying to set user's LDAP passwords using LDAP. >>>>>> >>>>>> `samba-tool user setpassword` does so by setting the write-only >>>>>> `unicodePwd` attribute, but turning it into binary and >>>>>> Base64-encoding it first: >>>>>> >>>>>> ``` >>>>>> if not isinstance(password, str): >>>>>> ???? pw = password.decode('utf-8') >>>>>>...

...t;> Hi, >>>>>>>> >>>>>>>> I'm tying to set user's LDAP passwords using LDAP. >>>>>>>> >>>>>>>> `samba-tool user setpassword` does so by setting the write-only >>>>>>>> `unicodePwd` attribute, but turning it into binary and >>>>>>>> Base64-encoding it first: >>>>>>>> >>>>>>>> ``` >>>>>>>> if not isinstance(password, str): >>>>>>>> ???? pw = password.decode(&...

...;>>>>>> >>>>>>>>> I'm tying to set user's LDAP passwords using LDAP. >>>>>>>>> >>>>>>>>> `samba-tool user setpassword` does so by setting the write-only >>>>>>>>> `unicodePwd` attribute, but turning it into binary and >>>>>>>>> Base64-encoding it first: >>>>>>>>> >>>>>>>>> ``` >>>>>>>>> if not isinstance(password, str): >>>>>>>>> ???? p...

...>>>>>> Hi, >>>>>>> >>>>>>> I'm tying to set user's LDAP passwords using LDAP. >>>>>>> >>>>>>> `samba-tool user setpassword` does so by setting the write-only >>>>>>> `unicodePwd` attribute, but turning it into binary and >>>>>>> Base64-encoding it first: >>>>>>> >>>>>>> ``` >>>>>>> if not isinstance(password, str): >>>>>>> ???? pw = password.decode('utf-8') &gt...

Hi Thanks all for your responses. The users can now change their own password adding and removing the unicodePwd attribute, using the correct method to generate the password value. Now, I have a problem, because the users who have the option to force to change the password in the next login checked, can't bind to the LDAP server in order to change their password. Is there any way to do this, using LDAP(s...

Hi, Thank you for this answer, unfortunately I was not able to re-hash password as they are hashed into LDB database. First I retrieved the hash: ldbsearch -H $sam '(cn=some user)' unicodePwd # record 1 dn: CN=some user,OU=Users Management,DC=ad,DC=example,DC=com unicodePwd:: COwwLgiqqaHRyhy4HxWp4A== This "unicodePwd" attribute comes from a quick search into "user" class: ldbsearch -H $sam -b 'CN=SCHEMA,CN=CONFIGURATION,DC=AD,DC=EXAMPLE,DC=COM' '(&(...

...d: replace userPassword: newPassword modifying entry "CN=John Smith,cn=Users,DC=domain,DC=com" modify complete This seems to work, but does not affect user in any matter. As far as I managed to find out, is that userPassword is not native Active Directory attribute. You must use unicodePwd attribute instead. But then I get to another problem: dn: CN=John Smith,cn=Users,DC=domain,DC=com changetype: modify replace: unicodePwd unicodePwd: newPassword ldapmodify -v -c -a -f filename.ldif -H\ ldaps://server.domain.com -D\ administrator at domain.com -W ldap_initialize( ldaps://server....