
Unable to change user's password (Active Directory)

Hi guys,

First, thank you for porting the code over to .Net core!

I’m having some issues with changing the user’s password using the LDAP modify methods. I receive one of the following errors, depending on which route I take:

  1. Binding as a domain admin and using LdapModification.REPLACE: Unwilling To Perform (53) Unwilling To Perform LdapException: Server Message: 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0
  2. Binding as the user itself and using LdapModification.DELETE and LdapModification.ADD: Constraint Violation (19) Constraint Violation LdapException: Server Message: 00002081: AtrErr: DSID-03190FA0, #1: 0: 00002081: DSID-03190FA0, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)

Code excerpts for both routes:

1) Binding as a domain admin:

string UserToChange = "CN=myUser,OU=InSome,OU=OU,DC=domain,DC=local";
LdapAttribute attribute = new LdapAttribute("unicodePwd", "\"myNewStrongPassword\"");
LdapModification modification = new LdapModification(LdapModification.REPLACE, attribute);

_connection.Modify(UserToChange, modification);

2) Binding as the user:

string UserToChange = "CN=myUser,OU=InSome,OU=OU,DC=domain,DC=local";
LdapModification[] modifications = new LdapModification[2];
LdapAttribute deletePassword = new LdapAttribute("unicodePwd", "\"myOldPassword\"");
modifications[0] = new LdapModification(LdapModification.DELETE, deletePassword);
LdapAttribute addPassword = new LdapAttribute("unicodePwd", "\"myNewStrongPassword\"");
modifications[1] = new LdapModification(LdapModification.ADD, addPassword);

_connection.Modify(UserToChange, modifications);

Things I have checked and tried:

  1. Convert the password to a Unicode (UTF-16LE) byte array and then to a base64 string using the code below:

string password = "\"myNewStrongPassword\"";
byte[] encodedBytes = Encoding.Unicode.GetBytes(password);
string encodedTxt = Convert.ToBase64String(encodedBytes);

  2. Connect with SSL (this is the only way to perform actions on the unicodePwd field)
  3. Read various implementations on the web; most of the ones I found are Java and PHP
  4. The password myNewStrongPassword is valid against the AD password policies

If anyone has any idea or could point me in the right direction, that would be great! 😃

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:11

Top GitHub Comments

3 reactions
gerwim commented, Jun 26, 2017

I managed to fix this by doing the following:

Instead of:

string password = "\"myNewStrongPassword\"";
byte[] encodedBytes = Encoding.Unicode.GetBytes(password);
string encodedTxt = Convert.ToBase64String(encodedBytes);

Convert it to sbyte (and drop the string and base64 encoding):

string password = "\"myNewStrongPassword\"";
// Raw UTF-16LE bytes of the quoted password, passed as sbyte[] rather than a base64 string
sbyte[] encodedBytes = SupportClass.ToSByteArray(Encoding.Unicode.GetBytes(password));
LdapAttribute deletePassword = new LdapAttribute("unicodePwd", encodedBytes);
1 reaction
cjag74 commented, Dec 29, 2022

Did below and it worked!

First, install an SSL cert in AD, then reboot the AD server: https://www.manageengine.com/products/active-directory-audit/kb/how-to/how-to-install-ssl-certificates-in-active-directory.html

Second, verify LDAPS connection

After a certificate is installed, follow these steps to verify that LDAPS is enabled:

  1. Start the Active Directory Administration Tool (Ldp.exe).
  2. On the Connection menu, click Connect.
  3. Type the name of the domain controller to which you want to connect.
  4. Type 636 as the port number.
  5. Click OK.

RootDSE information should print in the right pane, indicating a successful connection.

Third, install the NuGet package System.DirectoryServices.Protocols and use code below

using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;
using Microsoft.AspNetCore.Mvc;

// Handler method of a Razor PageModel
public async Task<IActionResult> OnPostSubmit()
{
    var ldapConnection = new LdapConnection(new LdapDirectoryIdentifier("abc.com", 636, true, false));
    ldapConnection.AuthType = AuthType.Basic;
    // This callback accepts any server certificate without validating it
    ldapConnection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback((con, cer) => true);
    ldapConnection.SessionOptions.SecureSocketLayer = true;
    ldapConnection.Credential = new NetworkCredential("abc\\abcadmin", "AdminPassw0rd");
    ldapConnection.Bind();

    // Set the new password for the user: quoted, UTF-16LE encoded, sent as raw bytes
    string password = "NewPassw0rd";
    byte[] encodedPassword = Encoding.Unicode.GetBytes($@"""{password}""");

    DirectoryAttributeModification dirmod = new DirectoryAttributeModification();
    dirmod.Operation = DirectoryAttributeOperation.Replace;
    dirmod.Name = "unicodePwd";
    dirmod.Add(encodedPassword);

    ModifyRequest request = new ModifyRequest("CN=UserToChangeFor,CN=Users,DC=abc,DC=com", dirmod);

    // Execute the request to reset the password
    ModifyResponse response = (ModifyResponse)ldapConnection.SendRequest(request);

    return Page();
}
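The two replies above fix different halves of the problem: gerwim's comment shows that unicodePwd must be sent as the raw UTF-16LE bytes of the quoted password (not a base64 string), and cjag74's comment shows a working LDAPS reset with System.DirectoryServices.Protocols but with a certificate callback that returns true for any certificate. The following is an added example, not code from the issue, from the Novell library, or from either commenter. It combines both routes the original post tried, the administrative REPLACE and the self-service DELETE+ADD, over an LDAPS connection that keeps the platform's default certificate validation. The host name dc01.domain.local, the user DN, the DOMAIN\adminUser account and the AD_ADMIN_PASSWORD environment variable are placeholders for illustration.

```csharp
// Added example, not code from the issue or from either library it discusses.
// Resets (admin) or changes (self-service) an Active Directory user's password
// over LDAPS with the System.DirectoryServices.Protocols NuGet package.
// Host name, DNs and credentials below are hypothetical placeholders.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

public static class AdPassword
{
    // AD expects unicodePwd to be the password wrapped in double quotes and
    // encoded as UTF-16LE (Encoding.Unicode), sent as raw octets. A base64
    // string of those bytes is just ASCII text to the server and is rejected.
    public static byte[] EncodeUnicodePwd(string password)
        => Encoding.Unicode.GetBytes("\"" + password + "\"");

    // LDAPS on port 636. VerifyServerCertificate is deliberately left unset so
    // the platform's default certificate validation applies; a callback that
    // returns true would accept any certificate and hand the password to a
    // man-in-the-middle.
    public static LdapConnection Connect(string host, NetworkCredential credential)
    {
        // (server, port, fullyQualifiedDnsHostName, connectionless)
        var identifier = new LdapDirectoryIdentifier(host, 636, true, false);
        var connection = new LdapConnection(identifier)
        {
            AuthType = AuthType.Basic,
            Credential = credential,
        };
        connection.SessionOptions.SecureSocketLayer = true;
        connection.SessionOptions.ProtocolVersion = 3;
        connection.Bind();
        return connection;
    }

    // Administrative reset: bind as an account with "Reset password" rights
    // on the user and REPLACE unicodePwd. The old password is not needed.
    public static void ResetPassword(LdapConnection connection, string userDn, string newPassword)
    {
        var replace = new DirectoryAttributeModification
        {
            Name = "unicodePwd",
            Operation = DirectoryAttributeOperation.Replace,
        };
        replace.Add(EncodeUnicodePwd(newPassword));
        connection.SendRequest(new ModifyRequest(userDn, replace));
    }

    // Self-service change: bind as the user and send DELETE of the old value
    // plus ADD of the new value in one modify request, so the DC checks the
    // old password and applies the password policy to the new one.
    public static void ChangePassword(LdapConnection connection, string userDn,
                                      string oldPassword, string newPassword)
    {
        var delete = new DirectoryAttributeModification
        {
            Name = "unicodePwd",
            Operation = DirectoryAttributeOperation.Delete,
        };
        delete.Add(EncodeUnicodePwd(oldPassword));

        var add = new DirectoryAttributeModification
        {
            Name = "unicodePwd",
            Operation = DirectoryAttributeOperation.Add,
        };
        add.Add(EncodeUnicodePwd(newPassword));

        connection.SendRequest(new ModifyRequest(userDn, delete, add));
    }

    public static int Main(string[] args)
    {
        // Hypothetical placeholders; real values come from your environment.
        const string host = "dc01.domain.local";
        const string userDn = "CN=myUser,OU=InSome,OU=OU,DC=domain,DC=local";
        string adminPassword = Environment.GetEnvironmentVariable("AD_ADMIN_PASSWORD") ?? "";
        string newPassword = args.Length > 0 ? args[0] : "myNewStrongPassword";

        try
        {
            using var connection = Connect(host, new NetworkCredential("DOMAIN\\adminUser", adminPassword));
            ResetPassword(connection, userDn, newPassword);
            Console.WriteLine("Password reset succeeded.");
            return 0;
        }
        catch (DirectoryOperationException ex)
        {
            // SendRequest throws for any non-success LDAP result. ResultCode is
            // the LDAP code (53 UnwillingToPerform, 19 ConstraintViolation, ...)
            // and ErrorMessage carries the AD text such as "problem 5003".
            Console.Error.WriteLine($"{ex.Response.ResultCode}: {ex.Response.ErrorMessage}");
            return 1;
        }
    }
}
```

To exercise the self-service path instead, bind with the user's own credentials and call ChangePassword with the old and new passwords; an Unwilling To Perform (53) on either path usually means the connection was not actually TLS-wrapped, which is why the LDAPS check with Ldp.exe above is worth doing first.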
