Tim Hastings - NonHostile (because there's no need)

Weblog and collection of geeky articles.

  Home :: Who? :: Contact :: Links :: Subscribe subscribe
More Industrial Revelations with Mark Williams - God Be Praised!!Privacy Risk With Internet ExplorerNow Witness the Power of This Fully Armed and Operational Debian NSLU2

If you are doing LDAP integration work with Active Directory and you want to update a user's password via an LDIF script you need to specify the password attribute in a very specific way.

The sequence of steps is this:

  • Surround the password with speech marks, "like this"
  • Covert to bytes using the Unicode character encoding - a two byte code page which pads the low ASCII characters with 0
  • Encode using Base 64

So something like password becomes IgBzAGUAYwByAGUAdAAiAA==

This all sounds well and good, here's a code sample:

    Public Function FormatPassword(ByVal password As String) As String

        If password Is Nothing Then Throw New ArgumentNullException("password", "password cannot be nothing")

        ' enclose in speech marks
        password = String.Format("""{0}""", password)

        ' convert to bytes with unicode encoding
        Dim bytes() As Byte = Encoding.Unicode.GetBytes(password)

        ' convert to base 64
        Dim base64 As String = Convert.ToBase64String(bytes)
        Return base64

    End Function

Some sample passwords:

    admin     IgBhAGQAbQBpAG4AIgA=
    root      IgByAG8AbwB0ACIA
    password  IgBwAGEAcwBzAHcAbwByAGQAIgA=
    apple     IgBhAHAAcABsAGUAIgA=
    banana    IgBiAGEAbgBhAG4AYQAiAA==
    pencel    IgBwAGUAbgBjAGkAbAAiAA==

LDIF Set Password Script

To use this encoded password in an LDIF script, you will need to create LDIF fragments like this:

    dn: cn=timhastings,ou=Users,dc=example,dc=com
    changetype: modify
    replace: unicodePwd
    unicodePwd:: IgBwAGEAcwBzAHcAbwByAGQAIgA=

The double-colon is required on the unicodePwd attribute as it identifies that the data which follows is Base64 encoded.

To import this into Active Directory, you will need to use the ldifde command line too.

Password Policy

You must make sure your passwords meet the strength and history requirements of the systems password policy, otherwise you will receive the following error message:

    The server side error is: 0x52d Unable to update the password.
    The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
    The extended server error is: 0000052D: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0

ldifde Secure Connection

When settings passwords, Active Directory insists you use a secure connection otherwise you will get an Unwilling To Perform error like this:

    Add error on entry starting on line 1: Unwilling To Perform
    The server side error is: 0x1f A device attached to the system is not functioning.
    The extended server error is:            
    0000001F: SvcErr: DSID-031A11E5, problem 5003 (WILL_NOT_PERFORM), data 0

To specify a secure connection to LDAP, use ldifde like this:

    ldifde -i -f -h -v myscript.ldf

I hope this helps!

569 comments, Software, Thursday, October 22, 2009 20:34

Timeline Navigation for Software posts
VB.Net: How to Format unicodePwd for Active Directory LDIF Script for LDAP Import (this post, made Thursday, October 22, 2009 20:34)
The Ultimate Tools List (made 212 weeks earlier)


Post a Comment
Name:  Home page and email address are optional.
  Email addresses will not be displayed or spammed!
Remember these details
Home Page:
Comments cannot contain HTML, URLs will be formatted into hyperlinks.
I reserve the right to remove any comments for any reason.