Changing (not setting) a user password through LDAP


Paul Boven

Hi everyone,

I'm trying to create a little LDAP application to allow users to change
their Active Directory password. Unfortunately it keeps complaining
about 'CONSTRAINT_ATT_TYPE'. Any hints would be very much appreciated.
Please read on for what I've already tried so far.

I would like the application to only run with the credentials the user
supplied, so it should have no knowledge of the Administrator password.

According to Microsoft Knowledge Base article 26910 [1] this should be
possible by binding to the AD as the user in question, and then doing an
ldap_modify which both deletes the old and sets the new password. In
order to test this I've created a small LDIF file which should do just that.

This is the LDIF entry and how I'm trying to feed it to the AD:
(openldap) ldapmodify -x -W -H "ldaps://" -D "DOMAIN\\test"
-f changepass.ldif

dn: CN=test,OU=Users,DC=edu,DC=local
changetype: modify
delete: unicodePwd
add: unicodePwd
unicodePwd:: IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=

In this LDIF, the first unicodePwd corresponds to 'test123abc' and the
second to 'newPassword'. (Don't worry, these are not production
passwords). Actually, these strings are the base64-encoding of the
regular ASCII string, with each character alternated with a NULL byte.

We have password-complexity turned -off- at the moment. The encoding for
the passwords is certainly correct because I can use either in an
ldap_modify replace operation (as Administrator), and then bind as the
user in question using the new password.

Furthermore, the connection is over SSL, using the certificate that was
generated by the AD itself. The account is not disabled, and does not
have to change password at next login (userAccountControl: 512).

Unfortunately, despite all this, it just won't work:

ldap_modify: Constraint violation (19)
additional info: 0000052D: AtrErr: DSID-03190EFF, #1:
0: 0000052D: DSID-03190EFF, problem 1005 (CONSTRAINT_ATT_TYPE),
data 0, Att 9005a (unicodePwd)

Are there any other requirements for having a user change his/her
account via LDAP that I've missed?

Any hints would be greatly appreciated.

Regards, Paul Boven.
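
Added example (not part of the original post): a sketch that builds the delete-then-add modify described above as one complete LDIF change record, with the old value under `delete:`, the new value under `add:`, and each modification closed by a `-` line. The function names are hypothetical; the DN and the two test passwords are the ones quoted in the post, and the DN is assumed to be plain ASCII.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd wire format: the password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def b64_unicode_pwd(password: str) -> str:
    """Base64 form for use after 'unicodePwd::' in an LDIF file."""
    return base64.b64encode(encode_unicode_pwd(password)).decode("ascii")


def decode_unicode_pwd(b64_value: str) -> str:
    """Check a value taken from an existing LDIF and return the bare password."""
    text = base64.b64decode(b64_value).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not wrapped in double quotes")
    return text[1:-1]


def change_password_ldif(dn: str, old: str, new: str) -> str:
    """One modify record: delete the old value, then add the new one.

    Assumes dn is a plain ASCII string that needs no LDIF base64 encoding.
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {b64_unicode_pwd(old)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {b64_unicode_pwd(new)}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Test values quoted in the post, not production credentials.
    print(change_password_ldif("CN=test,OU=Users,DC=edu,DC=local",
                               "test123abc", "newPassword"))
```

The output can be saved as changepass.ldif and passed to the ldapmodify command shown in the post.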

