I am writing an ASP.NET Core 5 Web API (platform independent) to change the LDAP user password. I'm using the library Novell.Directory.Ldap
.
This is my code:
var ldapHost = "192/168.*.*";
var loginDN = "CN=something,DC=something"; //loginDn of the user itself or admin
var opassword = "Abcd@11111111"; //oldpassword
var npassword = "Xyzw@22222222"; //newpassword
npassword = '"' + npassword + '"';
LdapConnection conn = new LdapConnection();
Console.WriteLine("Connecting to:" + ldapHost);
conn.Connect(ldapHost, LdapConnection.DefaultPort);
conn.Bind(loginDN, opassword);
LdapModification[] modifications = new LdapModification[2];
LdapAttribute deletePassword = new LdapAttribute("userPassword", opassword);
modifications[0] = new LdapModification(LdapModification.Delete, deletePassword);
LdapAttribute addPassword = new LdapAttribute("userPassword", npassword);
modifications[1] = new LdapModification(LdapModification.Add, addPassword);
conn.Modify(loginDN, modifications);
I am testing this code for a Windows AD domain as well as Linux OpenLDAP. Both LDAP server's users have the attribute property userPassword
present.
When I run this code LdapModification.ADD
throws an error that No such attribute userPassword.
when I try to find the solution I get people using attribute unicodePwd
, but it needs an SSL connection.
Is the SSL connection a must for AD domains and Open LDAP? Or how else to solve the above error? Please help.
While AD has a userPassword
attribute, it's just a pointer to the unicodePwd
attribute, which is the real password attribute. But userPassword
doesn't always work, as described in the documentation . For Active Directory, you're better off using unicodePwd
directly.
The documentation for unicodePwd
says that you require either SSL or SASL encryption to set the attribute. SASL would usually be done with Kerberos. If you were using DirectoryEntry
, that's easily done by specifying AuthenticationTypes.Sealing
. With Novell.Directory.Ldap
, I don't know if that's possible, and this open issue suggests that it isn't (yet).
Unless you're willing to switch to using Sytem.DirectoryServices
(which, in .NET Core, would lock you into running your app on Windows only), then I think you are stuck requiring SSL.
The unicodePwd
attribute also requires a very specific format. The documentation says:
the DC requires that the password value be specified in a UTF-16 encoded Unicode string containing the password surrounded by quotation marks, which has been BER-encoded as an octet string per the Object(Replica-Link) syntax.
In C#, that's easily done like this:
Encoding.Unicode.GetBytes("\"NewPassword\"")
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.