Change LDAP password?

There are two common ways to change a user password - through the userPassword and unicodePwd attributes. Here's the basic breakdown:
  1. userPassword
    • If you're not using AD, this is all there is to it. "userPassword" will be a write-only attribute that when set, will change the password for the user. If you are using AD, read on...
    • If "userPassword" is a regular password, you can read it and write it but not bind with it.
    • If "userPassword" is instead defined as an alias for "unicodePwd", then you can write to "userPassword" directly and bind with that value (in this case "userPassword" will be write-only).
    • Whether ?userPassword? is a regular password or an alias for ?unicodePwd? is controlled by the 9th bit of dsHeuristics.
    • In ADAM, "userPassword" is defined as an alias for unicodePwd by default.
    • You must use an SSL connection in order for this to work with AD!
  2. unicodePwd
    • In AD, by default "userPassword" is a regular attribute and you'll have to use "unicodePwd" instead.
    • If you use "unicodePwd", you must set it as a quoted unicode byte array.
    • You must use an SSL connection in order for this to work with AD (you may be able to turn that requirement off off with dsHeuristics as well)
Note that in both situations above, an SSL connection is required in order to remotely change the password with AD.

If you're bound as an administrative user, you can simply do this password change in one replace command. If you're bound as the end user, you'll have to delete the attribute (using the current password) and then add it back (using the new one).

For example: public void ChangePassword(string dn, string newpassword) { ldap1.DN = dn; ldap1.AttrCount = 1; ldap1.AttrType[0] = "unicodePwd"; ldap1.AttrValueB[0] = System.Text.Encoding.Unicode.GetBytes("\"" + newpassword + "\""); ldap1.AttrModOp[0] = LdapsAttrModOps.amoReplace; ldap1.Modify(); if (ldap1.ResultCode != 0) { /* report/handle error here */ } //for non-AD (ie Novell, OpenLdap, SunOne (iPlanet), etc): //No SSL is required /* ldap1.DN = dn; ldap1.AttrCount = 1; ldap1.AttrType[0] = "userPassword"; ldap1.AttrValue[0] = newpassword; ldap1.AttrModOp[0] = LdapsAttrModOps.amoReplace; ldap1.Modify(); if (ldap1.ResultCode != 0) { /* report/handle error here */ } */ }

We appreciate your feedback.  If you have any questions, comments, or suggestions about this article please contact our support team at kb@nsoftware.com.