Change Password for a User Entry in LDAP


How you change an LDAP password depends on the directory type. In Active Directory (AD), you must use the unicodePwd attribute and an SSL connection. In non-AD environments, the userPassword attribute is typically used and does not require SSL, although without SSL the new password crosses the network in clear text.

There are two common approaches:

unicodePwd

  • Required for password changes in Active Directory.
  • Must be provided as a byte array: the password enclosed in double quotes and encoded as Unicode (UTF-16LE).
  • Requires an SSL connection.
  • By default, userPassword is a regular attribute in AD and cannot be used for password changes.

userPassword

  • Used in non-AD directories (e.g., OpenLDAP, Novell).
  • Writing to this attribute changes the password directly.
  • In some AD configurations, it may act as an alias for unicodePwd (controlled by dsHeuristics).
  • In ADAM, userPassword is an alias for unicodePwd by default.

Additional Notes

  • If bound as an administrative user, the password can be changed using a single replace operation.
  • If bound as the end user, the password must be deleted (supplying the old password) and then added again (supplying the new password).

Example (changing unicodePwd in AD):

public void ChangePassword(string dn, string newpassword)
{
  // Active Directory: requires an SSL connection.
  ldap1.DN = dn;
  ldap1.AttrCount = 1;
  ldap1.AttrType[0] = "unicodePwd";
  // The value is the new password in double quotes, encoded as Unicode (UTF-16LE) bytes.
  ldap1.AttrValueB[0] = System.Text.Encoding.Unicode.GetBytes("\"" + newpassword + "\"");
  ldap1.AttrModOp[0] = LdapsAttrModOps.amoReplace;
  ldap1.Modify();
  if (ldap1.ResultCode != 0) { /* report/handle error here */ }

  // For non-AD (i.e. Novell, OpenLDAP, SunOne (iPlanet), etc.):
  // No SSL is required
  //
  // ldap1.DN = dn;
  // ldap1.AttrCount = 1;
  // ldap1.AttrType[0] = "userPassword";
  // ldap1.AttrValue[0] = newpassword;
  // ldap1.AttrModOp[0] = LdapsAttrModOps.amoReplace;
  // ldap1.Modify();
  // if (ldap1.ResultCode != 0) { /* report/handle error here */ }
}

This method ensures secure and proper password updates across different LDAP environments.
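
The article's example covers the administrative replace. The end-user case from Additional Notes (delete with the old password, then add with the new one) could look like the following added example, which is not part of the original article or the vendor's code. It assumes ldap1 is the same component instance, connected over SSL and bound as the user, that LdapsAttrModOps has amoDelete and amoAdd members alongside amoReplace, and that Modify() sends both operations in one request; ChangeOwnPassword and QuotedUnicode are hypothetical names.

```csharp
// Added example: user-initiated unicodePwd change in AD (delete old value, add new value).
public void ChangeOwnPassword(string dn, string oldpassword, string newpassword)
{
  if (string.IsNullOrEmpty(oldpassword) || string.IsNullOrEmpty(newpassword))
    throw new System.ArgumentException("Both the old and the new password are required.");

  ldap1.DN = dn;
  ldap1.AttrCount = 2;

  // Operation 1: delete the current value; this must match the user's old password.
  ldap1.AttrType[0] = "unicodePwd";
  ldap1.AttrValueB[0] = QuotedUnicode(oldpassword);
  ldap1.AttrModOp[0] = LdapsAttrModOps.amoDelete; // assumed enum member

  // Operation 2: add the new value.
  ldap1.AttrType[1] = "unicodePwd";
  ldap1.AttrValueB[1] = QuotedUnicode(newpassword);
  ldap1.AttrModOp[1] = LdapsAttrModOps.amoAdd;    // assumed enum member

  ldap1.Modify();

  // Report the result code only; never put either password in an error message or log.
  if (ldap1.ResultCode != 0)
    throw new System.InvalidOperationException(
      "Password change failed, LDAP result code " + ldap1.ResultCode);
}

// Same encoding as the article's example: the password in double quotes, as UTF-16LE bytes.
private static byte[] QuotedUnicode(string password)
{
  return System.Text.Encoding.Unicode.GetBytes("\"" + password + "\"");
}
```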
