LDAP Constraint Violation When Changing Password in AD through ldapmodify

I am currently trying to change passwords in our Active Directory environment via LDAP on Linux, since the users in question do not have access to a Windows machine and we want to keep it that way. In order to change the password I am currently stuck figuring out how to use ldapmodify to do so. After a lot of reading on different sites/forums/newsgroups I am much more confused than before.

However: I try the following command to do so:

ldapmodify -f ldif.example -H ldaps://lab01-dc01.example.com -D 'CN=test,CN=users,DC=lab01,DC=example,DC=com' -x -W

The contents of the ldif.example:

dn: CN=test,CN=Users,DC=lab01,DC=example,DC=com
changetype: modify
delete: unicodePwd
unicodePwd:: V3VQdXV1STEyLg==
-
add: unicodePwd
unicodePwd:: QmxhVVVraTEyLg==
-

(Don't worry - those passwords are not used anywhere and it is not a production environment)

Now - every time I execute the command I get the following error:

modifying entry CN=test,CN=Users,DC=lab01,DC=example,DC=com"
ldapmodify: Constraint violation (19)
 additional info: 0000216C: AtrErr: DSID-03190EB0, #1:
 0: 0000216C: DSID-03190EB0, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)

Now, from what I read the reason for this error is either that the password is badly formatted or that the password policy doesn't allow the password I used. I checked the policy - multiple times now - and the new password definitely complies with the policy by all the criteria. If I set the password using a Windows machine it also works well (of course I changed the "oldpassword" and "newpassword" afterwards since I am not allowed by the policy to change to an earlier password). The password I enter after passing the "-W" option to ldapmodify is also definitely right, otherwise the error spit out by ldapmodify is that I used invalid credentials instead of a constraint violation. So - the sole reason I can think of is indeed a badly formatted password - but I can't figure out where the bad formatting should come from since I use the normal base64 algorithm to encode the password.

Does anyone have an idea what is going on? Can anyone push me in the right direction?

Help is very appreciated and I thank you in advance.

Edit: Something which bugs me: When I run the base64-encoded strings through base64 it keeps telling me "Invalid Input". Now - I went ahead and just re-encoded the passwords with base64 on the Linux machine - but when I run the generated string through the decode function again, base64 keeps telling me "Invalid Input"... The strings, however, changed slightly between the Windows-base64-encoded string and the Linux-encoded string. But base64 just says "Invalid input" no matter what I put in there.

Edit2: Never mind - reading the purpose of the function I gather that it throws this error because of the dots and the exclamation mark in the password.

Mundt answered 3/4, 2012 at 8:18
Scratches: I'm not sure you should be doing any encoding at all. The LDAP server should do that. Try supplying both passwords in plain text.

Mundt: Yes, indeed - without encoding the password it seems to work fine. Just like I said: I read a lot about this topic and everything I read suggested that I have to use an encoded string to modify the password. Obviously - this is not quite true. Thanks!

Hernando: For me personally, I got 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd) when my user was disabled.

When setting the password, it needs to be UTF-16LE and Base64 encoded. In Java, it could be done with:

import java.nio.charset.StandardCharsets;
import java.util.Base64;
String source = "\"car\"";  // the new password, wrapped in double quotes
String utf16base64 = Base64.getEncoder().encodeToString(source.getBytes(StandardCharsets.UTF_16LE));

UTF-16LE has to be used, UTF-16 is not enough.

Changing 'unicodePwd' over LDAP requires that the new password is a Unicode string with double quotes. It means when you want to set a new password (Password01!) you convert the password with double quotes ("Password01!") into Base64.

An online tool can be used - http://www5.rptea.com/base64/ (select UTF-16).

Details about unicodePwd are there - https://technet.microsoft.com/en-us/magazine/ff848710.aspx .

Earthenware answered 3/1, 2016 at 15:41

For future reference, if anyone should encounter similar problems: The simple solution? Just use smbpasswd instead of LDAP to change the password - that works flawlessly! I am really grumped that I didn't think of it before :D

However - the way to change your password in the active directory using samba (using CentOS):

~#yum install samba
~#smbpasswd -r domaincontroller.example.com -U testuser1
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user testuser1 on domaincontroller.example.com

And then you can login using the new password. Easy as that, really.

Mundt answered 4/4, 2012 at 7:54

A constraint error could mean you used an old password that does not conform to the policy of, say, not being allowed to reuse the last 24 passwords.

For future reference: Connect to AD server (bind):

  • as Admin: you can change and reset passwords for everyone. There is a difference between change and reset. Change = AD will enforce the password policy. Reset = does not.

  • as a User: you may change your password but are not allowed to reset it. Change = AD will enforce the password policy.

Hope it helps though it's a little late!

Disingenuous answered 31/3, 2015 at 17:50

What about fetching an existing, working password from a different user and trying to include that in your ldif?

This way you will be sure that your password is working.

Second, do not use delete/add; use replace instead in the ldif. Maybe the delete will cause an objectclass violation error.

Third, you only need to base64-encode an attribute if it contains non-printable or special characters. There is an empty row at the end of the ldif file.

dn: CN=test,CN=Users,DC=lab01,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd: BlaUUki12.

Regards,

Riptide answered 4/4, 2012 at 7:4
Mundt: Thanks for your answer - replace indeed works fine, but the problem is that I have to use an admin bind in order to use the replace function. But that is probably okay, I'll just create another account. Since I solved it with smbpasswd instead of LDAP, technically I don't need it anymore - but I'll do it anyway since I'm currently digging into LDAP. Thanks again!

Oppress: This is an old question, but replace is only for admins and not users.

Flaunty: As indicated, replace does not work for the user to replace their own password. This should not be the accepted answer.
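Putting the thread's pieces together (Earthenware's encoding rule, the question's delete/add form for a self-service change, and Riptide's replace form for an administrative reset), here is an added example that is not from any of the posters. It builds both LDIF variants with a correctly encoded unicodePwd and explains why a value like the question's own base64 string draws a constraint violation. The DN and the sample passwords are constructed.

```python
import base64

def unicode_pwd_value(password):
    """AD expects the password wrapped in double quotes and serialised as UTF-16LE
    (no BOM); base64 is only the LDIF transport for the '::' syntax."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")

def diagnose_unicode_pwd(b64):
    """List the reasons a base64 unicodePwd value is malformed; [] means it looks right."""
    problems = []
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return ["not valid base64"]
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        problems.append("starts with a BOM: encoded as UTF-16, not UTF-16LE")
    if b"\x00" not in raw:
        problems.append("no NUL bytes: this is UTF-8/ASCII text, not UTF-16LE")
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return problems + ["does not decode as UTF-16LE"]
    if not (len(text) >= 2 and text[0] == '"' and text[-1] == '"'):
        problems.append("decoded password is not wrapped in double quotes")
    return problems

def change_ldif(dn, old_password, new_password):
    """Self-service change (bound as the user): delete the old value and add the
    new one in a single modify; AD checks the old value and enforces policy."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "delete: unicodePwd", f"unicodePwd:: {unicode_pwd_value(old_password)}", "-",
        "add: unicodePwd", f"unicodePwd:: {unicode_pwd_value(new_password)}", "-", "",
    ])

def reset_ldif(dn, new_password):
    """Administrative reset (bound as an account with reset rights): one replace."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "replace: unicodePwd", f"unicodePwd:: {unicode_pwd_value(new_password)}", "-", "",
    ])

if __name__ == "__main__":
    # The question's own value: plain UTF-8 of the unquoted password, so AD rejects it.
    print(diagnose_unicode_pwd("V3VQdXV1STEyLg=="))
    dn = "CN=test,CN=Users,DC=lab01,DC=example,DC=com"  # constructed sample DN
    print(change_ldif(dn, "OldSample1.", "NewSample2."))
    print(reset_ldif(dn, "NewSample2."))
```

Feed the generated text to ldapmodify over ldaps:// exactly as in the question; the change form needs the user's own bind, the reset form a bind with reset rights on the target.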

yum install samba didn't work for me as it installed smbpasswd program from samba version 3.6.9.

What worked was yum install samba4-client. This installs the smbpasswd program for Samba 4, and this version of smbpasswd actually can change the password on a Windows Server 2008 R2 Domain Controller. I used samba4-client as I don't need the Samba server, only its client utilities.

The syntax for the smbpasswd command is the same:

smbpasswd -r domaincontroller.example.com -U testuser1

Hope this helps.

Veneer answered 23/7, 2013 at 14:49