Vladimir Dzhuvinov wrote:
> I'm working on a small Java package to assist users with changing their
> password in an LDAP directory. It should be usable with minimal
> knowledge about the exact server implementation and user schema.
> Ideally, the package would allow a password to be changed with just four
> parameters:
> 
> 1. The LDAP server URL
> 2. The user DN
> 3. The current user password
> 4. The new user password
> 
> I began coding a method to auto-detect the proper password change procedure.
> 
> I'm now able to check for the availability of an LDAPv3 "Password
> modify" extended operation (RFC-3062) which covers all recent OpenLDAP
> implementations. Failing this check, I'm also able to detect the
> "userPassword" attribute and whether it has a hash applied to it (by
> looking for an "{MD5}", "{SHA}", etc. prefix), which should cover other
> "standard" LDAP directories.

Note that different use-cases are handled differently on various LDAP servers.
E.g. Novell eDirectory requires using MOD_DEL oldpassword, MOD_ADD
newpassword when the user is changing his own password.

Some servers require that the old password is provided when the user changes his own
password using the Password Modify ext. op.; some don't.

> What is left now is detection of MS Active Directory servers, which have
> their own "unicodePwd" attribute and password change policy. But how to
> detect that? According to the MS spec the "unicodePwd" cannot be read or
> queried. Also, the root DSE of MS-AD doesn't include a "vendorName" to
> indicate that this is indeed an Active Directory. So now I've got to
> think of some indirect way of MS-AD detection (e.g. by looking up other
> MS-only specific entries in the root DSE), or perhaps attempting a blind
> "unicodePwd" update.

In my web2ldap I check whether the attribute type 'unicodePwd' can be found in
the subschema subentry.

Ciao, Michael.
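The detection order discussed in this thread (RFC 3062 Password Modify advertised in the root DSE, then 'unicodePwd' in the subschema subentry, then a hashed or cleartext 'userPassword'), together with the eDirectory-style delete/add modification Michael mentions, as an added, offline example. This is not code from Vladimir's package or from web2ldap; it connects to no directory, the root DSE and subschema values are constructed inline, and the function names, the decision order and the returned labels are my own choices.

```python
"""Offline sketch of LDAP password-change procedure detection (added example).

No network access: the root DSE, subschema and userPassword samples below are
constructed by hand to mirror what a server would return over LDAP.
"""
import re

# OID of the LDAP Password Modify extended operation (RFC 3062).
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# "{SCHEME}hash" prefix convention used in userPassword values.
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def password_hash_scheme(user_password):
    """Return the scheme named in a userPassword value ({MD5}, {SHA}, ...),
    or None when the value carries no prefix (i.e. is stored in cleartext)."""
    if isinstance(user_password, bytes):
        user_password = user_password.decode("utf-8", errors="replace")
    m = _SCHEME_RE.match(user_password)
    return m.group(1).upper() if m else None


def subschema_has_attribute_type(subschema_attribute_types, name):
    """True if one of the subschema subentry's attributeTypes values defines
    an attribute called `name` (case-insensitive, like LDAP descriptors)."""
    wanted = name.lower()
    for definition in subschema_attribute_types:
        # Definitions look like "( OID NAME 'x' ... )" or "NAME ( 'a' 'b' )".
        m = re.search(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))", definition)
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
        if wanted in (n.lower() for n in names):
            return True
    return False


def detect_password_procedure(root_dse, subschema_attribute_types, user_password_values):
    """Pick the password change procedure in the order the thread describes:
    1. Password Modify ext. op in root DSE supportedExtension -> "passwd-modify"
    2. unicodePwd defined in the subschema (Active Directory) -> "unicodePwd"
    3. readable userPassword -> "userPassword:<SCHEME|cleartext>"
    """
    if PASSWD_MODIFY_OID in root_dse.get("supportedExtension", []):
        return "passwd-modify"
    if subschema_has_attribute_type(subschema_attribute_types, "unicodePwd"):
        return "unicodePwd"
    if user_password_values:
        scheme = password_hash_scheme(user_password_values[0])
        return "userPassword:" + (scheme or "cleartext")
    return "unknown"


def build_userpassword_modlist(old_password, new_password):
    """Self-service change in the eDirectory style from the thread: delete the
    old value and add the new one, instead of a single replace."""
    return [
        ("MOD_DELETE", "userPassword", [old_password]),
        ("MOD_ADD", "userPassword", [new_password]),
    ]


# Constructed sample data (hypothetical server responses).
OPENLDAP_ROOT_DSE = {
    "supportedExtension": [PASSWD_MODIFY_OID, "1.3.6.1.4.1.1466.20037"],  # passwd modify + StartTLS
}
AD_ROOT_DSE = {
    "supportedExtension": ["1.3.6.1.4.1.1466.20037"],  # StartTLS only, no vendorName
}
AD_SUBSCHEMA = [
    # Constructed attributeTypes value; only the NAME token is used here.
    "( 1.2.840.113556.1.4.90 NAME 'unicodePwd' SYNTAX '1.3.6.1.4.1.1466.115.121.1.40' SINGLE-VALUE )",
]

if __name__ == "__main__":
    print(detect_password_procedure(OPENLDAP_ROOT_DSE, [], []))
    print(detect_password_procedure(AD_ROOT_DSE, AD_SUBSCHEMA, []))
    print(detect_password_procedure({}, [], [b"{SSHA}c29tZWhhc2g="]))
    print(build_userpassword_modlist("old-secret", "new-secret"))
```

The subschema check is what makes the AD case decidable without reading 'unicodePwd' itself: the attribute value is unreadable, but its schema definition is not.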
