How to set an AD password from the command line

Pre-requisites

  • ldapsearch, ldapmodify - openldap-clients package
  • iconv - glibc-common package
  • base64 - coreutils package

Instructions

Let's say you want to use ldapmodify to change the password of a user in AD. You'll first need the full DN of the user, which you can look up by sAMAccountName:
# ldapsearch -xLLL -H ldap://ad.example.test \
 -D "cn=administrator,cn=users,dc=example,dc=test" -W \
 -b "cn=users,dc=example,dc=test" "samaccountname=username" dn

Next, encode the password. AD expects the new value as the password wrapped in literal double quotes, encoded as UTF-16LE, so the quotes are required. Use echo -n, or the value will end with a newline and the newline becomes part of the password. Pass -w0 to base64 so a long password is not wrapped onto several lines, which would break the LDIF:
# b64pwd=$(echo -n \""thepassword"\" | iconv -t utf-16le | base64 -w0)

Next, set the password. AD only accepts changes to unicodePwd over an encrypted connection, so you have to use either real TLS, verifying the server against the CA certificate that issued the AD server's certificate (ldapmodify does not take the -LLL flags of ldapsearch, so only -x is passed here):
# LDAPTLS_CACERT=/path/to/ad-ca.pem ldapmodify -x -ZZ -H ldap://ad.example.test \
 -D "cn=administrator,cn=users,dc=example,dc=test" -W <<EOF
dn: full dn of user from above
changetype: modify
replace: unicodePwd
unicodePwd::$b64pwd
EOF

Or, for quick-and-dirty testing only, tell the client to skip certificate verification (the connection is still encrypted, but the server is no longer authenticated):
# LDAPTLS_REQCERT=never ldapmodify -x -ZZ -H ldap://ad.example.test \
 -D "cn=administrator,cn=users,dc=example,dc=test" -W <<EOF
dn: full dn of user from above
changetype: modify
replace: unicodePwd
unicodePwd::$b64pwd
EOF

Note that you write unicodePwd:: with two colons: in LDIF a double colon means the value that follows is base64-encoded, which it has to be here because the UTF-16LE value contains NUL bytes that cannot appear in a plain LDIF value.
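The whole procedure as one reusable script, added here as an example and not part of the original post: it encodes the password exactly as described above, decodes it again so you can confirm what AD will receive, and builds the LDIF that ldapmodify reads on stdin. It assumes GNU coreutils base64 (for -w0 and -d) and glibc iconv, as listed in the pre-requisites; the DN, host and password in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Encode a password for AD's unicodePwd attribute: wrap it in literal
# double quotes, convert to UTF-16LE, then base64 it on a single line
# (-w0) so that a long password does not wrap and break the LDIF.
# printf '"%s"' is used instead of echo -n so no trailing newline can
# sneak into the password.
encode_ad_password() {
    printf '"%s"' "$1" | iconv -f utf-8 -t utf-16le | base64 -w0
}

# Reverse the encoding. Useful to check that the quotes are present and
# that nothing (like a newline) was appended before the value is sent.
decode_ad_password() {
    printf '%s' "$1" | base64 -d | iconv -f utf-16le -t utf-8
}

# Build the LDIF for replacing unicodePwd. The double colon tells
# ldapmodify the value is base64; the trailing "-" closes the mod-spec
# as RFC 2849 requires.
build_password_ldif() {
    user_dn=$1
    b64pwd=$2
    printf 'dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n-\n' \
        "$user_dn" "$b64pwd"
}

# Usage against a real domain controller (constructed placeholder values;
# ldapmodify itself is not run here). -ZZ insists on StartTLS succeeding,
# and LDAPTLS_CACERT verifies the server certificate.
#   b64=$(encode_ad_password 'thepassword')
#   build_password_ldif 'CN=username,CN=Users,DC=example,DC=test' "$b64" |
#       LDAPTLS_CACERT=/path/to/ad-ca.pem ldapmodify -x -ZZ \
#           -H ldap://ad.example.test \
#           -D "cn=administrator,cn=users,dc=example,dc=test" -W
```

Because build_password_ldif only prints the LDIF, you can pipe it into `ldapmodify -n` first to have the client parse it without sending anything, and only then drop the -n.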