Rich Megginson (richmegginson) wrote,

How to set AD password from command line

Pre-requisites

  • ldapsearch, ldapmodify - openldap-clients package
  • iconv - glibc-common package
  • base64 - coreutils package

Instructions


Let's say you want to use ldapmodify to modify the password of a user in AD. You'll first need the full DN of the user. Use -ZZ here as well: a simple bind (-x) sends the administrator password in the clear unless the connection is protected by StartTLS:
# LDAPTLS_CACERT=/path/to/ad-ca.pem ldapsearch -xLLL -ZZ -H ldap://ad.example.test \
 -D "cn=administrator,cn=users,dc=example,dc=test" -W \
 -b "cn=users,dc=example,dc=test" "samaccountname=username" dn

Next, encode the password. AD expects the value of unicodePwd to be the password enclosed in literal double quotes, encoded as UTF-16LE; it is then base64-encoded so it can be carried in LDIF. Don't forget echo -n, or your password will end with a newline, and pass -w0 to base64 so the output is a single line (by default it wraps at 76 characters, which splits the LDIF value for any password of 27 or more characters). Be aware that a password typed on the command line is recorded in your shell history:
# b64pwd=`echo -n \""thepassword"\"|iconv --to utf-16le|base64 -w0`

Next, set the password. AD refuses to modify unicodePwd over an unencrypted connection, so you will have to use either real TLS (-ZZ makes StartTLS mandatory) with the real CA cert for AD, pointed to by LDAPTLS_CACERT. Using replace performs an administrative reset: it requires the Reset Password right on the user object, but not the user's old password. Note that -LLL is an ldapsearch option and is not accepted by ldapmodify:
# LDAPTLS_CACERT=/path/to/ad-ca.pem ldapmodify -x -ZZ -H ldap://ad.example.test \
 -D "cn=administrator,cn=users,dc=example,dc=test" -W <<EOF
dn: full dn of user from above
changetype: modify
replace: unicodePwd
unicodePwd::$b64pwd
EOF

OR - for quick&dirty testing against a lab AD, skip certificate verification. LDAPTLS_REQCERT=never still encrypts the connection (so AD accepts the write), but it no longer checks who you are talking to, so anyone who can redirect the connection can capture both the administrator credentials and the new password. Don't do this against a production domain:
# LDAPTLS_REQCERT=never ldapmodify -x -ZZ -H ldap://ad.example.test \
 -D "cn=administrator,cn=users,dc=example,dc=test" -W <<EOF
dn: full dn of user from above
changetype: modify
replace: unicodePwd
unicodePwd::$b64pwd
EOF

Note that you use unicodePwd:: with two colons because the value is base64-encoded, and the whole value must sit on a single line. AD still enforces the domain password policy (minimum length, complexity, history) on the new value; a password that violates it is rejected by the modify, so check the error output rather than assuming the change took.
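The whole procedure above, as an added example that is not code from the original post. It wraps the encoding, the LDIF construction and the two LDAP calls in shell functions, and it guards against the two ways the LDIF silently breaks (a trailing newline from echo, and base64 line wrapping). It assumes a glibc iconv and a coreutils-style base64 on PATH; the AD host, administrator DN, base DN and CA path are placeholders taken from the post, and the user name and password in the usage note are made up.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes glibc iconv and
# a coreutils-style base64 on PATH; the AD host, administrator DN, base DN
# and CA path below are placeholders to replace.
set -eu

AD_URI="${AD_URI:-ldap://ad.example.test}"
ADMIN_DN="${ADMIN_DN:-cn=administrator,cn=users,dc=example,dc=test}"
BASE_DN="${BASE_DN:-cn=users,dc=example,dc=test}"
AD_CA="${AD_CA:-/path/to/ad-ca.pem}"

# AD wants unicodePwd as the password wrapped in literal double quotes,
# encoded UTF-16LE; base64 is only the LDIF transport encoding.
# printf '%s' writes no trailing newline (the classic `echo` mistake), and
# tr -d '\n' strips the wrapping base64 inserts every 76 characters, which
# would otherwise split the value for passwords of 27 or more characters.
encode_ad_password() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Build the LDIF for an administrative reset. `replace` needs the Reset
# Password right on the object but not the old password. Two colons after
# the attribute name mean "value is base64". A value that still contains a
# newline would corrupt the LDIF, so refuse it instead of sending it.
build_password_ldif() {
    dn="$1"; b64="$2"
    nl=$(printf '\nx'); nl=${nl%x}
    case "$b64" in
        *"$nl"*) echo "refusing base64 value that contains a newline" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\nreplace: unicodePwd\nunicodePwd:: %s\n-\n' "$dn" "$b64"
}

# Look up the user's DN by sAMAccountName. -ZZ forces StartTLS so the
# simple bind does not send the administrator password in clear;
# ldif-wrap=no keeps a long DN on one line so sed can pick it out.
lookup_user_dn() {
    LDAPTLS_CACERT="$AD_CA" ldapsearch -x -LLL -ZZ -o ldif-wrap=no -H "$AD_URI" \
        -D "$ADMIN_DN" -W -b "$BASE_DN" "(sAMAccountName=$1)" dn \
        | sed -n 's/^dn: //p'
}

# Apply the change. AD refuses unicodePwd writes on an unencrypted
# connection; LDAPTLS_CACERT verifies the server certificate, which
# LDAPTLS_REQCERT=never would skip, letting a man in the middle read both
# the administrator credentials and the new password.
set_ad_password() {
    user_dn="$1"; new_password="$2"
    b64=$(encode_ad_password "$new_password")
    build_password_ldif "$user_dn" "$b64" \
        | LDAPTLS_CACERT="$AD_CA" ldapmodify -x -ZZ -H "$AD_URI" -D "$ADMIN_DN" -W
}

# Usage (hypothetical account and password; prompts for the administrator
# password twice, once for the search and once for the modify):
#   dn=$(lookup_user_dn jdoe)
#   set_ad_password "$dn" 'N3w-Passw0rd!'
```

Passing the new password as a function argument keeps it out of the LDIF file on disk, but it still appears in shell history if typed interactively; for scripted use, read it from a prompt or a protected file instead.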
Tags: active directory, ldap