dmichailov #1
Change Active Directory Password via CFLDAP - HELP!!
Hello all!
Has anyone successfully made CFLDAP change an Active Directory user password?
I've been hitting the wall for the past week, searched the archive, with no
luck.
I have set up SSL between CF and AD, and I am binding to the directory with an
Account Operator account. AD password requirements have been turned off,
except password length which is 5 and the password that we try to change is
clearly more than 5 characters. Once I run the code below, I get the following
error message:
An error has occured while trying to execute modify :[LDAP: error code 53 -
0000001F: SvcErr: DSID-031A0FBC, problem 5003 (WILL_NOT_PERFORM), data 0
One or more of the required attributes may be missing/incorrect or you do not
have permissions to execute this operation on the server
Can anyone help? What are we doing wrong?
<cfset unicodePass = '"tester123"'> <!--- Set the pass, include the quotes --->
<cfset unPwd = ToBase64(unicodePass)> <!--- Convert to Base64 --->
<CFLDAP action="MODIFY"
server="#this.ldapServer#"
DN="#getUserDNRet#"
attributes="unicodePwd=#unpwd#"
modifyType="replace"
username="domainName\AccountOperatorUserName"
password="AccountOperatorPasswordr"
secure="CFSSL_BASIC"
port="636">
dmichailov Guest
-
dmichailov #2
Re: Change Active Directory Password via CFLDAP - HELP!!
Bump. Anyone?
dmichailov Guest
-
amac0001 #3
Re: Change Active Directory Password via CFLDAP - HELP!!
Check the security permissions of users in the active directory console. I believe there is an option to allow or disallow users from changing their own passwords.
amac0001 Guest
-
dmichailov #4
Re: Change Active Directory Password via CFLDAP - HELP!!
Still no luck.
The users have permission to change their passwords. Also note that I am using
an Account Operator account to reset the password. I also tried to use the domain
administrator's account, but I am still getting the same WILL_NOT_PERFORM error.
Could it be because of the UNICODE/base64 encoding of the password?
Can anyone help? Has anyone done this successfully?
dmichailov Guest
-
Unregistered #5
Re: Change Active Directory Password via CFLDAP - HELP!!
VICTORY!
Like many, I had been searching for a way to reset the active directory password via CFLDAP. From what I understood, it should be possible if you set up an SSL connection. After much difficulty, I was able to set up the certs on both servers. I verified that they were working by performing a CFLDAP query using secure="CFSSL_BASIC" over port 636. But I still could not set unicodePwd. I figured it has something to do with the particular encoding of the password but couldn't find a way to make it work.
I found some embedded Java code which claimed to work for the reset, but it did not work for me. However, with a little tweaking, I was able to get it to work. Here is the code that worked for me:
<cfset new_pwd = "NewPassword123!">
<cfset new_pwd_quotes = """#new_pwd#""">
<cfset unicode_pwd = new_pwd_quotes.getBytes("UTF-16LE") >
<cfset adminName = "CN=Administrator, CN=Users, dc=ad2003-dev, dc=com">
<cfset adminPwd = "adminPassword">
<cfset userToReset = "CN=Ed Test, OU=Users, OU=Development, OU=IB, dc=ad2003-dev, dc=com"> <!--- Retrieve this info via an earlier CFLDAP --->
<cfset ldapsURL = "ldaps://someLDAPServer.somedomain.com:636">
<cfset javaEnv = CreateObject("java", "java.util.Hashtable").Init()>
<cfset javaEnv.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory")>
<cfset javaEnv.put("java.naming.provider.url", ldapsURL)>
<cfset javaEnv.put("java.naming.security.principal", adminName)>
<cfset javaEnv.put("java.naming.security.credentials", adminPwd)>
<cfset javaEnv.put("java.naming.security.authentication", "simple")>
<cfset javaEnv.put("java.naming.security.protocol", "ssl")>
<cfset javaCtx = CreateObject("java", "javax.naming.directory.InitialDirContext").Init(javaEnv)>
<cfset javaAttr = CreateObject("java", "javax.naming.directory.BasicAttributes").Init("unicodePwd", unicode_pwd)>
<cfset javaCtx.modifyAttributes(userToReset, javaCtx.REPLACE_ATTRIBUTE, javaAttr)>
<cfset javaCtx.close()>
See this post for the original embedded Java code:
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:335974
I hope this helps someone!
Unregistered Guest
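Active Directory accepts unicodePwd only as the password wrapped in double quotes and encoded as UTF-16LE, which is what getBytes("UTF-16LE") in post #5 produces and what ToBase64 on the plain string in post #1 does not. The check below is an added example, not code from any poster in this thread; encode_unicode_pwd, diagnose and the two sample values are illustrative names, and it assumes CFLDAP hands the attribute string to the server as written.

```python
import base64
import binascii

QUOTE = '"'.encode("utf-16-le")  # b'\x22\x00', one UTF-16LE code unit


def encode_unicode_pwd(password):
    """Bytes AD expects in unicodePwd: the quoted password as UTF-16LE."""
    return ('"' + password + '"').encode("utf-16-le")


def diagnose(value):
    """Name the encoding defect in a candidate unicodePwd value, or 'ok'.

    Heuristic: it inspects framing and encoding only, not password policy.
    """
    if (len(value) >= 4 and len(value) % 2 == 0
            and value.startswith(QUOTE) and value.endswith(QUOTE)):
        return "ok"
    try:
        text = value.decode("ascii")
    except UnicodeDecodeError:
        text = None
    if text is not None:
        if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
            return "quoted but single-byte, not UTF-16LE"
        try:
            inner = base64.b64decode(text, validate=True)
        except binascii.Error:
            inner = b""
        if inner:
            # The value is Base64 text; report what it wraps.
            return "Base64 text wrapping: " + diagnose(inner)
    try:
        value.decode("utf-16-le")
    except UnicodeDecodeError:
        return "unrecognised encoding"
    return "UTF-16LE but missing the surrounding quotes"


# Constructed from the thread: post #1 Base64-encodes the quoted ASCII string,
# post #5 sends the quoted string as raw UTF-16LE bytes.
POST1_VALUE = base64.b64encode(b'"tester123"')
POST5_VALUE = encode_unicode_pwd("NewPassword123!")

if __name__ == "__main__":
    for label, value in (("post #1", POST1_VALUE), ("post #5", POST5_VALUE)):
        print(label, value.hex(), "->", diagnose(value))
```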




