Ozzy
Random passer-by
-
#1
Hi all! Please advise how to fix this problem. Users connect to the Check Point gateway via Endpoint Security VPN with a username and password. If a user's password has expired, the client offers to change or update it, but this cannot be done. The following error appears: Failed to modify password, LDAP Error
Where should I look for the cause?
Last edited: 07.03.2022
-
#5
It feels as if there are no permissions to change the password in AD.
And what if, for example, a domain admin tries to change the password this way, via Gaia or via Endpoint Security VPN?
-
#10
In my experience it only works every other time. And whether it works depends heavily on the client version.
I am currently trying to change passwords in our Active Directory environment via LDAP on Linux, since the users in question do not have access to a Windows machine and we want to keep it that way.
In order to change the password I am currently stuck figuring out how to use ldapmodify to do so. After a lot of reading on different sites/forums/newsgroups I am much more confused than before.
However:
I try the following command to do so:
ldapmodify -f ldif.example -H ldaps://lab01-dc01.example.com -D 'CN=test,CN=users,DC=lab01,DC=example,DC=com' -x -W
The contents of the ldif.example:
dn: CN=test,CN=Users,DC=lab01,DC=example,DC=com
changetype: modify
delete: unicodePwd
unicodePwd:: V3VQdXV1STEyLg==
-
add: unicodePwd
unicodePwd:: QmxhVVVraTEyLg==
-
(Don't worry — those passwords are not used anywhere and it is not a production environment)
Now — every time I execute the command I get the following error:
modifying entry "CN=test,CN=Users,DC=lab01,DC=example,DC=com"
ldapmodify: Constraint violation (19)
additional info: 0000216C: AtrErr: DSID-03190EB0, #1:
0: 0000216C: DSID-03190EB0, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
Now, from what I read the reason for this error is either that the password is badly formatted or that the password policy doesn't allow the password I used. I checked the policy — multiple times now — and the new password definitely complies with the policy by all the criteria. If I set the password using a Windows machine it also works well (of course I changed the "oldpassword" and "newpassword" afterwards, since the policy does not allow me to change to an earlier password). The password I enter after passing the "-W" option to ldapmodify is also definitely right, otherwise the error spit out by ldapmodify would be that I used invalid credentials instead of a constraint violation.
So — the sole reason I can think of is indeed a badly formatted password — but I can't figure out where the bad formatting should come from, since I use the normal base64 algorithm to encode the password.
Has anyone an idea what is going on?
Can anyone push me in the right direction?
Help is very appreciated and I thank you in advance.
Edit:
Something which bugs me:
When I run the base64-encoded strings through base64 it keeps telling me "Invalid Input". Now — I went ahead and just re-encoded the passwords with base64 on the Linux machine — but when I run the generated string through the decode function again, base64 keeps telling me "Invalid Input"… The strings however changed slightly between the Windows base64-encoded string and the Linux-encoded string. But base64 just says "Invalid input" no matter what I put in there.
Edit2:
Nevermind — reading the purpose of the function I gather that it throws this error because of the dots and the exclamation mark in the password.
Hello there,
I tried sk89841 but it failed.
It is not possible to change the password when the VPN user password expires or at the first login.
Why, what could it be?
- SSL is active on port 636
- I'm running the test with the admin user
Unable to change the password in Check Point VPN.
I'm waiting for your help.
I am writing C# code to change an LDAP user's password, either by the user himself or by the admin.
I can successfully authenticate the users. However, I get the following error message when I try to invoke a ChangePassword or SetPassword behavior:
InnerException: The directory property cannot be found in the cache.
My code is as follows:
using System;
using System.DirectoryServices;

// Connection details as posted (AD LDS instance listening on port 50405)
string LDAPPath = "LDAP://10.29.0.1:50405/DC=DCServerName,DC=local";
string LDAPAdminDN = "CN=useradmin,OU=SystemAccounts,DC=DCServerName,DC=local";
string LDAPAdminPwd = "S8kf5t3!";
string username = "user1";
string password = "oldPassword1";
string npassword = "newPassword1";

bool ChangeUserPassword()
{
    DirectoryEntry root = new DirectoryEntry(
        LDAPPath,
        LDAPAdminDN,
        LDAPAdminPwd,
        AuthenticationTypes.None
    );
    using (root)
    {
        // Look the user up by CN under the admin bind
        DirectorySearcher searcher = new DirectorySearcher(root,
            string.Format("(CN={0})", username)
        );
        var result = searcher.FindOne();
        if (result != null)
        {
            var user = result.GetDirectoryEntry();
            try
            {
                // This call is what fails with "The directory property cannot be found in the cache."
                user.Invoke("ChangePassword", new object[] { password, npassword });
                user.Properties["LockOutTime"].Value = 0;
                //user.Invoke("SetPassword", new object[] { npassword });
                user.CommitChanges();
            }
            catch (Exception e)
            {
                string innerMsg = e.InnerException.Message;
                return false;
            }
        }
    }
    return true;
}
I am wondering how to resolve this problem to change the password successfully. Thank you guys
Update:
I tried several options as below, but none of them work:
One:
// ADSI option constants (ADS_OPTION_ENUM / ADS_PASSWORD_ENCODING_ENUM); not defined by .NET, so declared here
const int ADS_OPTION_PASSWORD_PORTNUMBER = 6;
const int ADS_OPTION_PASSWORD_METHOD = 7;
const int ADS_PASSWORD_ENCODE_CLEAR = 1;
int intPort = 50405;
user.Invoke("SetOption", new object[] { ADS_OPTION_PASSWORD_PORTNUMBER, intPort });
user.Invoke("SetOption", new object[] { ADS_OPTION_PASSWORD_METHOD, ADS_PASSWORD_ENCODE_CLEAR });
Two:
user.UsePropertyCache = true;
They all fail with error 0x80072020.
My IT guy enabled "change password on non-SSL"; I am not sure whether any settings on the AD LDS side matter.
Question:
Am I right to use an admin account to change a user’s password in this way instead of using any impersonate code?
Solution – 1
What about fetching an existing, working password from a different user and trying to include that in your ldif?
This way you will be sure that your password is working.
Second, do not use delete/add; use replace instead in the ldif. Maybe the delete will cause an objectclass violation error.
Third, you only need to base64-encode an attribute if it contains non-printable or special characters. There is an empty row at the end of the ldif file.
dn: CN=test,CN=Users,DC=lab01,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd: BlaUUki12.
Regards,
Solution – 2
For future reference, if anyone should encounter similiar problems:
The simple solution? Just use smbpasswd instead of ldap to change the password – that works flawlessly! I am really annoyed that I didn't think of it before 😀
However – the way to change your password in the Active Directory using Samba (on CentOS):
~#yum install samba
~#smbpasswd -r domaincontroller.example.com -U testuser1
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user testuser1 on domaincontroller.example.com
And then you can login using the new password. Easy as that, really.
Solution – 3
yum install samba
didn't work for me, as it installed the smbpasswd program from Samba version 3.6.9.
What worked was:
yum install samba4-client
This installs the smbpasswd program for Samba 4, and this version of smbpasswd actually can change the password on a Windows Server 2008 R2 Domain Controller. I used samba4-client as I don't need the Samba server, only its client utilities.
The syntax for the smbpasswd command is the same:
smbpasswd -r domaincontroller.example.com -U testuser1
Hope this helps.
Solution – 4
Constraint error could mean you use an old password that does not conform to the policy of, say, cannot use the last 24 passwords.
For future reference, connect to the AD server (bind):
- as Admin: you can change and reset passwords for everyone. There is a difference between change and reset. Change = AD will enforce the password policy. Reset = does not.
- as a User: you may change your password but are not allowed to reset it. Change = AD will enforce the password policy.
Hope it helps though it’s a little late!
Solution – 5
When setting the password, it needs to be UTF-16LE and Base64 encoded. In Java, it could be done with:
import java.nio.charset.StandardCharsets;
import java.util.Base64;

// The value is the new password wrapped in double quotes, encoded as UTF-16LE, then Base64
String source = "\"car\"";
String utf16base64 = Base64.getEncoder().encodeToString(source.getBytes(StandardCharsets.UTF_16LE));
UTF-16LE has to be used, UTF-16 is not enough.
Changing 'unicodePwd' over LDAP requires that the new password is a Unicode string with double quotes. It means that when you want to set a new password (Password01!) you convert the password with double quotes ("Password01!") into Base64.
An online tool can be used – http://www5.rptea.com/base64/ (select UTF-16).
Details about unicodePwd are there – https://technet.microsoft.com/en-us/magazine/ff848710.aspx .
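As an added example (not code from any of the answers above), the following Python helper builds the unicodePwd value exactly as Solutions 4 and 5 describe (double-quoted, UTF-16LE, then base64) and emits the LDIF for both a user-initiated change (delete old, add new; policy enforced) and an administrative reset (replace). The check function decodes a base64 value the way the DC sees it, which shows why the two values in the original question were rejected: they are plain UTF-8 without quotes. The DN and passwords are constructed sample values.

```python
import base64


def encode_unicode_pwd(password: str) -> str:
    """AD expects unicodePwd as the password wrapped in double quotes and
    encoded UTF-16LE; LDIF carries the binary value base64 (the '::' form)."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def check_unicode_pwd(b64: str) -> str:
    """Classify a base64 unicodePwd value the way the DC would see it.
    Returns 'ok' or a short reason the DC would answer CONSTRAINT_ATT_TYPE."""
    raw = base64.b64decode(b64)
    if len(raw) % 2:
        return "odd byte count: not UTF-16LE"
    text = raw.decode("utf-16-le", errors="replace")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        return "not a double-quoted UTF-16LE string (UTF-8 or quotes missing?)"
    return "ok"


def ldif_change(dn: str, old: str, new: str) -> str:
    """User-initiated change: delete the old value and add the new one.
    The DC enforces the password policy (history, minimum age, complexity)."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "delete: unicodePwd", f"unicodePwd:: {encode_unicode_pwd(old)}", "-",
        "add: unicodePwd", f"unicodePwd:: {encode_unicode_pwd(new)}", "-", ""])


def ldif_reset(dn: str, new: str) -> str:
    """Administrative reset: replace the value; requires the Reset Password right."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "replace: unicodePwd", f"unicodePwd:: {encode_unicode_pwd(new)}", "-", ""])


if __name__ == "__main__":
    # Constructed sample DN and passwords, not from any real directory.
    dn = "CN=test,CN=Users,DC=lab01,DC=example,DC=com"
    # The two values from the question: plain UTF-8 and no quotes, hence the error.
    for v in ("V3VQdXV1STEyLg==", "QmxhVVVraTEyLg=="):
        print(v, "->", check_unicode_pwd(v))
    print(ldif_change(dn, "OldPassw0rd!", "Password01!"))
    print(ldif_reset(dn, "Password01!"))
```

Feed the generated LDIF to the same ldapmodify command as in the question; the LDAPS (or signed/sealed) connection is still required, since the DC refuses unicodePwd modifications over a clear-text session.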