I'll jump in again and state that Windows 2000 did not support setting unicodePwd using anything other than LDAPS, but Windows 2003 and 2008 do support using SASL with "auth-conf" (SASL confidentiality is now the default mechanism in the ADSI libraries). The MS documents are fairly confusing, but I have code that sets the password using ADSI on port 389 after setting Kerberos encryption.

password and unicodePwd cannot be viewed, and I think that after Windows 2000, password cannot be set (only unicodePwd). Again, there are bugs in auth-conf and service principal binds (UPN with a "/") in Windows 2008 that require hotfixes, and only the latter hotfix is public.

(My plane is boarding now, gotta run)

-Ross

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Russ Allbery
Sent: Wednesday, January 07, 2009 12:04 PM
To: Michael B Allen
Cc: [email protected]
Subject: Re: computer account change password with Windows 2008 domain

"Michael B Allen" <[email protected]> writes:

> Do you know if it works when SASL confidentiality is used instead of TLS?

It does not. Microsoft's LDAP implementation requires TLS in order to view or change the password attribute. I don't know of any technical reason why SASL confidentiality wouldn't be sufficient (provided the negotiated strength were high enough), but their implementation doesn't appear to support this.

> Is there any method that works at all?
> I'm sure a lot of people would like to know exactly what privacy
> establishment methods allow you to set unicodePwd over LDAP.

Under Windows 2008, so far as I can determine, the only supported way to set unicodePwd over LDAP is to use password binds with TLS. I don't believe this is intentional -- Microsoft acknowledges that it's a bug rather than a design intention -- but as long as the bug is present, it amounts to the same thing.

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
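The thread discusses which session protections let a client set unicodePwd over LDAP, but not what the modify request itself looks like. The following is an added example, not code from either poster: it builds (without sending) the LDAP modify operations for an Active Directory password change or reset. The unicodePwd value format (the password enclosed in double quotes, encoded as UTF-16LE), and the delete-old/add-new versus replace distinction, are Microsoft's documented conventions; the `Session` flags, the `require_protected_session` guard, the function names and the LDIF rendering are this example's own assumptions about how a client would be wired up. The guard accepts either TLS or SASL confidentiality, since the two posters disagree on whether auth-conf works against Windows 2008; tighten it to TLS only if your domain controllers behave as Russ describes.

```python
"""Build (but do not send) the LDAP modify operations that set an Active
Directory password through the unicodePwd attribute.  Added example; not
code from the mailing-list thread.
"""
import base64
from dataclasses import dataclass

ATTR = "unicodePwd"


@dataclass
class Session:
    """How the LDAP session is protected.  This is an assumption of the
    example; a real client would derive these flags from its connection."""
    tls: bool = False                   # LDAPS (636) or STARTTLS established
    sasl_confidentiality: bool = False  # e.g. GSSAPI bind negotiated auth-conf


def require_protected_session(session: Session) -> None:
    """Refuse to build a password modify on an unprotected session.  The DC
    rejects such requests anyway; failing on the client side keeps the
    password off the wire entirely."""
    if not (session.tls or session.sasl_confidentiality):
        raise PermissionError("unicodePwd requires TLS or SASL confidentiality")


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the value as the password in double quotes, UTF-16LE encoded."""
    if not password:
        raise ValueError("empty password")
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd; useful in tests and when inspecting traces."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("value is not a quoted unicodePwd")
    return text[1:-1]


def password_change_ops(session: Session, old: str, new: str) -> list:
    """Self-service change: delete the old value and add the new one in a
    single modify.  Works with the account's own credentials (a computer
    account changing its own password, as in the thread's subject)."""
    require_protected_session(session)
    return [("delete", ATTR, [encode_unicode_pwd(old)]),
            ("add", ATTR, [encode_unicode_pwd(new)])]


def password_reset_ops(session: Session, new: str) -> list:
    """Administrative reset: replace the value; requires the reset-password
    right on the target object rather than knowledge of the old password."""
    require_protected_session(session)
    return [("replace", ATTR, [encode_unicode_pwd(new)])]


def to_ldif(dn: str, ops: list) -> str:
    """Render the operations as an LDIF modify record.  The value is binary,
    so it is emitted with the '::' base64 form."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in ops:
        lines.append(f"{op}: {attr}")
        for value in values:
            lines.append(f"{attr}:: {base64.b64encode(value).decode('ascii')}")
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: a computer object changing its own password.
    session = Session(tls=True)
    ops = password_change_ops(session, "OldPass1", "NewPass2")
    print(to_ldif("CN=host1,CN=Computers,DC=example,DC=com", ops))
```

The LDIF output is only for inspection; a real client hands the same (op, attribute, values) triples to its LDAP library's modify call after binding over the protected session.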
