LDAP Password Changing

As of version 7.8, Secret Server can perform the following operations against an LDAP server:
  • Change a user's password using the user's credentials
  • Change a user's password using a different set of credentials
  • Validate a user's password
Validating a user's password
Secret Server connects to the LDAP domain with the user's credentials; a successful bind indicates that the credentials are correct.

Changing a user's password with the user's credentials
  1. Secret Server connects to the LDAP domain with the user's credentials.
  2. Secret Server modifies the "userpassword" attribute of the user object to contain the new value.
Changing a user's password using a different set of credentials (privileged credentials)
  1. Secret Server connects to the LDAP domain using the privileged credentials.
  2. Secret Server modifies the "userpassword" attribute of the user object to contain the new value.
Each password change operation has the following steps:
  1. Connect to the domain with credentials that have sufficient permissions to change the password.
  2. Determine the distinguished name of the user whose password needs to be changed, either by:
    1. Use a specified format (for cases where all users are in the same location)
    2. Lookup the distinguished name via anonymous search.
  3. Change the appropriate attribute ("userpassword" for Open LDAP, "unicodePwd" for AD)
Since the full Distinguished Name of a user is required in order to change the user's password, a number of configuration options exist (listed below) to help avoid specifying the full Distinguished Name in every Secret. They are applied in the order described in the detailed process that follows.

The Password Change Process - In Detail:
Secret Server will connect using the credentials of the Secret that will be changing the password. If the Secret is configured to use a privileged account when changing passwords, this will be the privileged account. If not, this will be the Secret itself.
  1. If the "User Name Authentication Format" is specified, this is used to format the UserName pulled for the Secret that will be used to change the password.
  2. If the "Convert User To Distinguished Name" box is checked, the "User Distinguished Name Format" is used to format the UserName.
  3. If the "Lookup Distinguished Name For Connection" box is checked, Secret Server will attempt an anonymous connection to the LDAP server and will then search for the user's DN using the "User Search Format" field to format the query, for example (uid=$USERNAME) or (cn=$USERNAME).
  4. If none of the above cases are true, Secret Server will connect using the username on the Secret.
Once successfully connected, Secret Server needs to determine the Distinguished Name of the user whose password will be changed. This follows the priority below:
  1. If the "Convert User To Distinguished Name" box is checked, the "User Distinguished Name Format" is used to format the UserName.
  2. If the "Lookup Distinguished Name For Reset" box is checked, Secret Server will search for the user's DN using the "User Search Format" field to format the query, for example (uid=$USERNAME) or (cn=$USERNAME).
  3. If these boxes are not checked, Secret Server will treat the username on the Secret as the Distinguished Name.
Now that it has the Distinguished Name, Secret Server executes the password change operation on the LDAP entry that matches the DN.
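The following is an added worked example, written for this article and not code from Secret Server, that implements the two precedence lists above (connection identity, then target DN) and the attribute/encoding choice from the step list ("userpassword" for Open LDAP, "unicodePwd" for AD). It assumes that steps 1 to 4 of the connection phase are evaluated first-match-wins, that the directory search can be represented by a callable returning matching DNs (a constructed in-memory table stands in for the anonymous search here), and it adds RFC 4515 filter escaping and RFC 4514 DN escaping for the $USERNAME substitution so that a user name containing characters such as "*", "(" or "," cannot change the meaning of the search filter or DN; the article does not say whether Secret Server performs that escaping. The settings field names mirror the setting names in the article; all sample values are constructed.

```python
from dataclasses import dataclass
from string import Template
from typing import Callable, List, Optional, Tuple


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value substituted into a DN template."""
    escaped = ''.join('\\' + ch if ch in ',+"\\<>;' else ch for ch in value)
    if escaped[:1] in ('#', ' '):
        escaped = '\\' + escaped
    if escaped.endswith(' '):
        escaped = escaped[:-1] + '\\ '
    return escaped


@dataclass
class LdapChangeSettings:
    """Mirrors the settings named in the article; values here are constructed."""
    password_encoding_type: str = 'OpenLDAP'                 # 'OpenLDAP' or 'AD'
    password_attribute: Optional[str] = None                 # default depends on encoding type
    user_name_authentication_format: Optional[str] = None    # e.g. '$USERNAME@$DOMAIN'
    convert_user_to_distinguished_name: bool = False
    user_distinguished_name_format: Optional[str] = None     # e.g. 'UID=$USERNAME,OU=Users,DC=example,DC=com'
    lookup_distinguished_name_for_connection: bool = False
    lookup_distinguished_name_for_reset: bool = False
    user_search_format: Optional[str] = None                 # e.g. '(uid=$USERNAME)'


SearchFn = Callable[[str], List[str]]   # LDAP filter -> DNs of matching entries


def _fill(fmt: str, username: str, domain: str) -> str:
    return Template(fmt).substitute(USERNAME=username, DOMAIN=domain)


def format_dn(settings: LdapChangeSettings, username: str, domain: str) -> str:
    if not settings.user_distinguished_name_format:
        raise ValueError('"Convert User To Distinguished Name" needs a "User Distinguished Name Format"')
    return _fill(settings.user_distinguished_name_format, escape_dn_value(username), domain)


def search_dn(settings: LdapChangeSettings, username: str, search: SearchFn) -> str:
    if not settings.user_search_format:
        raise ValueError('DN lookup needs a "User Search Format"')
    ldap_filter = _fill(settings.user_search_format, escape_filter_value(username), '')
    matches = search(ldap_filter)
    # A reset must target exactly one entry: zero or several matches is an error, never a guess.
    if len(matches) != 1:
        raise LookupError('filter %r matched %d entries, expected exactly one' % (ldap_filter, len(matches)))
    return matches[0]


def resolve_bind_identity(settings: LdapChangeSettings, username: str, domain: str, search: SearchFn) -> str:
    """Connection phase, steps 1-4 (assumed first-match-wins)."""
    if settings.user_name_authentication_format:
        return _fill(settings.user_name_authentication_format, username, domain)
    if settings.convert_user_to_distinguished_name:
        return format_dn(settings, username, domain)
    if settings.lookup_distinguished_name_for_connection:
        return search_dn(settings, username, search)   # anonymous search in the real flow
    return username


def resolve_target_dn(settings: LdapChangeSettings, username: str, domain: str, search: SearchFn) -> str:
    """DN determination phase, steps 1-3."""
    if settings.convert_user_to_distinguished_name:
        return format_dn(settings, username, domain)
    if settings.lookup_distinguished_name_for_reset:
        return search_dn(settings, username, search)
    return username   # the user name on the Secret is treated as the DN


def password_modification(settings: LdapChangeSettings, new_password: str) -> Tuple[str, bytes]:
    """Attribute and encoded value for the Modify (replace) request."""
    if settings.password_encoding_type == 'AD':
        # AD's unicodePwd takes the new password wrapped in double quotes, UTF-16LE encoded.
        return (settings.password_attribute or 'unicodePwd', ('"%s"' % new_password).encode('utf-16-le'))
    return (settings.password_attribute or 'userpassword', new_password.encode('utf-8'))


def plan_password_change(settings: LdapChangeSettings, username: str, domain: str,
                         new_password: str, search: SearchFn) -> dict:
    attribute, value = password_modification(settings, new_password)
    return {'bind_identity': resolve_bind_identity(settings, username, domain, search),
            'target_dn': resolve_target_dn(settings, username, domain, search),
            'attribute': attribute, 'value': value}


# Constructed in-memory stand-in for the directory search; a real flow issues a SearchRequest.
SAMPLE_DIRECTORY = {
    '(uid=jdoe)': ['uid=jdoe,ou=Users,dc=example,dc=com'],
    '(uid=dup)': ['uid=dup,ou=Users,dc=example,dc=com', 'uid=dup,ou=Staff,dc=example,dc=com'],
}


def sample_search(ldap_filter: str) -> List[str]:
    return SAMPLE_DIRECTORY.get(ldap_filter, [])


if __name__ == '__main__':
    openldap = LdapChangeSettings(lookup_distinguished_name_for_connection=True,
                                  lookup_distinguished_name_for_reset=True,
                                  user_search_format='(uid=$USERNAME)')
    print(plan_password_change(openldap, 'jdoe', '', 'new-secret', sample_search))
    ad = LdapChangeSettings(password_encoding_type='AD',
                            user_name_authentication_format='$USERNAME@$DOMAIN',
                            convert_user_to_distinguished_name=True,
                            user_distinguished_name_format='CN=$USERNAME,OU=Users,DC=example,DC=com')
    print(plan_password_change(ad, 'jdoe', 'example.com', 'new-secret', sample_search))
```

Two details worth keeping when adapting this: the search path refuses to proceed unless the filter matches exactly one entry, because a reset that silently picks the first of several matches changes the wrong account's password; and the AD branch produces the quoted UTF-16LE value that the unicodePwd attribute requires, which is the difference the "Password Encoding Type" setting selects.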

The full list of settings is detailed below.
Secure Socket Layer:
 - Controls whether Secret Server connects to the LDAP server using SSL or not.

Lookup Distinguished Name For Connection:
 - Uses an anonymous connection to lookup the distinguished name to use when connecting to the LDAP server.

Lookup Distinguished Name For Reset:
 - Searches the LDAP server for the distinguished name of the user whose password will be changed.

Password Encoding Type:
 - Determines whether passwords are encoded for Open LDAP or AD.

Password Attribute:
 - By default this is "userpassword" for Open LDAP or "unicodePwd" for AD, but any attribute can be entered here.

Protocol Version:
 - The version of the LDAP protocol to use, 3 by default.

User Name Authentication Format:
 - Specifies the user name format to use when connecting to the LDAP server. For example, AD may use $USERNAME@$DOMAIN.

Auth Type:
 - The authentication mechanism to use when connecting to the LDAP server. Basic by default.

User Search Format:
 - Defines the search request executed against the LDAP server to find the user's distinguished name. For example, Open LDAP may use (uid=$USERNAME).

Convert User To Distinguished Name:
 - Indicates whether or not the system will use the "User Distinguished Name Format" setting to generate the user's distinguished name.

User Distinguished Name Format:
 - Holds the format used to generate a user's distinguished name. For example: UID=$USERNAME,OU=Users,DC=MyDomain,DC=com

Note: If the "User cannot change password" account option is enabled, the message "There was a problem with the LDAP request. The password may not meet the policy requirements. The requested attribute does not exist." will appear when testing the password changer.

Article ID: 183, Created On: 10/11/2011, Modified: 5/5/2014
