
Is it possible to change the password via cfldap?

Apr 25, 2014

For some time I have been trying to change a password via cfldap. The connection is made over SSL and port 636 (cfssl_basic), tested within logins. I tried the following version of code:

```cfml
<!--- encoded, decoded password --->
<cfset password_new_retyp = charsetEncode(charsetDecode('"' & password_new_retyp & '"', 'UTF-16LE'), 'UTF-8')>

<cfldap action="modify"
        dn="#session.dn_addres#"               <!--- I query this on login --->
        modifyType="replace"
        attributes="unicodePwd=#password_new_retyp#"
        server="xxxx.xxxx.xxx.xx"              <!--- name of server that I use on login --->
        secure="cfssl_basic"
        port="636"
        username="#session.username#"          <!--- username that is used on login --->
        password="#password_old#">             <!--- pass before changing --->
```

and the error is something like this:

An error has occured while trying to execute query :[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0 ].

I also tried this method without encoding the password:

```cfml
<cfldap action="modify"
        dn="#session.dn_addres#"
        modifyType="replace"
        attributes="password=#password_new_retyp#"
        server="xxxx.xxxx.xxx.xx"
        secure="cfssl_basic"
        port="636"
        username="#session.username#"
        password="#password_old#">
```

and the error is the same:

An error has occured while trying to execute query :[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0 ]. One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server.

Any idea?

May 09, 2014
Both of those errors are actually for "invalid credentials" (IBM: Data codes related to 'LDAP: error code 49' with Microsoft Active Directory - United States).

My guess is that the account you are trying to change the password for is flagged as "password expired" or "must change password". In that case, you won't be able to use the same login to change the password. The workaround would be to use an administrative login that has rights to change user passwords. You'll also want to make sure the user's "current" password is valid by trying a <cfldap> prior to changing the password, looking for a successful connection or the "change password" error codes, "data 532" or "data 773".

Another issue I think you'll have with your first example is the encoding of the new password. From what I have read, it needs to be UTF-16LE (which you are doing) but then Base64 encoded.

```cfml
<cfset password_new_retyp = BinaryEncode(CharsetDecode('"#password_new_retyp#"','UTF-16LE'),'Base64') />
```

To be honest, I haven't gotten this to work myself, getting a WILL_NOT_PERFORM error. I think I need to use ColdFusion 11's new `useTLS` option for <cfldap>, but I don't have it installed anywhere just yet. I currently use .NET to change a user's password. It works but I feel the <cfldap> approach would be better. I've also seen other suggestions to use command line tools using <cfexecute>.

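The pre-check suggested in the answer (bind with the user's current password, then read the Active Directory sub-code from the error), as an added CFML example that is not code from either poster. `classifyAdBindError`, `checkCurrentPassword`, their argument names and the `decision` values are hypothetical; the port and `secure` setting are taken from the question, and reading the LDAP text from `cfcatch.message` plus `cfcatch.detail` is an assumption about where ColdFusion places it.

```cfml
<cfscript>
// Added example: function names and "decision" values are hypothetical.
// Only the three sub-codes named in this thread are mapped.
function classifyAdBindError(required string message) {
    var result = { ldapCode = "", dataCode = "", decision = "unknown" };
    var m = reFindNoCase("error code ([0-9]+).*AcceptSecurityContext error, data ([0-9a-f]+)",
                         arguments.message, 1, true);
    if (arrayLen(m.pos) LT 3) { return result; }  // not an AD bind-failure message
    result.ldapCode = mid(arguments.message, m.pos[2], m.len[2]);
    result.dataCode = lCase(mid(arguments.message, m.pos[3], m.len[3]));
    if (result.ldapCode NEQ "49") { return result; }
    switch (result.dataCode) {
        case "52e":              // invalid credentials
            result.decision = "invalid_credentials"; break;
        case "532": case "773":  // the "change password" codes from the answer
            result.decision = "password_change_required"; break;
    }
    return result;
}
</cfscript>

<!--- Pre-check from the answer: bind with the user's current password first. --->
<cffunction name="checkCurrentPassword" returntype="struct" output="false">
    <cfargument name="server" type="string" required="true">
    <cfargument name="userDn" type="string" required="true">
    <cfargument name="username" type="string" required="true">
    <cfargument name="password" type="string" required="true">
    <cfset var q = "">
    <cfset var ok = { ldapCode = "", dataCode = "", decision = "ok" }>
    <cftry>
        <cfldap action="query" name="q" server="#arguments.server#" port="636"
                secure="cfssl_basic" username="#arguments.username#"
                password="#arguments.password#" start="#arguments.userDn#"
                scope="base" attributes="dn">
        <cfreturn ok>
        <cfcatch type="any">
            <cfreturn classifyAdBindError(cfcatch.message & " " & cfcatch.detail)>
        </cfcatch>
    </cftry>
</cffunction>

<cfscript>
// Offline demo. The first message is the one quoted in the question; the other
// two are constructed from it by swapping the data code.
pageMsg = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0 ]";
samples = [pageMsg, replace(pageMsg, "data 52e", "data 532"), replace(pageMsg, "data 52e", "data 773")];
for (msg in samples) { writeDump(classifyAdBindError(msg)); }
</cfscript>
```

Record the sub-code in the server-side log and show the user a generic failure message, so the login form does not reveal which accounts exist or are in a forced-change state.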