For some time I have been trying to change a password via cfldap. The connection is made over SSL and port 636 (cfssl_basic), tested within logins. I tried the following version of code:
<cfset password_new_retyp=charsetEncode(charsetDecode('"'&password_new_retyp&'"','UTF-16LE'),'UTF-8')> <!--- encoded, decoded password --->
dn="#session.dn_addres#" --- I query this on login
server="xxxx.xxxx.xxx.xx" --- name of the server that I use on login
secure = "cfssl_basic"
username="#session.username#" --- username that is used on login
password="#password_old#"> ---- password before changing
and the error is something like this:
An error has occured while trying to execute query :[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0 ].
I also tried this method without encoding the password:
secure = "cfssl_basic"
and the error is the same:
An error has occured while trying to execute query :[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: AcceptSecurityContext error, data 52e, v23f0 ]. One or more of the required attributes may be missing or incorrect or you do not have permissions to execute this operation on the server.
Both of those errors are actually for "invalid credentials" (see IBM: Data codes related to 'LDAP: error code 49' with Microsoft Active Directory).
My guess is that the account you are trying to change the password for is flagged as "password expired" or "must change password". In that case, you won't be able to use the same login to change the password. The workaround would be to use an administrative login that has rights to change user passwords. You'll also want to make sure the user's "current" password is valid by trying a <cfldap> prior to changing the password, looking for a successful connection or the "change password" error codes, "data 532" or "data 773".
Another issue I think you'll have with your first example is the encoding of the new password. From what I have read, it needs to be UTF-16LE (which you are doing) but then Base64 encoded.
<cfset password_new_retyp = BinaryEncode(CharsetDecode('"#password_new_retyp#"','UTF-16LE'),'Base64') />
To be honest, I haven't gotten this to work myself, getting a WILL_NOT_PERFORM error. I think I need to use ColdFusion 11's new `useTLS` option for <cfldap>, but I don't have it installed anywhere just yet. I currently use .NET to change a user's password. It works but I feel the <cfldap> approach would be better. I've also seen other suggestions to use command line tools using <cfexecute>.
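Added example, not part of the original posts and written in Python rather than CFML: a triage helper that pulls the "data" sub-code out of an Active Directory error 49 string like the ones quoted in this thread, and a helper that builds the quoted UTF-16LE password value discussed above, returning both the raw bytes and the Base64 text form. The function names and the sub-code table layout are assumptions made for this example; the sample password is constructed.

```python
import base64
import re

# Sub-codes Active Directory puts in the "data" field of an LDAP error 49
# bind failure. The values are Win32 error numbers written in hex.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}
# Sub-codes meaning the old password was accepted but must be changed.
MUST_CHANGE = {"532", "773"}

_DATA_RE = re.compile(r"error code 49\b.*?\bdata\s+([0-9a-fA-F]+)", re.S)


def classify_bind_error(message):
    """Return (subcode, meaning, must_change) for an AD error-49 string,
    or None when the message is not an error 49 with a data field."""
    m = _DATA_RE.search(message)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code"), code in MUST_CHANGE


def unicode_pwd(new_password):
    """Return the password wrapped in double quotes and encoded as
    UTF-16LE, as raw bytes and as Base64 text of those bytes."""
    raw = ('"' + new_password + '"').encode("utf-16-le")
    return raw, base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    # Error text as quoted in the question above.
    err = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903C5, comment: "
           "AcceptSecurityContext error, data 52e, v23f0 ]")
    print(classify_bind_error(err))
    # Constructed sample password, for illustration only.
    print(unicode_pwd("N3w-Pass!"))
```

A pre-check bind that comes back with `must_change` set means the old password was correct, so the change has to be made under a different, privileged login, as the answer above suggests.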