Quick and cheerful reminder –if you want to perform a password set operation in LDP there’s two main ways of doing it:
- You can supply a string value to userPassword (providing the domain functional level is Windows Server 2003 or later); or
- You can supply a UTF-16 encoded Unicode string containing the password surrounded by quotation marks, which has been BER-encoded as an octet string (per the Object(Replica-Link) syntax).
The latter is obviously not exactly straightforward, but LDP provides a nice syntax to make this easy: prefix the password with backslash UNI colon, then enter the password in double quotes, like so:
Where P@$$w0rd! is obviously the password. Let me show you how that looks. Here’s the Modify dialog:
Here’s the LDP window after clicking Run:
Note that in both instances you need to be using either an SASL (LDAP_OPT_ENCRYPT = 1) or SSL/TLS protected connection.
In the case of the above I just open LDP, press Ctrl + B and <Enter> –which performs a SASL bind (those of you with good eyes will note that in the screenshot I’ve actually connected then cleared the screen before binding as bind calls ldap_connect if there isn’t a connection –I did this to make the output neat). Then I click Browse, Modify and enter the details. A password Set is a replace operation.
The purpose of this post is to remind myself and others of the \UNI:”Password” syntax for writing to unicodePwd. For more information on userPassword see this article. For more information on unicodePwd see this article.