computer account change password with Windows 2008 domain
Russ Allbery
rra at stanford.edu
Wed Jan 7 15:03:32 EST 2009
"Michael B Allen" <ioplex at gmail.com> writes:
> Do you know if works when SASL confidentiality is used instead of TLS?
It does not. Microsoft's LDAP implementation requires TLS in order to
view or change the password attribute. I don't know of any technical
reason why SASL confidentiality wouldn't be sufficient (provided the
negotiated strength were high enough), but their implementation doesn't
appear to support this.
> Is there any method that works at all?
> I'm sure a lot of people would like know exactly what privacy
> establishment methods allow you to set unicodePwd over LDAP.
Under Windows 2008, so far as I can determine, the only supported way to
set unicodePwd over LDAP is to use password binds with TLS. I don't
believe this is intentional -- Microsoft acknowledges that it's a bug
rather than a design intention -- but as long as the bug is present, it
amounts to the same thing.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the Kerberos
mailing list