Printout Header
LEX RSS Feed

LEX Online Manual Content

Set Password

Menu options: Reset Password

This option is only available if you selected one single account object in the object list in the LEX main window. Objects with the following structural object classes are regarded as account objects:

  • inetorgPerson
  • user
  • computer
  • posixAccount

The option is disabled for eDirectory environments, LEX cannot reset eDirectory user passwords (yet). If you see the Edit - Set Password option only disabled and grey, then this could be also because your focus lays on the attribute list panel or you didn't selected a single object in the object list.

If you use this option, the Reset Password dialog is shown so that you can set the account password for the regarding Directory objects. Naturally, though, you cannot change any passwords if you do not have the appropriate permission to do that.


Resetting Passwords for Active Directory Objects


This is the Reset Password dialog if you are connected to an Active Directory server (AD Domain Controller, ADAM server or AD LDS server):

Reset Password dialog for AD servers

The password set by writing the unicodePwd attribute. In this operation the password is converted to a Base64 encoded unicode string internally befor LEX writes the value to the directory. Please note that you need the AD Control Access permission 'Reset Password' for this.

The unicodePwd attribute can be written only if you are connected through a SSL encrypted LDAP connection. This restriction can be abolished only in ADAM / AD LDS environments if you are changing the dsHeuristics value in the configuration partition. You can also use the dsHeuristics to enable password changing by accessing the userPassword attribute, in this case you don't have to Base64 encode the pasword value first.


Resetting Passwords in other environments


This is the Reset Password dialog if you are connected to any other LDAP server than an Active Directory server (for example, if you are connected to an OpenLDAP server):

Reset Password dialog for LDAP servers

Passwords should never be stored in an attribute in clear text - in fact, most generic LDAP directories store an hash value of the password - in other words, a kind of encryption. Normally it should prevent any user who can read this value to re-calculate the original password, but it allows to check a password entered by the user in an authentication process.

Depending on the directory server, several different hash algorithms could be used. According to RFC 2307, the syntax of the hash value has to be '{HashAlgorithm}Hashvalue'. Only a few hash algorithms are used without indicating the algorithm name in curly brackets.

The LEX Reset Password dialog can calculate hash values for you, if you want to set a new password for an object. you just have to enter the password in the New password text box. When you re-enter the same password in the Confirm password text box, the regarding hash value is calculated and shown in the Password value box.


Please note that not all of these algorithms are supported by all LDAP servers. If you use an algorithm which indicated in the hash value, you can use the In Uppercase option to choose how the algorithm label should be inserted. Oddly enough, some LDAP server enforces the label to be upper case, although the RFC document specify this to be in lower case.

  • Plain Text: Obviously, this is not an hash algorithms. In fact, the password value will be shown and written in clear text. Many modern LDAP servers will convert a written clear text password automatically in a hash value when the store the attribute in the directory database.

  • CRYPT: This is the Unix Crypt hash algorithm, based on DES (Data Encryption Standard) with a 2 byte salt. Because DES was defined already in 1973, this algorithm is considered not to be the strongest.

  • MD5: The MD5 algorithm is a hash function with a 128 bit hash value. It was defined 1992 in the RFC 1321. MD5 is widely considered cryptographically broken and unsuitable for further use. There are many web sites where you can perform a rainbow table attack against an MD5 value in seconds - so you should not use this algorithm any more.

  • SMD5: This is the salted version of the MD5 hash algorithm, so this is more secure than a pure MD5.

  • SHA: This is the SHA-1 algorithm. SHA stands for Secure Hash Algorithm. It generates hash values 160 bit hash values. The modern SHA-2 algorithms (see below) are stronger, but the SHA-1 is more widely supported by LDAP servers.

  • SSHA: This is the salted version of the SHA hash algorithm, so this is more secure than a pure SHA.

  • SHA-256: This is the SHA-2 algorithm with a hash value length of 256 bit. SHA stands for Secure Hash Algorithm. The longer the hash value, the saver the algorithm - but it has to be supported by the regarding LDAP server also....

  • SSHA-256: This is the salted version of the SHA-256 hash algorithm, so this is more secure than a pure SHA-256.

  • SHA-384: This is the SHA-2 algorithm with a hash value length of 384 bit. SHA stands for Secure Hash Algorithm. The longer the hash value, the saver the algorithm - but it has to be supported by the regarding LDAP server also....

  • SSHA-384: This is the salted version of the SHA-384 hash algorithm, so this is more secure than a pure SHA-384.

  • SHA-512: This is the SHA-2 algorithm with a hash value length of 512 bit. SHA stands for Secure Hash Algorithm. The longer the hash value, the saver the algorithm - but it has to be supported by the regarding LDAP server also....

  • SSHA-512: This is the salted version of the SHA-512 hash algorithm, so this is more secure than a pure SHA-512.

  • Samba LM: This is the Microsoft Lan Manager hash algorithm which is used in the Samba specific attributes sambaLMPassword, lmPassword, sambaNTPassword and ntPassword. It is an DES (Data Encryption Standard) based algorithm, the hash value is a string which represents the hexadecimal hash value. Be aware that this algorithm can be easily cracked with different methods, so it's recommended to use the more modern Samba NTLM instead (if the regarding server supports it).

  • Samba NTLM: This is the Microsoft Windows NT Lan Manager hash algorithm which is used in the Samba specific attributes sambaLMPassword, lmPassword, sambaNTPassword and ntPassword. It is based on an MD4, the hash value is a string which represents the hexadecimal hash value.

You can read more about salted password hash algorithms in the manual topic Editor for Password Attributes.

Tweet