Hello there,
I hope that I am posting in the right section here, please advise if I posted wrong.
I currently try to change passwords in our Active Directory Envoirenment via LDAP on Linux since the users in question do not have access to a windows-machine and we want to keep it that way.
In order to change the password I am currently stuck figuring out how to use ldapmodify to do so. After a lot of reading on different sites/forums/newsgroups I am much more confused than before 
However:
I try the following command to do so:
ldapmodify -f ldif.example -H ldaps://lab01-dc01.example.com -D 'CN=test,CN=users,DC=lab01,DC=example,DC=com' -x -W
The contents of the ldif.example:
dn: CN=test,CN=Users,DC=lab01,DC=example,DC=com
changetype: modify
delete: unicodePwd
unicodePwd:: V3VQdXV1STEyLg==
-
add: unicodePwd
unicodePwd:: QmxhVVVraTEyLg==
-
(Don't worry - those passwords are not used anywhere and it is not a production envoirenment)
Now - every time I execute the command I get the following error:
modifying entry CN=test,CN=Users,DC=lab01,DC=example,DC=com"
ldapmodify: Constraint violation (19)
additional info: 0000216C: AtrErr: DSID-03190EB0, #1:
0: 0000216C: DSID-03190EB0, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
Now, after what I read the reason for this error is either that the password is badly formatted or that the password policy doesn't allow the password I used. I checked the policy - multiple times now - and the new password definetly complies to the policy by all the criteria. If I set the password using a Windows-machine it also works well (of course I changed the "oldpassword" and "newpassword" afterwards since I am not allowed by the policy to change to an earlier password). The password I enter after passing the "-W" option to ldapmodify is also definetly right, otherwise the error spit out by ldapmodify is that I used invalid credentials instead of a constraint violation.
So - the sole reason I can think of is indeed a bad formatted password - but I can't figure out where the bad formatting should come from since I use the normal base64 algorythm to encode the password.
Has anyone an idea what is going on?
Can anyone push me in the right direction?
Help is very appreciated and I thank you in advance.
---------- Post updated 03-04-12 at 04:40 PM ---------- Previous update was 02-04-12 at 06:33 PM ----------
For future reference, if anyone should encounter similiar problems:
The simple solution? Just use smbpasswd instead of ldap to change the password - that works flawless! I am really grumped that I didn't think of it before 
However - the way to change your password in the active directory using samba (using CentOS):
~#yum install samba
~#smbpasswd -r domaincontroller.example.com -U testuser1
Old SMB password:
New SMB password:
Retype new SMB password:
Password changed for user testuser1 on domaincontroller.example.com
And then you can login using the new password. Easy as that, really. This is considered as solved for me.