Softerra LDAP Administrator HelpShow AllHide All

Editing Attribute Values

An LDAP entry is composed of a variety of LDAP attributes defined by the Schema. LDAP Administrator provides tools required to perform all sorts of operations with attributes, including editing existing values as well as adding new ones.

An LDAP schema marks all LDAP attributes as either single-valued or multi-valued. Multi-valued attributes may contain more than one value.

To add a value to an existing attribute: 

  1. Select an attribute, to which you'd like to add a value.

  2. Click New on the Standard toolbar or select the same command from the context menu.

If an attribute is not marked by the Schema as a no-user-modification attribute, you can edit its values.

To edit an existing attribute value: 

  1. Select an attribute value you'd like to edit.

  2. Click Modify Value on the Standard toolbar.

    Note: For binary attributes, you can load data from file by clicking the button.

To add a new attribute: 

  1. Select entries you'd like to add a new attribute to.

  2. Click Add/Modify Attribute on the Entry toolbar or select the same command from the context menu to launch the Add/Modify Attribute Wizard.

Learn more about Add/Modify Attribute Wizard.

To edit, remove or add several attributes: 

  1. Select entries, the attributes of which you'd like to edit.

  2. Click Multiple Modifications on the Entry toolbar or select the same command from the context menu to launch the Multiple Modifications wizard.

Learn more about the Multiple Modifications wizard.

Besides, all LDAP attributes have their own type and syntax describing what kind of data an attribute value may contain. For the purposes of modifying well-known attributes, attribute types and syntaxes, LDAP Administrator provides a number of editors particularly associated with each of those types.

If a text attribute is displayed as binary or vice-versa, you can explicitly specify how to handle it: as binary or text. If you'd like LDAP Administrator to handle the attribute in specific way, check the Override the default attribute recognition box in the Advanced tab of attribute's properties.

Using Binary Editor

Using the Binary Editor, you can edit binary attribute values. The editor also allows you to view, copy and load data in the base64 format. To switch between the Hex and Base64 modes, use the HEX Mode and Base 64 Mode buttons.

To load value data from file, click the Load Data button to display the Load Binary Data dialog. Use it to load data in both binary and base64 formats. Choose the format of your data storage from the Load Data Format section.

Using Password Editors

With Password Editor, you can edit those LDAP attribute values, which are used to store passwords. To date, there exist several commonly used, yet different password schemas, some of them supported by LDAP Administrator. These are:

userPassword Attribute

The definition, syntax and semantics of the userPassword attribute, which is provided for both open (plain) and encrypted passwords, are all set forth in RFC2307*.

For encrypted userPassword values, the application supports the following algorithms:

  • SHA SHA-1 based hash;

  • SSHA Salted SHA-1 based hash;

  • MD5 MD5 based hash;

  • SMD5 Salted MD5 based hash;

  • MD4 MD4 based hash;

  • SMD4 Salted MD4 based hash;

  • Crypt (DES) Unix hash based on DES.

Despite the fact that some LDAP servers encrypt passwords automatically when updating an entry with an open password, it is recommended that you encrypt those before sending them to a server. In order to encrypt a password being edited via the Password Editor, check the Use an encrypted password box.

In case your server supports other hash functions not included in the above list, or if you wish to set a password having just its hash, check the Edit hash manually box to be able to input hash into the Hash box.

While RFC2307 defines hash prefixes in lower case, there are some buggy LDAP servers that only work properly with uppercased prefixes. In case you have problems authenticating to your server after you changed the password, try the Uppercase the hash scheme checkbox.

Finally, the Password Editor also allows you to verify whether an open password corresponds to its encrypted version. To do it, just press the Verify button to launch the Password Verifier.

lmPassword, ntPassword, sambaLMPassword and sambaNTPassword Attributes

The following password attributes are defined and used by the Samba* project: lmPassword, ntPassword, sambaLMPassword and sambaNTPassword. Values of the above attributes are used to hold passwords encrypted with either the LANMAN or WinNT hash algorithms. LANMAN is a DES based hash originally developed for the LanManager server product. The WinNT hash is an RC4 based hash used by the Windows NT operating system.

The way Password Editor is used for these attributes is similar to how the userPassword attribute is edited, the only difference being that the password here is always hashed, the hash algorithm - pre-defined and can't be changed.

unicodePwd Attribute

unicodePwd is an attribute used by the Microsoft Active Directory server. The distinction of this attribute lies in an impossibility to read its values - the server only allows inserting or replacing those.

Due to this unicodePwd’s distinction, LDAP Administrator offers a special editor to reset passwords on Active Directory servers.

The unicodePwd password editor works in two modes:

  • Set password. This mode is used to set a password for an entry that does not contain one yet. To set a password, specify it in the New Password box, then re-enter it in the Confirm Password box and press OK.

  • Reset password. This mode is used to reset an existing password, that is if you don’t have enough permissions to set it directly as a new one. In other words, there should already be a password to reset. If that's the case, check the Change Password option and enter the current password in the Old Password box.

Active Directory requires that you must be connected via a strong, 128-bit SSL authentication to be able to set or reset passwords. In case of a weaker authentication, the server will reject your password modification request. For more details, please consult the Q269190* knowledge base article.

Using Flag Set Editor

The Flag Set editor provides for managing attributes used to store combinations of flags or to keep values from an enumeration of those. This kind of attributes are widely used by the Active Directory server.

When it comes to editing sets of flags, each of them is displayed separately next to a check-box indicating whether or not the flag is present. Enumerated and mutually exclusive values are displayed as a set radio-buttons each corresponding to a specific value from a range of available values. You can edit an attribute value either using radio-buttons and comboboxes provided or, alternatively, by simply entering the required value directly into the Value edit box.

Currently LDAP Administrator Flag Set editor can handle the following Active Directory attributes:

  • groupType

  • systemFlags

  • searchFlags

  • instanceType

  • userAccountControl

  • sAMAccountType

  • objectClassCategory

See Also