Yuri Pelz Gossmann

Reputation: 51

Correct encoding for unicodePwd in Active Directory

Putting it shortly, what is the right character encoding for the unicodePwd attribute in Active Directory? UCS-2? UTF-16? Is there any reason to choose UTF-16 over UCS-2?

Now, explaining a bit:

I was having trouble setting the unicodePwd attribute in Active Directory using PHP's ldap_mod_replace(), until I (sort of) found out the right format for it, which is enclosed in double quotes and encoded in UCS-2/UTF-16 Little Endian (and also base64 encoded, in the case of putting it in an LDIF file).

While the underlying problem was solved, I could not get my head around the fact I kept seeing both encodings being mentioned as correct around the internet.

I am being very pedantic here, but is anyone able to point out the right character encoding?

Upvotes: 2

Views: 3063

Answers (2)

Robert Rossmann

Reputation: 12129

The correct character encoding is UTF-16LE. Additionally, the password must be enclosed in double quotation marks. I am not sure where the UCS-2 encoding was mentioned; I have never seen it personally.

Example

User's password: test
Quoted password: "test"
UTF-16LE representation:

0x22 0x00  "
0x74 0x00  t
0x65 0x00  e
0x73 0x00  s
0x74 0x00  t
0x22 0x00  "

Further details may be found on MSDN.

Upvotes: 1

Yuri Pelz Gossmann

Reputation: 51

tl;dr Use UTF-16LE instead of UCS-2LE

Answering my own question: All I had to do was try to set a password in UTF-16 containing a 4-byte character, intending to see whether such a character would be correctly recognized and accepted in a password when trying to log on.

In order to do so, I put in the middle of an ordinary password a rather strange (to me) Japanese character, tried to set the password and looked at the reaction.

Turns out, it did accept the ldap_mod_replace() call with the awkward password. Not only that, it accepted when I tried to log on using the password I had just set with the Japanese character in the middle.

In conclusion, (if I am not mistaken) this goes to show that Active Directory's unicodePwd attribute not only accepts UTF-16 characters otherwise not present in UCS-2, it also behaves as it should when a password contains a 4-byte character.

Upvotes: 1
