LEX Online Manual Content

Set Password

Menu options: Reset Password

This option is only available if exactly one account object is selected in the object list of the LEX main window. Objects with one of the following structural object classes are regarded as account objects:

  • inetOrgPerson
  • user
  • computer
  • posixAccount

The option is disabled for eDirectory environments: LEX cannot reset eDirectory user passwords (yet). If the Edit - Set Password option is greyed out in another environment, this is usually because the focus is on the attribute list panel rather than on the object list, or because not exactly one object is selected in the object list.

If you use this option, the Reset Password dialog is shown so that you can set the account password for the selected directory object. Naturally, you cannot change a password if you do not have the appropriate permission to do so.


Resetting Passwords for Active Directory Objects


This is the Reset Password dialog if you are connected to an Active Directory server (AD Domain Controller, ADAM server or AD LDS server):

Reset Password dialog for AD servers

The password is set by writing the unicodePwd attribute. Active Directory expects the value as the new password enclosed in double quotes and encoded as UTF-16 (little endian); LEX performs this conversion internally before writing the value to the directory (in LDIF the resulting octet string is written Base64 encoded). Please note that you need the Active Directory control access right 'Reset Password' on the object for this.

The unicodePwd attribute can be written only over an SSL/TLS encrypted LDAP connection (LDAPS or StartTLS); over a plain connection the server refuses the modification. This restriction can be lifted only in ADAM / AD LDS environments, by changing the dsHeuristics value in the configuration partition; Active Directory domain controllers always enforce it. You can also use dsHeuristics to enable password changes through the userPassword attribute (the fUserPwdSupport flag, the 9th character of dsHeuristics). In that case the password value is written as plain text, without the quoting and UTF-16 encoding required for unicodePwd, but still only over an encrypted connection.
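The following Python script is an added example and not LEX's own code: it shows the encoding that is applied to unicodePwd and the two LDIF modify shapes that Active Directory accepts for it, an administrative reset (replace) and a user self-change (delete old value, add new value). The distinguished names and host name are placeholders, and the userPassword variant assumes the fUserPwdSupport flag is enabled as described above.

```python
import base64


def unicodepwd_value(password: str) -> bytes:
    """Octet string Active Directory expects in unicodePwd: the new password
    enclosed in double quotes and encoded as UTF-16LE without a BOM.
    Omitting the quotes or sending UTF-8 makes the server reject the write."""
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicodepwd(value: bytes) -> str:
    """Inverse of unicodepwd_value with a sanity check on the quoting,
    useful for inspecting a value before it is written."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value must be enclosed in double quotes")
    return text[1:-1]


def reset_password_ldif(dn: str, password: str) -> str:
    """Administrative reset: a single 'replace' on unicodePwd. This is the
    operation that needs the 'Reset Password' control access right; it does
    not require the old password and bypasses minimum-age/history checks.
    LDIF marks Base64 encoded values with '::'."""
    b64 = base64.b64encode(unicodepwd_value(password)).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {b64}",
        "-",
        "",
    ])


def change_password_ldif(dn: str, old_password: str, new_password: str) -> str:
    """User self-change: delete the old value and add the new one in a single
    modify. The server verifies the old password, so only the 'Change
    Password' right is needed and the password policy is fully enforced."""
    old_b64 = base64.b64encode(unicodepwd_value(old_password)).decode("ascii")
    new_b64 = base64.b64encode(unicodepwd_value(new_password)).decode("ascii")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {old_b64}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {new_b64}",
        "-",
        "",
    ])


def reset_userpassword_ldif(dn: str, password: str) -> str:
    """Variant for the userPassword route (fUserPwdSupport enabled, assumption):
    the plain password is written, no quotes and no UTF-16 encoding.
    Use 'userPassword::' with Base64 if the password contains non-ASCII
    characters or leading/trailing spaces, as LDIF requires."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {password}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Placeholder DN; "newPassword" is a constructed sample value.
    target = "CN=Jane Doe,OU=Users,DC=example,DC=com"
    print(reset_password_ldif(target, "newPassword"))
    print(change_password_ldif(target, "oldPassword", "newPassword"))
    print(reset_userpassword_ldif(target, "newPassword"))
```

The generated LDIF can be applied with ldapmodify over an encrypted connection, for example `ldapmodify -H ldaps://dc01.example.com -x -D "CN=admin,CN=Users,DC=example,DC=com" -W -f reset.ldif` (host and bind DN are placeholders); the same file sent over ldap:// without StartTLS is rejected by a domain controller.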


Resetting Passwords in other environments


This is the Reset Password dialog if you are connected to an LDAP server other than Active Directory (for example, an OpenLDAP server):

Reset Password dialog for LDAP servers

Passwords should never be stored in an attribute in clear text. In fact, most generic LDAP directories store a hash value of the password instead. A hash is a one-way function: a user who can read the stored value should not be able to recover the original password from it, but the server can still check a password entered during authentication by hashing it and comparing the result with the stored value.

Depending on the directory server, several different hash algorithms can be used. According to RFC 2307, the syntax of the stored value is '{HashAlgorithm}Hashvalue'; in OpenLDAP and most other servers the hash value is the Base64 encoding of the digest, with the salt appended to the digest for the salted schemes. Only a few hash formats are used without the algorithm name in curly brackets.

The LEX Reset Password dialog calculates the hash value for you when you set a new password for an object: enter the password in the New password text box, and when you re-enter the same password in the Confirm password text box, the corresponding hash value is calculated and shown in the Password value box.


Please note that not all of these algorithms are supported by all LDAP servers. If you use an algorithm whose name is indicated in the hash value, you can use the In Uppercase option to choose whether the algorithm label is inserted in upper or lower case. Oddly enough, some LDAP servers require the label to be in upper case, although the RFC document shows it in lower case.

  • Plain Text: Obviously, this is not a hash algorithm: the password value is shown and written in clear text. Many modern LDAP servers convert a clear text password written this way into a hash value when they store the attribute in the directory database, but do not rely on it. On OpenLDAP, for example, a plain LDAP modify of userPassword stores exactly what you write unless the ppolicy overlay is configured to hash clear text values; server-side hashing applies by default only to the Password Modify extended operation. Read the attribute back after writing to verify what was stored.

  • CRYPT: This is the traditional Unix crypt(3) hash algorithm, based on DES (Data Encryption Standard) with a 12 bit salt (two characters). DES was standardised in 1977, and traditional DES crypt additionally truncates the password to 8 characters, so this variant is considered weak. Servers that map {CRYPT} to the system crypt(3) may produce stronger variants (for example sha512-crypt) depending on the configured salt format, so check which one your server actually generates.

  • MD5: The MD5 algorithm is a hash function with a 128 bit hash value. It was defined in 1992 in RFC 1321. MD5 is widely considered cryptographically broken and unsuitable for further use. There are many web sites where an unsalted MD5 value of a common password can be looked up in precomputed (rainbow) tables within seconds, so you should not use this algorithm any more.

  • SMD5: This is the salted version of the MD5 hash algorithm, so it is more secure than pure MD5: the salt defeats precomputed tables, although MD5 itself remains very fast to brute force.

  • SHA: This is the SHA-1 algorithm. SHA stands for Secure Hash Algorithm. It generates 160 bit hash values. The SHA-2 algorithms (see below) are stronger, and SHA-1 is no longer recommended for new deployments, but it is the most widely supported scheme among LDAP servers.

  • SSHA: This is the salted version of the SHA hash algorithm, so it is more secure than pure SHA.

  • SHA-256: This is the SHA-2 algorithm with a hash value length of 256 bit. A longer hash value makes the algorithm itself stronger, but it has to be supported by the LDAP server in question. Note that all of the SHA-2 schemes are still fast, unsalted hashes: a longer digest does not make guessing a weak password harder, so prefer the salted variants where the server supports them.

  • SSHA-256: This is the salted version of the SHA-256 hash algorithm, so it is more secure than pure SHA-256.

  • SHA-384: This is the SHA-2 algorithm with a hash value length of 384 bit. It has to be supported by the LDAP server in question.

  • SSHA-384: This is the salted version of the SHA-384 hash algorithm, so it is more secure than pure SHA-384.

  • SHA-512: This is the SHA-2 algorithm with a hash value length of 512 bit. It has to be supported by the LDAP server in question.

  • SSHA-512: This is the salted version of the SHA-512 hash algorithm, so it is more secure than pure SHA-512.

  • Samba LM: This is the Microsoft LAN Manager hash algorithm, used in the Samba specific attributes sambaLMPassword and lmPassword. The password is converted to upper case, truncated or padded to 14 characters and split into two 7 byte halves, each of which is used as a DES (Data Encryption Standard) key to encrypt a fixed constant; the hash value is a string representing the 16 byte result in hexadecimal. Because of the upper-casing and the two independently crackable halves, LM hashes can be recovered in minutes with readily available tools, so it's recommended to use the more modern Samba NTLM hash instead (if the server supports it) and, where possible, not to store an LM hash at all.

  • Samba NTLM: This is the Microsoft Windows NT hash algorithm (commonly called the NTLM hash), used in the Samba specific attributes sambaNTPassword and ntPassword. It is the MD4 digest of the UTF-16 (little endian) encoded password, represented as a hexadecimal string. It is unsalted and fast to compute, and anyone who can read the stored value can authenticate with it directly (pass-the-hash), so read access to these attributes must be restricted as strictly as access to the password itself.
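The following Python script is an added example, not LEX code, and shows what the dialog does for the SHA and MD5 based schemes above: it builds '{scheme}' values with the salt appended to the digest, parses them back regardless of label case, and verifies a candidate password against a stored value. The scheme labels follow OpenLDAP's spelling ({SSHA256} rather than SSHA-256), which is an assumption since labels differ between servers. {CRYPT} is left out because it depends on the platform's crypt(3); the Samba NT hash is included for the hexadecimal MD4 format, with the caveat that MD4 may be unavailable in a Python build linked against OpenSSL 3 without the legacy provider.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Scheme label -> (hashlib algorithm name, salted?). Labels use OpenLDAP's
# spelling ({SSHA256}, not {SSHA-256}); assumption, other servers may differ.
SCHEMES = {
    "MD5": ("md5", False),       "SMD5": ("md5", True),
    "SHA": ("sha1", False),      "SSHA": ("sha1", True),
    "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
    "SHA384": ("sha384", False), "SSHA384": ("sha384", True),
    "SHA512": ("sha512", False), "SSHA512": ("sha512", True),
}


def make_hash(password: str, scheme: str = "SSHA512",
              salt: Optional[bytes] = None, uppercase_label: bool = True) -> str:
    """Build a '{SCHEME}base64' userPassword value.

    Salted schemes hash password||salt and append the raw salt to the digest
    before Base64 encoding (the layout OpenLDAP uses for {SSHA*}/{SMD5}), so a
    verifier can recover the salt from the stored value. A fresh random salt
    is drawn when none is supplied.
    """
    scheme = scheme.upper()
    algo, salted = SCHEMES[scheme]
    if not salted:
        salt = b""
    elif salt is None:
        salt = os.urandom(8)
    digest = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    label = scheme if uppercase_label else scheme.lower()
    return "{" + label + "}" + base64.b64encode(digest + salt).decode("ascii")


def parse(stored: str) -> Tuple[Optional[str], bytes]:
    """Split '{scheme}data' into (SCHEME, decoded bytes).

    The label is matched case-insensitively, since servers disagree on case.
    A value without a label is returned as (None, raw bytes) and treated as
    clear text by verify().
    """
    if stored.startswith("{") and "}" in stored:
        label, _, data = stored[1:].partition("}")
        return label.upper(), base64.b64decode(data)
    return None, stored.encode("utf-8")


def verify(stored: str, password: str) -> bool:
    """Check a candidate password against a stored userPassword value."""
    label, data = parse(stored)
    candidate = password.encode("utf-8")
    if label is None:                        # clear text (discouraged)
        return hmac.compare_digest(data, candidate)
    if label not in SCHEMES:
        raise ValueError("unsupported password scheme: " + label)
    algo, salted = SCHEMES[label]
    size = hashlib.new(algo).digest_size
    digest, salt = data[:size], (data[size:] if salted else b"")
    expected = hashlib.new(algo, candidate + salt).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(expected, digest)


def nt_hash(password: str) -> str:
    """sambaNTPassword value: upper-case hex MD4 over the UTF-16LE password.

    Unsalted and fast, so it is only as strong as the password, and a copy of
    it is directly usable in pass-the-hash attacks. MD4 is a legacy algorithm;
    OpenSSL 3 based Python builds may refuse it, hence the explicit error.
    """
    try:
        md4 = hashlib.new("md4")
    except ValueError as exc:
        raise RuntimeError("MD4 is not available in this Python build") from exc
    md4.update(password.encode("utf-16-le"))
    return md4.hexdigest().upper()


if __name__ == "__main__":
    # "secret" is a constructed sample password, not a real credential.
    for scheme in ("SHA", "SSHA", "SMD5", "SSHA512"):
        value = make_hash("secret", scheme)
        print(scheme, value, verify(value, "secret"), verify(value, "Secret"))
```

Writing the generated value into userPassword is then an ordinary LDAP modify of that attribute; the unsalted {SHA} and {MD5} branches are included only so that values produced by older servers can still be verified, and new passwords should be written with one of the salted schemes.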

You can read more about salted password hash algorithms in the manual topic Editor for Password Attributes.