Push user password to Active Directory

This topic has 5 replies, 4 voices, and was last updated 5 years, 11 months ago by migault1990.



    We have configured LDAP connector for connecting to AD.
    We are able to sync users from OpenIDM to AD without passwords.
    However, we wish to create/update users in AD with their OpenIDM passwords.

    Any pointers to achieve this would be very helpful.

    We have written a script that converts the user’s password in OpenIDM to unicode format
    and then maps it to the AD unicodePwd attribute.

    But we are getting the error “LDAP operation not supported”.

    Kindly help.


    You should use the standard password attribute. Do not set up unicodePwd manually. The connector is able to do that for you.

    In provisioner config you should have something similar to this:

        "passwordAttribute" : "unicodePwd",
        "passwordHashAlgorithm" : "WIN-AD",
                    "password" : {
                        "type" : "string",
                        "nativeName" : "__PASSWORD__",
                        "nativeType" : "JAVA_TYPE_GUARDEDSTRING",
                        "flags" : [

    Thanks Pavel. It works now!


    Hi –

    What’s your script to convert the OpenIDM password in unicode format?

    Additionally, you’re probably decrypting the password in OpenIDM as well. Am I correct?

    We’re trying to achieve the same thing here and any help would be useful :)



    In the AD LDAP connector provisioner file, under the account properties, we added an attribute “adPassword” to push the password into AD.

    "adPassword" : {
    "type" : "string",
    "nativeName" : "__PASSWORD__",
    "nativeType" : "JAVA_TYPE_GUARDEDSTRING",
    "flags" : [

    Also, in our sync mapping from IDM to AD, we have the below mapping:

    "target" : "adPassword",
    "source" : "password"

    The “password” attribute is an encrypted attribute in our IDM setup, and we didn’t need to decrypt it in our code to push it to AD.
    Also please ensure that you are connecting to AD over LDAPS connection for pushing passwords.



    Hey –

    We actually fixed it yesterday after sending that message.

    Lessons Learned :

    – LDAPS is required
    – unicodePwd is the password attribute in AD
    – You don’t need to decrypt or encode the password value.
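The configuration the thread converges on (standard `__PASSWORD__` property, `passwordAttribute` set to `unicodePwd`, `passwordHashAlgorithm` set to `WIN-AD`, LDAPS only, no manual encoding), as an added example that is not part of the original posts and not ForgeRock code. The `check_password_push` function flags a provisioner/mapping pair that breaks any of those rules, and `encode_unicode_pwd` shows what the connector does for you under `WIN-AD`: Active Directory only accepts `unicodePwd` as the cleartext password wrapped in double quotes and encoded as UTF-16LE, and only over an encrypted connection. The `host`, `port` and `ssl` keys, the sample hostname and the flags on the password property are assumptions, as are the constructed sample configurations; the only keys quoted from the thread are the ones the posters showed.

```python
"""Added example (not ForgeRock's code): a checker for the OpenIDM LDAP
connector settings the thread arrives at for pushing passwords to AD, plus
the unicodePwd encoding the connector performs when passwordHashAlgorithm
is "WIN-AD". Configuration keys not quoted in the thread ("host", "port",
"ssl") and the flags on the password property are assumed.
"""

AD_PASSWORD_ATTR = "unicodePwd"
AD_HASH_ALGORITHM = "WIN-AD"
PASSWORD_NATIVE_NAME = "__PASSWORD__"
GUARDED_STRING = "JAVA_TYPE_GUARDEDSTRING"


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts unicodePwd only as the cleartext password wrapped in
    double quotes and encoded as UTF-16LE. "WIN-AD" makes the connector
    produce exactly this, so no mapping script has to build it by hand."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, for inspecting a captured LDAPS modify
    in a lab; rejects values that lack the surrounding quotes."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or not (text.startswith('"') and text.endswith('"')):
        raise ValueError("unicodePwd is not a double-quoted UTF-16LE string")
    return text[1:-1]


def check_password_push(provisioner: dict, mapping_properties: list) -> list:
    """Return the problems that would stop OpenIDM from setting AD passwords;
    an empty list means the setup matches the thread's working configuration."""
    problems = []
    conf = provisioner.get("configurationProperties", {})

    # AD refuses unicodePwd writes over a cleartext LDAP connection.
    if not conf.get("ssl"):
        problems.append("configurationProperties.ssl must be true (LDAPS, port 636)")
    if conf.get("passwordAttribute") != AD_PASSWORD_ATTR:
        problems.append(f"passwordAttribute must be {AD_PASSWORD_ATTR!r}")
    if conf.get("passwordHashAlgorithm") != AD_HASH_ALGORITHM:
        problems.append(f"passwordHashAlgorithm must be {AD_HASH_ALGORITHM!r}")

    props = provisioner.get("objectTypes", {}).get("account", {}).get("properties", {})
    password_props = [n for n, p in props.items() if p.get("nativeName") == PASSWORD_NATIVE_NAME]
    if not password_props:
        problems.append(f"no account property with nativeName {PASSWORD_NATIVE_NAME!r}")
    for name in password_props:
        if props[name].get("nativeType") != GUARDED_STRING:
            problems.append(f"property {name!r} should use nativeType {GUARDED_STRING!r}")
    # Mapping unicodePwd as an ordinary attribute bypasses the connector's encoding.
    if any(p.get("nativeName") == AD_PASSWORD_ATTR for p in props.values()):
        problems.append(f"do not map {AD_PASSWORD_ATTR!r} directly; use {PASSWORD_NATIVE_NAME!r}")

    # The sync mapping feeds OpenIDM's (still encrypted) "password" into that property.
    targets = {m.get("target") for m in mapping_properties if m.get("source") == "password"}
    if not targets & set(password_props):
        problems.append('sync mapping needs {"source": "password", "target": <__PASSWORD__ property>}')
    return problems


# Constructed sample: the working setup from the thread (hostname and flags assumed).
GOOD_PROVISIONER = {
    "configurationProperties": {
        "host": "dc01.example.test", "port": 636, "ssl": True,
        "passwordAttribute": "unicodePwd", "passwordHashAlgorithm": "WIN-AD",
    },
    "objectTypes": {"account": {"properties": {
        "adPassword": {
            "type": "string", "nativeName": "__PASSWORD__",
            "nativeType": "JAVA_TYPE_GUARDEDSTRING",
            "flags": ["NOT_READABLE", "NOT_RETURNED_BY_DEFAULT"],  # assumed flags
        },
    }}},
}
GOOD_MAPPING = [{"source": "password", "target": "adPassword"}]

# Constructed sample: plaintext LDAP plus a hand-mapped unicodePwd attribute.
BAD_PROVISIONER = {
    "configurationProperties": {"host": "dc01.example.test", "port": 389, "ssl": False},
    "objectTypes": {"account": {"properties": {
        "unicodePwd": {"type": "string", "nativeName": "unicodePwd", "nativeType": "JAVA_TYPE_STRING"},
    }}},
}
BAD_MAPPING = [{"source": "password", "target": "unicodePwd"}]

if __name__ == "__main__":
    print(check_password_push(GOOD_PROVISIONER, GOOD_MAPPING))
    for problem in check_password_push(BAD_PROVISIONER, BAD_MAPPING):
        print("-", problem)
    print(encode_unicode_pwd("P@ssw0rd").hex())
```

The checker only inspects the configuration and never contacts AD. Run it against your own `provisioner.openicf-*.json` and the `properties` array of the relevant `sync.json` mapping after loading them with `json.load`; the encoding helpers are there so you can recognise the value in an LDAPS capture, not so you put the encoding back into a script.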



©2022 ForgeRock