Valve for modifying a users password in Microsoft Active Directory.

This valve extends LDAPPasswordChangeValve and overrides the following behaviour(s): 

(1) Password reset (i.e. NOT change with random password) is default when current password is not known (reset: "true"). 

(2) AD specific attributes are reset before bind/change (pwdLastSet, lockoutTime) to enable user bind/modify operations. 

(3) Account is unlocked after reset if configured (unlock: "true"). 

(4) Attribute unicodePwd is default password attribute name.

The new password will be formatted as an AD password - a binary UTF-16 LE string (little-endian byte order) enclosed in double quotes (“).

Valve operates on all items in current item set.

When doing a password change, the property pwdLastSet have to exist on the item if the old password is expired.


Name Description Default value Mandatory Supports property expansion
connection_ref Id of user store connection.   Yes No
value The new password.   Yes Yes
password_attr_name Name of password attribute. unicodePwd   No
current_password_param_name Name of parameter containing the current password. If this is configured the valve will bind with the current password instead of a random password before setting the new password. No Yes
unlock Flag controlling if locked account should be unlocked during password change process. false   No

Example Configuration

  "name": "ADPasswordChangeValve",
  "config": { 
    "connection_ref": "d5c9fd4f-0e51-43d4-b1c5-b3e34b6edd4b",
    "value": "{{item.new_password}}",
    "unlock": "true"