Skip to content

feat(ldap): add set-password-auth BOF — token-based password reset via LDAPS#148

Open
0xGunrunner wants to merge 1 commit into
Adaptix-Framework:mainfrom
0xGunrunner:feat/set-password-auth
Open

feat(ldap): add set-password-auth BOF — token-based password reset via LDAPS#148
0xGunrunner wants to merge 1 commit into
Adaptix-Framework:mainfrom
0xGunrunner:feat/set-password-auth

Conversation

@0xGunrunner

Copy link
Copy Markdown

The original add-computer BOF depends on ldap_common.c via #include "ldap_common.c" which pulls in the shared helper infrastructure. In practice this caused silent failures during connection setup due to how ldap_set_option was called for LDAP_OPT_SIGN and LDAP_OPT_ENCRYPT — the original passed a pointer-to-pointer instead of a pointer to a ULONG, meaning the channel was never actually sealed. This leads to LDAP_UNWILLING_TO_PERFORM or a failed unicodePwd write since AD requires a sealed channel for password operations.

This fix rewrites add-computer as a standalone BOF with inlined LDAP types and imports, matching the same pattern used in the fixed add-rbcd. The connection setup is corrected to pass &on_val (ULONG*) for sign/seal options. Password memory is also zeroed before free on the cleanup path (memset(pw_bv->bv_val, 0, pw_bv->bv_len)) which the original skipped. Error reporting is expanded to distinguish between LDAP_CONSTRAINT_VIOLATION (password policy rejection), LDAP_UNWILLING_TO_PERFORM (unsealed channel), and LDAP_INSUFFICIENT_RIGHTS (MAQ exhausted or no CreateChild on container).

The ldap_common.h header change adds the l_timeval / LDAP_TIMEVAL struct definition which was missing, causing implicit struct warnings for any BOF that calls ldap_connect with a timeout parameter. A trailing newline is also added to the file.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant