I am using LDAPS:
$ad = Net::LDAP->new(\@ad_servers,
onerror=> 'warn',
scheme => 'ldaps',
verify => 'require',
cafile => $tls_cacertfile,
) || die 'Couldn\'t connect to Active Directory server';
I should have specified that earlier. As far as I know, that's the same
as using
$ad = Net::LDAPS->new(...)
As you mentioned, LDAP/TLS or LDAP/SSL is a requirement for password
changes on AD, even with our previous AD servers. So, if I didn't use
it, my program wouldn't have worked with the earlier AD servers, either.
Prentice
On 04/28/2011 04:00 PM, Dan Cutler wrote:
> Prentice,
>
> Try using LDAPS. The setup for this isn't terribly easy but once you've got
> the keys in place, AD seems more friendly.
>
> From my understanding AD will only let you make "security related" changes
> over secured (encrypted) connections (-Z) switch below...
>
> ie: ldapmodify -c -x -D "CN=ldap
> Admin,OU=ServiceAccounts,DC=mycompany,DC=com" -w 'supersecretpw' -f
> new_users_pw.ldif -H ldaps://dc01.mycompany.com -Z
>
> I typically write perl code to create LDIF files, then use "ldappmodify" with
> wire encryption.
>
> If I don't use encryption, AD rejects all security related changes.
>
> Hope that helps.
>
> --Dan
>
> -----Original Message-----
> From: Prentice Bisbal [mailto:[email protected]]
> Sent: Thursday, April 28, 2011 3:07 PM
> To: [email protected]
> Subject: Can't change passwd in AD 2008 R2
>
> We recently updated our Active Directory servers to 2008 R2. I had a
> perl script that would change a users password in OpenLDAP and Active
> Directory at the same time. This was working fine until the update. I
> can still change a user's password when I bind as an AD administrator,
> but not as a normal user. Has anyone else here gone through this?
>
> I know the that behavior or replacing a password is different whether
> you are an administrator or regular user changing your own password, as
> documented here:
>
> http://support.microsoft.com/?kbid=269190
>
> I wrote this code based on the above link:
>
> # AD doesn't allow non-admin users to replace their password.
> # Instead, it must be deleted and re-added. Administrators can only
> # replace a password.
> if ($username ne getlogin()) {
> $mesg = $ad->modify($ad_user_dn, replace=>{unicodePwd =>
> $newUnicodePwd} );
> } else {
> $mesg = $ad->modify($ad_user_dn, delete=>{unicodePwd =>
> $newUnicodePwd});
> $code = $mesg->code;
> if ($code != 0) {
> $mesg = $ad->modify($ad_user_dn, replace=>{unicodePwd =>
> $newUnicodePwd} );
> }
> }
>
> This worked for just fine until the upgrade to 2008 R2. Any ideas?
>
--
Prentice
