I have been scratching my head on trying to change an ActiveDirectory password via Net::LDAP for a couple of hours so I figured I would see if someone on this list can help me.

My knowledge of LDAP and ActiveDirectory is virtually zero. I am just hoping to take the example from the FAQ and fit it to my environment but I must be missing something.

One issue I am confused with is the distinguished name. I know it has to uniquely identify a record in the database but not knowing much about ActiveDirectory or LDAP I am not sure what to use. From the examples I have seen my best guess is:

$dn = 'CN=SWestbrook,DN=mycompany,DN=com';

I.e. the common name would be the Active Directory username and the DN would be the domain with each part of the domain being split. But when I try to connect with some code like this:

my $ldap = Net::LDAP->new("ldaps://$host") or die("$@");
my $mesg = $ldap->bind($dn, password => $oldPW);
die("Bind Error: ".$mesg->error_text) if $mesg->is_error;

I get the following:

Bind Error: The wrong password was supplied or the SASL credentials could not be processed

After some tweaking I found out that I can pass the userPrincipalName (email address) instead. I gave that a try and I am able to successfully log in. Now my task is to change the password. So I do the Unicode conversion on the passwords as the FAQ states:

my $charmap = Unicode::Map8->new('latin1') or die("$@");
my $oldUniPW = $charmap->tou('"'.$oldPW.'"')->byteswap()->utf16();
my $newUniPW = $charmap->tou('"'.$newPW.'"')->byteswap()->utf16();

Finally I attempt to actually change the password with the following code:

$mesg = $ldap->modify($dn, changes => [
        delete  => [ unicodePwd => $oldUniPW ],
        add     => [ unicodePwd => $newUniPW ],
]);
die("Modify Error: ".$mesg->error_text) if $mesg->is_error;

When this statement executes I get the following:

Modify Error: The server cannot find an object specified in the request

So I am guessing the reason I cannot login with the DN or change the record is that I have the wrong DN. But I am not sure what I am supposed to use.

Any help would be greatly appreciated,

Eric
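
Added example, not part of the original post: one way to get the DN that modify needs is to bind with the userPrincipalName (which the post reports working), search for the entry with that userPrincipalName, and use the DN the server returns. In Active Directory the domain components are written DC=, and the entry's CN and container depend on where the account was created, so the DN is looked up rather than guessed. The host name, UPN, environment variable names and CA bundle path are placeholders assumed for illustration, and Encode is used here in place of Unicode::Map8 for the UTF-16LE conversion.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Encode qw(encode);

# Placeholder values, assumed for illustration only.
my $host  = 'dc1.mycompany.com';
my $upn   = 'swestbrook@mycompany.com';
my $oldPW = $ENV{OLD_PW} // die "set OLD_PW\n";
my $newPW = $ENV{NEW_PW} // die "set NEW_PW\n";

# AD only accepts unicodePwd writes over an encrypted connection;
# verify => 'require' makes the client reject an untrusted server certificate.
my $ldap = Net::LDAP->new("ldaps://$host", verify => 'require',
                          cafile => '/etc/ssl/certs/ca-certificates.crt')
    or die "Connect error: $@\n";
my $mesg = $ldap->bind($upn, password => $oldPW);
die "Bind error: " . $mesg->error_text if $mesg->is_error;

# Ask the server for the domain's base DN (DC=...,DC=...) instead of guessing it.
my $root = $ldap->root_dse(attrs => ['defaultNamingContext']);
my $base = $root->get_value('defaultNamingContext')
    or die "Server did not return defaultNamingContext\n";

# Find the one entry whose userPrincipalName matches; its DN is what modify needs.
my $filter = '(userPrincipalName=' . escape_filter_value($upn) . ')';
$mesg = $ldap->search(base => $base, scope => 'sub', filter => $filter,
                      attrs => ['1.1']);   # '1.1' = return the DN only
die "Search error: " . $mesg->error_text if $mesg->is_error;
die "Expected exactly one match, got " . $mesg->count . "\n" unless $mesg->count == 1;
my $dn = $mesg->entry(0)->dn;

# unicodePwd is the password in double quotes, encoded as UTF-16LE.
my $oldUniPW = encode('UTF-16LE', qq("$oldPW"));
my $newUniPW = encode('UTF-16LE', qq("$newPW"));

# A user-initiated change is a delete of the old value plus an add of the
# new one in a single modify request.
$mesg = $ldap->modify($dn, changes => [
    delete => [ unicodePwd => $oldUniPW ],
    add    => [ unicodePwd => $newUniPW ],
]);
die "Modify error: " . $mesg->error_text if $mesg->is_error;
$ldap->unbind;
print "Password changed for $dn\n";
```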
