Eric Anderson wrote:
Eric Nichols wrote:
unicodepwd is a pretty unique attribute.
3. An Add does work (just an add, no delete)

So are you saying I need to remove the delete? Something like:

$mesg = $ldap->modify($dn, changes => [
    add    => [ unicodePwd => $newUniPW ],
]);

If this is the case why does the LDAP FAQ indicate I need the add and delete?

Also the LDAP connection MUST be SSL.  Active Directory will not accept
password changes over insecure connections.

Would not my connection string:

my $ldap = Net::LDAP->new("ldaps://$host") or die("$@");

make a SSL connection. Note the ldaps:// in the host parameter. It seems to connect fine if I use the userPrincipalName. I would assume if the SSL was a problem I would not be able to connect with either DN or UPN.

I appreciate your input.

Eric



The documentation I found said that a user could do a delete and add, and the administrator could do a replace.

Unfortunately, our AD will not allow an active user to not have a password. So the delete and add fails. Therefore, I had to use the administrator account to update the password. Very ugly.

Here's the code I'm using until I figure out a way to solve this problem: ($adhost specifies ldaps://)

use CGI;
use Net::LDAP;
use Unicode::Map8;

# Assumed to be set earlier in the script: $q (the CGI object), $dn, $oldpw,
# $pw1, $adhost (an ldaps:// URL), $ldapmsglink, $adminname and $adminpw.

my $charmap = Unicode::Map8->new('latin1')  or  die;

# surround the PW with double quotes and convert it to UTF-16
# (AD wants little-endian UTF-16; byteswap() was necessary in experiments
# on i386 Linux, YMMV)
my $oldUniPW = $charmap->tou('"'.$oldpw.'"')->byteswap()->utf16();
my $newUniPW = $charmap->tou('"'.$pw1.'"')->byteswap()->utf16();

# verify => 'none' skips server certificate checking: the session is
# still encrypted, but the server's identity is not verified
my $ldap = Net::LDAP->new($adhost, verify => 'none')  or  die "$@";

# bind as the user whose password is being changed
my $mesg = $ldap->bind($dn, password => $oldpw);
if ($mesg->code) {
    print $q->header({-location => $ldapmsglink.$mesg->code
                      ."&message=Cannot Authenticate to AD: ".$mesg->error_name});
    exit 1;
}

# attempt the self-modify (delete the old value and add the new one in a
# single operation).  Unfortunately, it will always fail for now
$mesg = $ldap->modify($dn,
                      changes => [
                          delete => [ unicodePwd => $oldUniPW ],
                          add    => [ unicodePwd => $newUniPW ] ]);
if ($mesg->code) {
    #
    #  Yes, I know, this is REALLY bad practice.  Get MS to fix it!!!!
    #
    # rebind as the administrator on the same connection: a new bind
    # replaces the existing bind state, whereas an unbind would end the
    # LDAP session and the next request would fail
    my $rootmsg = $ldap->bind($adminname, password => $adminpw);
    if ($rootmsg->code) {
        print $q->header({-location => $ldapmsglink.$rootmsg->code
                          ."&message=(R) Cannot Change Password: ".$rootmsg->error_name});
        exit 1;
    }
    # an administrative reset is a plain replace; no old value is needed
    $rootmsg = $ldap->modify($dn, replace => { unicodePwd => $newUniPW });
    if ($rootmsg->code) {
        print $q->header({-location => $ldapmsglink.$rootmsg->code
                          ."&message=(R) Cannot Change Password: ".$rootmsg->error_name});
        exit 1;
    }
}
$ldap->unbind();
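As an added example (not the poster's code), the same two operations with the unicodePwd value built by Encode instead of Unicode::Map8, which removes the byteswap() guesswork, and with the server certificate actually verified. The host, CA file, DN and passwords are placeholder values.

```perl
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAP;

# AD expects unicodePwd as the password wrapped in double quotes and
# encoded as UTF-16LE with no byte-order mark.  Encode produces that
# directly, so no byteswap() is needed regardless of host endianness.
sub unicode_pwd {
    my ($plain) = @_;
    return encode('UTF-16LE', qq{"$plain"});
}

# sanity check on the encoding: "a" must become 22 00 61 00 22 00
unicode_pwd('a') eq "\x22\x00\x61\x00\x22\x00"
    or die "unicodePwd encoding is wrong";

# placeholder values (assumptions, not from the original post)
my $adhost = 'ldaps://dc.example.com';
my $cafile = '/etc/ssl/certs/ad-ca.pem';
my $dn     = 'CN=Some User,OU=People,DC=example,DC=com';
my ($oldpw, $newpw) = ('OldP4ss!', 'NewP4ss!');

# verify => 'none' (as in the posted code) accepts any certificate, so the
# password goes to whatever answers on that name; 'require' plus the
# domain CA makes the client check the server's identity.
my $ldap = Net::LDAP->new($adhost, verify => 'require', cafile => $cafile)
    or die "connect failed: $@";

# self-service change: bind as the user, then delete the old value and add
# the new one in a single modify operation
my $mesg = $ldap->bind($dn, password => $oldpw);
die 'bind failed: ' . $mesg->error if $mesg->code;

$mesg = $ldap->modify($dn, changes => [
    delete => [ unicodePwd => unicode_pwd($oldpw) ],
    add    => [ unicodePwd => unicode_pwd($newpw) ],
]);
printf "self-change: %s\n", $mesg->code ? $mesg->error : 'ok';

# administrative reset (needs the Reset Password right on the object):
# bind as the admin account instead, then a single replace with no old value
# $mesg = $ldap->modify($dn, replace => { unicodePwd => unicode_pwd($newpw) });

$ldap->unbind;
```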
