Hi Don,

On Fri, Jul 11, 2008 at 5:33 PM, Miller, Don C. <[EMAIL PROTECTED]> wrote:
> Alex, does setting 'pwdLastSet' => 0 not work for you?  You can't set
> the value to anything else but you should be able to set it to zero
> which will force the expiration.
>
> $ldap->modify($dn, replace => { 'pwdLastSet' => 0 });
>

thank you, it works. Below is my complete code for the archive.

I haven't found how to mimic VBScript's AccountDisabled=FALSE
in Perl, but the user creation seems to work fine without it too.

Greetings from Germany
Alex

#!/usr/bin/perl -w

use strict;
use Net::LDAPS;
use Net::LDAP qw(LDAP_SUCCESS LDAP_ALREADY_EXISTS);
use Unicode::Map8;
use Unicode::String qw(utf16);

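# Where the imported accounts live. The DN was broken across two lines by the
# mailer; joining it with a space ('OU=User Accounts') is assumed -- TODO confirm.
# An embedded newline would make the DN invalid.
use constant ROOTDN => 'OU=ImportedExt,OU=User Accounts,DC=internal,DC=XXX,DC=com';
use constant DOMAIN => 'internal.XXX.com';
# Domain controllers tried in order by Net::LDAP (arrayref of hosts).
use constant SERVER => ['ablwdc01.' . DOMAIN, 'ablwdc02.' . DOMAIN];
# NOTE(review): an account that may create users is bound with a password
# hard-coded in the script; it ends up in mail archives, backups and version
# control. Read it from a mode-0600 file or prompt for it at run time.
use constant ADMIN  => 'XXXXXXX';
use constant ADMPW  => 'XXXXXX';
# userAccountControl value: NORMAL_ACCOUNT without the ACCOUNTDISABLE (0x2) bit.
use constant NORMAL_ACCOUNT => 0x200;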

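# Test account to create. In the original post these were a single qw() list,
# which splits the list-archive placeholder '[EMAIL PROTECTED]' into two
# tokens and shifts every later value by one; quoting keeps the mapping intact.
my ($uid, $first, $last, $mail, $city, $company, $password) = (
    'perl_test',
    'perl',
    'test',
    '[EMAIL PROTECTED]',    # redacted by the list archive -- substitute a real address
    'Bochum',
    'XXX',
    'xxxxxxx123',
);
my $fullname = "$first $last";
my $dn       = "cn=$uid," . ROOTDN;

# Connect over LDAPS. Net::LDAP->new returns undef and leaves the reason in $@.
# NOTE(review): no verify/cafile option is passed, so the DC certificate is
# checked only as far as Net::LDAPS' default policy goes (historically
# verify => 'none'); pass verify => 'require' and a CA file to pin the DCs.
my $ldap = Net::LDAPS->new(SERVER)
    or die 'Could not connect to LDAP server(s) '
         . join(', ', @{ SERVER() }) . ": $@";

# Every Net::LDAP operation returns a Net::LDAP::Message object, which is
# always true -- `$ldap->bind(...) or die` can never fire, so a failed bind
# went unnoticed until the first add. The result code is what signals failure.
my $result = $ldap->bind(ADMIN . '@' . DOMAIN, password => ADMPW);
die 'Could not bind to LDAP server as ' . ADMIN . ': ' . $result->error
    if $result->code;

# AD takes unicodePwd as the password wrapped in double quotes, encoded as
# UTF-16LE. Unicode::String emits big-endian UTF-16, hence the byteswap.
my $charmap = Unicode::Map8->new('latin1') or die $!;
my $unipwd  = $charmap->tou(qq{"$password"})->byteswap()->utf16();

$result = $ldap->add($dn,
    attr => [
        objectClass                => 'user',
        sAMAccountName             => $uid,
        userPrincipalName          => $uid . '@' . DOMAIN,
        givenName                  => $first,
        sn                         => $last,
        displayName                => $fullname,
        description                => $fullname,
        mail                       => $mail,
        l                          => $city,
        physicalDeliveryOfficeName => $city,
        company                    => $company,
        unicodePwd                 => $unipwd,
    ],
);
if ($result->code != LDAP_SUCCESS) {
    warn "User $uid already exists!\n"
        if $result->code == LDAP_ALREADY_EXISTS;
    die 'Failed to add user: ', $result->error;
}

# pwdLastSet accepts only 0 here (see the thread above); it expires the
# password so the user must change it at first logon.
$result = $ldap->modify($dn, replace => { pwdLastSet => 0 });
die 'Failed to modify user: ', $result->error if $result->code;

# Enable the account by writing userAccountControl without the disable bit.
$result = $ldap->modify($dn,
    replace => { userAccountControl => NORMAL_ACCOUNT });
die 'Failed to enable user: ', $result->error if $result->code;

$ldap->unbind;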
