On 21 Feb 2011, at 03:52, Threet, Robert A wrote:

> 
> Yeah -  adds work great!  I didn't get how to modify the password.  It looks 
> like you have to read in the entire entry - modify - then re-add it.  Noticed 
> that thinking in the LDAP Admin Guide Friday night.

No, that absolutely shouldn't be necessary. LDAP's modify operation primitives 
let you change attributes without needing to read them first.

But there's maybe some confusion here. You say you're trying to modify a 
password, but your "resetMacAcct" subroutine is adding an entry, *not* 
modifying it. You're not supplying enough attributes to add a valid entry, so 
the server rejects it with a reasonable-looking error.

If you want to modify a password, replace (sic) this code:

---old-code
       $macEntry->replace(userPassword => $newMacpw);
       my $add = $macBind->add($macEntry);
---old-code

with this:

---new-code
       my $add = $macBind->modify($newdn,
                     replace => { 'userPassword' => $newMacpw });
---new-code

Note you don't need to create a $macEntry object, so you can delete those lines 
of code.

This code could still fail if the server is configured to check the "quality" 
of new passwords. It can't check a hashed password, so it might reject the 
modify. It might also be configured to force the old password to be provided 
together with the new, and your script running as manager doesn't seem to have 
the old password.

The last way this could fail is if the server stores passwords in a different 
attribute, or encoded in some way. Active Directory does both of those things, 
so you need to watch whether you're using Active Directory vs. an LDAP server.

Chris

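A fuller version of the change Chris describes, as an added example that is not code from this thread. It goes a bit beyond the reply: after the plain modify it falls back to the Password Modify extended operation (which lets the server hash the value and check the old password itself), and it shows the Active Directory variant. The host name, DNs, CA file path and the LDAP_MANAGER_PW / OLD_PW environment variables are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the thread: change a user's password with Net::LDAP.
# Host, DNs, CA path and environment variables below are assumed values.
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_CONSTRAINT_VIOLATION);
use Net::LDAP::Extension::SetPassword;   # adds $ldap->set_password (RFC 3062)

my ($dn, $newpw) = ('uid=rthreet,ou=people,dc=example,dc=com', 'S3cret-Pa55');

my $ldap = Net::LDAP->new('ldap.example.com', version => 3)
    or die "connect: $@";
# Never send a password over a cleartext bind: negotiate TLS first.
my $mesg = $ldap->start_tls(verify => 'require', cafile => '/etc/ssl/certs/ca.pem');
die "start_tls: " . $mesg->error if $mesg->code;
$mesg = $ldap->bind('cn=Manager,dc=example,dc=com', password => $ENV{LDAP_MANAGER_PW});
die "bind: " . $mesg->error if $mesg->code;

# 1. Plain modify, exactly as in the reply: one replace, no read first.
#    Sending a pre-hashed value ({SSHA}...) here cannot pass a quality check.
$mesg = $ldap->modify($dn, replace => { userPassword => $newpw });
if ($mesg->code == LDAP_CONSTRAINT_VIOLATION) {
    # OpenLDAP's ppolicy overlay answers this way when the password fails
    # quality rules or when the old password must accompany the new one.
    warn "modify refused by policy: " . $mesg->error . "\n";

    # 2. Password Modify extended operation: the server hashes the value
    #    itself and verifies the old password if its policy demands it.
    $mesg = $ldap->set_password(
        user      => $dn,
        newpasswd => $newpw,
        (defined $ENV{OLD_PW} ? (oldpasswd => $ENV{OLD_PW}) : ()),
    );
}
die "password change failed: " . $mesg->error unless $mesg->code == LDAP_SUCCESS;

# 3. Active Directory keeps the password in unicodePwd, as a UTF-16LE string
#    wrapped in double quotes, and only accepts the change over LDAPS/TLS.
sub set_ad_password {
    my ($ad, $user_dn, $pw) = @_;
    my $r = $ad->modify($user_dn,
        replace => { unicodePwd => encode('UTF-16LE', qq{"$pw"}) });
    die "AD password change failed: " . $r->error if $r->code;
    return 1;
}
```

Against a domain controller, call set_ad_password($ldap, $dn, $newpw) instead of steps 1 and 2; a userPassword replace there will not set the account's logon password.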