Prentice,

Try using LDAPS. The setup for this isn't terribly easy, but once you've got the keys in place, AD seems more friendly.

From my understanding, AD will only let you make "security related" changes over secured (encrypted) connections (the -Z switch below), i.e.:

    ldapmodify -c -x -D "CN=ldap Admin,OU=ServiceAccounts,DC=mycompany,DC=com" -w 'supersecretpw' -f new_users_pw.ldif -H ldaps://dc01.mycompany.com -Z

I typically write perl code to create LDIF files, then use "ldapmodify" with wire encryption. If I don't use encryption, AD rejects all security related changes.

Hope that helps.

--Dan

-----Original Message-----
From: Prentice Bisbal [mailto:prent...@ias.edu]
Sent: Thursday, April 28, 2011 3:07 PM
To: perl-ldap@perl.org
Subject: Can't change passwd in AD 2008 R2

We recently updated our Active Directory servers to 2008 R2. I had a perl script that would change a user's password in OpenLDAP and Active Directory at the same time. This was working fine until the update. I can still change a user's password when I bind as an AD administrator, but not as a normal user. Has anyone else here gone through this?

I know that the behavior of replacing a password is different depending on whether you are an administrator or a regular user changing your own password, as documented here:

http://support.microsoft.com/?kbid=269190

I wrote this code based on the above link:

    # AD doesn't allow non-admin users to replace their password.
    # Instead, it must be deleted and re-added. Administrators can only
    # replace a password.
    if ($username ne getlogin()) {
        $mesg = $ad->modify($ad_user_dn, replace => { unicodePwd => $newUnicodePwd });
    } else {
        $mesg = $ad->modify($ad_user_dn, delete => { unicodePwd => $newUnicodePwd });
        $code = $mesg->code;
        if ($code != 0) {
            $mesg = $ad->modify($ad_user_dn, replace => { unicodePwd => $newUnicodePwd });
        }
    }

This worked just fine until the upgrade to 2008 R2. Any ideas?

--
Prentice
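For reference, here is an added Net::LDAP example (not code from either poster) showing the two paths the KB article describes: an administrator does a single replace of unicodePwd, while a user changing their own password deletes the old value and adds the new one inside one modify operation, over LDAPS with certificate verification. The hostname, DNs, CA file path and the OLD_PW/NEW_PW environment variables are placeholders.

```perl
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAP;

# AD expects unicodePwd as the password wrapped in double quotes, encoded UTF-16LE.
sub ad_password_value {
    my ($plain) = @_;
    return encode('UTF-16LE', qq{"$plain"});
}

# Connect over LDAPS and verify the DC certificate (the CA file path is an assumption).
sub connect_ldaps {
    my ($host) = @_;
    my $ldap = Net::LDAP->new("ldaps://$host",
        verify => 'require',
        cafile => '/etc/ssl/certs/ad-ca.pem',
    ) or die "LDAPS connect to $host failed: $@";
    return $ldap;
}

# Administrator path: one 'replace' of unicodePwd; no old password is needed.
sub admin_reset_password {
    my ($ldap, $user_dn, $new) = @_;
    return $ldap->modify($user_dn, replace => { unicodePwd => ad_password_value($new) });
}

# Self-service path: delete the OLD value and add the NEW value in a single
# modify, so the DC can verify the old password and apply password policy.
sub self_change_password {
    my ($ldap, $user_dn, $old, $new) = @_;
    return $ldap->modify($user_dn, changes => [
        delete => [ unicodePwd => ad_password_value($old) ],
        add    => [ unicodePwd => ad_password_value($new) ],
    ]);
}

# Usage (placeholder host, DN and env-supplied passwords): bind as the user,
# then change that user's own password.
my $ldap    = connect_ldaps('dc01.example.com');
my $user_dn = 'CN=Some User,OU=Users,DC=example,DC=com';
my $mesg    = $ldap->bind($user_dn, password => $ENV{OLD_PW});
die 'bind failed: ' . $mesg->error if $mesg->code;
$mesg = self_change_password($ldap, $user_dn, $ENV{OLD_PW}, $ENV{NEW_PW});
die 'password change failed: ' . $mesg->error if $mesg->code;
$ldap->unbind;
```

Note that the self-service modify deletes the current password value, not the new one; if the delete and add are sent as separate operations, or the wrong value is deleted, the DC rejects the change.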