Samuel Parsons wrote on 05/27/2011 09:07 AM:
> I'm attempting to reset AD passwords without SSL as our AD server
> admin doesn't know how to enable SSL on the AD server.
>
> The link between the machine and the AD server is secure for other
> reasons and so SSL is not necessary (at least from our
> server-manager's perspective).
>
> The MS documentation does not indicate that this is possible, but
> essentially in order to update passwords you need to either have SSL,
> TLS, or (undocumented) set the LDAP_OPT_ENCRYPTION = 1 on the LDAP
> connection. (Incidentally, LDAP_OPT_ENCRYPTION is defined as 0x96) [1]
>
> I have one report of the undocumented option being possible in VB.NET
> which seems to indicate to me that AD itself supports changing
> passwords *without* SSL or TLS. It's just a matter of figuring out
> exactly how VB.NET (or other .NET languages, I presume) does it. For,
> I hope, obvious reasons, I'm not planning on using VB unless it's
> absolutely necessary. In fact, I think it shouldn't be necessary.
>
> However, as far as my research shows, setting the option is
> unsupported in PHP [2] (language I have most experience with), Python,
> and now I've come to Perl. My thinking was that if it's possible
> anywhere, the Perl folks would have figured it out.
>
> I've searched Perl documentation on setting this option and doing
> non-SSL password changes and I can't seem to find any hint that this
> is possible. If you know how to set this option or how to achieve it
> please let me know!
>
> [1] http://msdn.microsoft.com/en-us/library/aa367019(v=vs.85).aspx
> [2] http://bugs.php.net/bug.php?id=50924
>
> Sam
>

This is how I set the password in AD:

http://search.cpan.org/~karman/Net-LDAP-Class-0.26/lib/Net/LDAP/Class/User/AD.pm#password([plain_password])

Read the source for the password() method.

IIRC, SSL or TLS was not required, but binding in the initial LDAP
connection with a user with privileges to set the password via LDAP was.
I could be wrong about the SSL/TLS (it's been a few years...).

--
Peter Karman . http://peknet.com/ . pe...@peknet.com
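
An AD password reset over plain Net::LDAP, as an added example that is not part of this thread and not the code of Net::LDAP::Class. It assumes the documented route Sam mentions (the connection upgraded with StartTLS before the bind) and that the password is written to `unicodePwd` as a quoted UTF-16LE string; the `AD_*` environment variables, the function names and the sample password are hypothetical.

```perl
#!/usr/bin/perl
# Added example: reset an AD password over LDAP with Net::LDAP.
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAP;

# AD expects unicodePwd as the password wrapped in double quotes,
# encoded as UTF-16LE (no byte-order mark).
sub encode_unicode_pwd {
    my ($plain) = @_;
    return encode('UTF-16LE', qq{"$plain"});
}

sub reset_ad_password {
    my (%arg) = @_;
    my $ldap = Net::LDAP->new($arg{host}) or die "connect failed: $@\n";

    # Upgrade the connection before any credentials cross the wire.
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $arg{cafile});
    die 'start_tls: ' . $mesg->error . "\n" if $mesg->code;

    # Bind as an account that is allowed to set the target's password.
    $mesg = $ldap->bind($arg{admin_dn}, password => $arg{admin_pw});
    die 'bind: ' . $mesg->error . "\n" if $mesg->code;

    # A reset is a single "replace" of unicodePwd.
    $mesg = $ldap->modify($arg{user_dn},
        replace => { unicodePwd => encode_unicode_pwd($arg{new_pw}) });
    my $err = $mesg->code ? $mesg->error : undef;
    $ldap->unbind;
    die "modify: $err\n" if defined $err;
    return 1;
}

# Offline check of the encoding with a constructed password.
my $bytes = encode_unicode_pwd('N3w-Pa55');
printf "unicodePwd (%d bytes): %s\n", length $bytes, unpack('H*', $bytes);

# The network part only runs when a target is supplied (all values hypothetical).
if ($ENV{AD_HOST}) {
    reset_ad_password(
        host     => $ENV{AD_HOST},     cafile   => $ENV{AD_CAFILE},
        admin_dn => $ENV{AD_ADMIN_DN}, admin_pw => $ENV{AD_ADMIN_PW},
        user_dn  => $ENV{AD_USER_DN},  new_pw   => $ENV{AD_NEW_PW},
    );
    print "password reset\n";
}
```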