Sam,

Having been in your shoes, I found that you absolutely have to have one of the security configurations mentioned to update passwords in AD via Perl (or ldapadd/ldapmodify) as Peter mentioned.

Luckily I've got a great Windows sysadmin who could set up that cert for me (I'm Windows challenged). Try this link: http://www.linuxmail.info/enable-ldap-ssl-active-directory/ It's not the greatest article but lays out most of the initial steps towards setting up the cert. In my case, I use LDAPS and connect with an admin type user to AD. I typically don't update AD directly, rather I use Net::LDAP::LDIF to generate LDIF files that I "apply" using ldapadd/ldapmodify over LDAPS from Linux. It took me a while to get the hang of many of the Net::LDAP libraries out there, but it paid off (plus it's quite fun/interesting).

--Dan

-----Original Message-----
From: Peter Karman [mailto:pe...@peknet.com]
Sent: Friday, May 27, 2011 10:12 AM
To: perl-ldap@perl.org
Subject: Re: [Net::LDAP] Resetting AD passwords without SSL

Samuel Parsons wrote on 05/27/2011 09:07 AM:
> I'm attempting to reset AD passwords without SSL as our AD server
> admin doesn't know how to enable SSL on the AD server.
>
> The link between the machine and the AD server is secure for other
> reasons and so SSL is not necessary (at least from our
> server-manager's perspective).
>
> The MS documentation does not indicate that this is possible, but
> essentially in order to update passwords you need to either have SSL,
> TLS, or (undocumented) set the LDAP_OPT_ENCRYPTION = 1 on the LDAP
> connection. (Incidentally, LDAP_OPT_ENCRYPTION is defined as 0x96) [1]
>
> I have one report of the undocumented option being possible in VB.NET
> which seems to indicate to me that AD itself supports changing
> passwords *without* SSL or TLS. It's just a matter of figuring out
> exactly how VB.NET (or other .NET languages, I presume) does it. For,
> I hope, obvious reasons, I'm not planning on using VB unless it's
> absolutely necessary. In fact, I think it shouldn't be necessary.
>
> However, as far as my research shows, setting the option is
> unsupported in PHP [2] (language I have most experience with), Python,
> and now I've come to Perl. My thinking was that if it's possible
> anywhere, the Perl folks would have figured it out.
>
> I've searched Perl documentation on setting this option and doing
> non-SSL password changes and I can't seem to find any hint that this
> is possible. If you know how to set this option or how to achieve it
> please let me know!
>
> [1] http://msdn.microsoft.com/en-us/library/aa367019(v=vs.85).aspx
> [2] http://bugs.php.net/bug.php?id=50924
>
> Sam
>

This is how I set the password in AD:

http://search.cpan.org/~karman/Net-LDAP-Class-0.26/lib/Net/LDAP/Class/User/AD.pm#password([plain_password])

read the source for the password() method.

IIRC, SSL or TLS was not required, but binding in the initial LDAP connection with a user with privileges to set the password via LDAP was. I could be wrong about the SSL/TLS (it's been a few years...).

--
Peter Karman . http://peknet.com/ . pe...@peknet.com
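
Added example, not part of any message in this thread: the LDIF-generation approach described in Dan's reply, written with core Perl modules (Encode, MIME::Base64) instead of Net::LDAP::LDIF. It builds the `unicodePwd` change record that Active Directory accepts over an encrypted connection; the DN, password, host name and helper names are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: emit an LDIF change record that resets an AD password.
# Apply it over LDAPS, e.g. (host name is a placeholder):
#   ldapmodify -H ldaps://dc.example.com -D <admin bind DN> -W -f reset.ldif
use strict;
use warnings;
use Encode qw(encode);
use MIME::Base64 qw(encode_base64);

# AD expects unicodePwd to be the new password wrapped in double quotes
# and encoded as UTF-16LE. LDIF carries such binary values base64-encoded,
# which is signalled by the double colon ("unicodePwd::").
sub unicode_pwd_b64 {
    my ($plain) = @_;
    die "empty password\n" unless defined $plain && length $plain;
    return encode_base64(encode('UTF-16LE', qq{"$plain"}), '');
}

# Emit "attr: value" when the value is an LDIF SAFE-STRING (RFC 2849);
# otherwise (non-ASCII, leading space/colon/'<', trailing space, CR/LF)
# fall back to "attr:: base64(utf8 bytes)".
sub ldif_line {
    my ($attr, $value) = @_;
    my $bytes = encode('UTF-8', $value);
    my $safe  = $bytes =~ /\A[^\x00\x0A\x0D\x20\x3A\x3C\x80-\xFF]
                             [^\x00\x0A\x0D\x80-\xFF]*\z/x
             && $bytes !~ / \z/;
    return $safe ? "$attr: $bytes\n"
                 : "$attr:: " . encode_base64($bytes, '') . "\n";
}

# An administrative reset is a "replace" of unicodePwd on the user's entry.
sub password_reset_ldif {
    my ($dn, $plain) = @_;
    return ldif_line(dn => $dn)
         . "changetype: modify\n"
         . "replace: unicodePwd\n"
         . "unicodePwd:: " . unicode_pwd_b64($plain) . "\n"
         . "-\n";
}

# Constructed sample values, not taken from the thread.
print password_reset_ldif('CN=Test User,OU=Staff,DC=example,DC=com',
                          'N3w-Passw0rd!');
```

The base64 value is only an encoding of the password, so the generated file should be readable by its owner only and deleted once applied.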