It's well documented.   AD won't allow you to change a password over LDAP
389.

Enabling SSL LDAP is quite easy.  Simply make one of the domain controllers
a Certificate Authority.  That automatically turns on LDAPS on all DCs.
-- 
Justin B. Alcorn
The views expressed here are not necessarily my own, much less anyone
else's.
PGP Fingerprint A36D D691 C5B0 BE15 5A2A AF49 AA1C 372C


On Fri, May 27, 2011 at 10:07 AM, Samuel Parsons
<spars...@bemidjistate.edu> wrote:

> I'm attempting to reset AD passwords without SSL as our AD server
> admin doesn't know how to enable SSL on the AD server.
>
> The link between the machine and the AD server is secure for other
> reasons and so SSL is not necessary (at least from our
> server-manager's perspective).
>
> The MS documentation does not indicate that this is possible, but
> essentially in order to update passwords you need to either have SSL,
> TLS, or (undocumented) set the LDAP_OPT_ENCRYPTION = 1 on the LDAP
> connection. (Incidentally, LDAP_OPT_ENCRYPTION is defined as 0x96) [1]
>
> I have one report of the undocumented option being possible in VB.NET
> which seems to indicate to me that AD itself supports changing
> passwords *without* SSL or TLS. It's just a matter of figuring out
> exactly how VB.NET (or other .NET languages, I presume) does it. For,
> I hope, obvious reasons, I'm not planning on using VB unless it's
> absolutely necessary. In fact, I think it shouldn't be necessary.
>
> However, as far as my research shows, setting the option is
> unsupported in PHP [2] (language I have most experience with), Python,
> and now I've come to Perl. My thinking was that if it's possible
> anywhere, the Perl folks would have figured it out.
>
> I've searched Perl documentation on setting this option and doing
> non-SSL password changes and I can't seem to find any hint that this
> is possible. If you know how to set this option or how to achieve it
> please let me know!
>
> [1] http://msdn.microsoft.com/en-us/library/aa367019(v=vs.85).aspx
> [2] http://bugs.php.net/bug.php?id=50924
>
> Sam
>
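
Added example, not part of the original messages or of any library discussed in them: a client-side guard that builds an AD password-reset record only when the connection will be LDAPS or StartTLS, with the new password encoded the way AD's `unicodePwd` attribute expects (double-quoted, UTF-16LE). The function names, host, DN and password are constructed for illustration.

```python
import base64
from urllib.parse import urlparse


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd value: the password in double quotes, as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def channel_is_encrypted(url: str, start_tls: bool = False) -> bool:
    """True for ldaps://, or for ldap:// only when StartTLS will be used."""
    scheme = urlparse(url).scheme.lower()
    return scheme == "ldaps" or (scheme == "ldap" and start_tls)


def _ldif_line(name: str, value: bytes) -> str:
    """Emit 'name: value' when LDIF-safe, else base64 'name:: value'."""
    safe = (bool(value) and all(0x20 <= b < 0x7F for b in value)
            and value[:1] not in (b" ", b":", b"<")
            and not value.endswith(b" "))
    if safe:
        return f"{name}: {value.decode('ascii')}"
    return f"{name}:: {base64.b64encode(value).decode('ascii')}"


def reset_ldif(url, user_dn, new_password, start_tls=False) -> str:
    """Build the modify record, refusing to prepare it for cleartext LDAP."""
    if not channel_is_encrypted(url, start_tls):
        raise ValueError(f"refusing password reset over unencrypted {url}")
    return "\n".join([
        _ldif_line("dn", user_dn.encode("utf-8")),
        "changetype: modify",
        "replace: unicodePwd",
        _ldif_line("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed sample values: host, DN and password are not from the thread.
    dn = "CN=Test User,OU=Staff,DC=example,DC=test"
    print(reset_ldif("ldaps://dc1.example.test:636", dn, "Pw1"))
    try:
        reset_ldif("ldap://dc1.example.test:389", dn, "Pw1")
    except ValueError as err:
        print(err)
```

The UTF-16LE value always contains NUL bytes, so it is emitted base64-encoded (`unicodePwd::`) in the LDIF record.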
