I am doing things much the same way Dan is. Using the Net::LDAP::LDIF module to create LDIF to update AD with via ldapadd/modify. I use Kerberos authentication so I don't have to worry about using SSL.
Microsoft has a simple guide for setting up SSL on a DC - http://support.microsoft.com/kb/321051. It's really easy. Did two DCs yesterday in an hour (including purchasing the certs). If you are doing multiple DCs and want to address the domain by the service name rather than a FQDN of a DC, be sure to get the Subject Alternative Name set properly in the certificate.

al

--
Al Lilianstrom
CD/LSC/SOS/ES
lilst...@fnal.gov

> -----Original Message-----
> From: Dan Cutler [mailto:dcut...@intelimedix.com]
> Sent: Friday, May 27, 2011 10:57 AM
> To: perl-ldap@perl.org; sparsons.bemidjist...@gmail.com
> Subject: RE: [Net::LDAP] Resetting AD passwords without SSL
>
> Sam,
>
> Having been in your shoes, I found that you absolutely have to have one of
> the security configurations mentioned to update passwords in AD via Perl (or
> ldapadd/ldapmodify) as Peter mentioned.
>
> Luckily I've got a great Windows sysadmin who could set up that cert for me
> (I'm Windows challenged).
> Try this link http://www.linuxmail.info/enable-ldap-ssl-active-directory/
> It's not the greatest article but lays out most of the initial steps towards
> setting up the cert.
>
> In my case, I use LDAPS and connect with an admin type user to AD.
>
> I typically don't update AD directly, rather I use Net::LDAP::LDIF to generate
> LDIF files that I "apply" using ldapadd/ldapmodify over LDAPS from Linux.
>
> It took me a while to get the hang of many of the Net::LDAP libraries out
> there, but it paid off (plus it's quite fun/interesting).
>
> --Dan
>
> -----Original Message-----
> From: Peter Karman [mailto:pe...@peknet.com]
> Sent: Friday, May 27, 2011 10:12 AM
> To: perl-ldap@perl.org
> Subject: Re: [Net::LDAP] Resetting AD passwords without SSL
>
> Samuel Parsons wrote on 05/27/2011 09:07 AM:
> > I'm attempting to reset AD passwords without SSL as our AD server
> > admin doesn't know how to enable SSL on the AD server.
> >
> > The link between the machine and the AD server is secure for other
> > reasons and so SSL is not necessary (at least from our
> > server-manager's perspective).
> >
> > The MS documentation does not indicate that this is possible, but
> > essentially in order to update passwords you need to either have SSL,
> > TLS, or (undocumented) set the LDAP_OPT_ENCRYPTION = 1 on the LDAP
> > connection. (Incidentally, LDAP_OPT_ENCRYPTION is defined as 0x96) [1]
> >
> > I have one report of the undocumented option being possible in VB.NET
> > which seems to indicate to me that AD itself supports changing
> > passwords *without* SSL or TLS. It's just a matter of figuring out
> > exactly how VB.NET (or other .NET languages, I presume) does it. For,
> > I hope, obvious reasons, I'm not planning on using VB unless it's
> > absolutely necessary. In fact, I think it shouldn't be necessary.
> >
> > However, as far as my research shows, setting the option is
> > unsupported in PHP [2] (language I have most experience with), Python,
> > and now I've come to Perl. My thinking was that if it's possible
> > anywhere, the Perl folks would have figured it out.
> >
> > I've searched Perl documentation on setting this option and doing
> > non-SSL password changes and I can't seem to find any hint that this
> > is possible. If you know how to set this option or how to achieve it
> > please let me know!
> >
> > [1] http://msdn.microsoft.com/en-us/library/aa367019(v=vs.85).aspx
> > [2] http://bugs.php.net/bug.php?id=50924
> >
> > Sam
> >
>
> This is how I set the password in AD:
>
> http://search.cpan.org/~karman/Net-LDAP-Class-0.26/lib/Net/LDAP/Class/User/AD.pm#password([plain_password])
>
> read the source for the password() method.
>
> IIRC, SSL or TLS was not required, but binding in the initial LDAP
> connection with a user with privileges to set the password via LDAP was.
> I could be wrong about the SSL/TLS (it's been a few years...).
>
>
> --
> Peter Karman . http://peknet.com/ . pe...@peknet.com
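The two approaches discussed in this thread (Dan's LDIF-plus-ldapmodify route and a direct Net::LDAP modify over LDAPS), as an added example in Perl. This is not code from any poster, from Net::LDAP::Class, or from the linked articles; the DC hostname, CA file, DNs, environment variable and password below are placeholder assumptions. It shows the part none of the messages spell out: AD takes the new password as the unicodePwd attribute, which must be the UTF-16LE encoding of the password wrapped in double quotes, and it refuses that write unless the connection is encrypted (LDAPS here).

```perl
#!/usr/bin/env perl
# Added example, not from the thread: reset an AD account password with
# Net::LDAP over LDAPS, or emit the same change as LDIF for ldapmodify.
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAP;
use Net::LDAP::Entry;
use Net::LDAP::LDIF;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Assumed placeholder values: replace with your DC, CA cert, DNs and secret.
my $dc_host  = 'dc1.example.com';                   # must match the cert's SAN
my $ca_file  = '/etc/ssl/certs/example-ad-ca.pem';  # CA that issued the DC cert
my $admin_dn = 'CN=Svc LDAP Admin,OU=Service,DC=example,DC=com';
my $user_dn  = 'CN=Sam Parsons,OU=Users,DC=example,DC=com';
my $new_pw   = 'CorrectHorse-Battery9';             # constructed sample value

# AD stores the password in unicodePwd as UTF-16LE of the password wrapped
# in ASCII double quotes. Encode::encode emits no BOM, which is what AD wants.
sub unicode_pwd {
    my ($plain) = @_;
    return encode('UTF-16LE', qq("$plain"));
}

# Route 1: direct modify over LDAPS. verify => 'require' makes Net::LDAP
# reject a DC certificate it cannot validate against $ca_file instead of
# silently continuing; without TLS, AD answers the unicodePwd write with
# unwillingToPerform (code 53).
sub reset_over_ldaps {
    my ($admin_pw) = @_;
    my $ldap = Net::LDAP->new(
        $dc_host,
        scheme  => 'ldaps',
        port    => 636,
        verify  => 'require',
        cafile  => $ca_file,
        version => 3,
    ) or die "cannot connect to $dc_host: $@\n";

    my $mesg = $ldap->bind($admin_dn, password => $admin_pw);
    $mesg->code == LDAP_SUCCESS or die 'bind failed: ' . $mesg->error . "\n";

    # Administrative reset: a single replace of unicodePwd. This needs the
    # "Reset password" right on the target object, not the old password.
    $mesg = $ldap->modify($user_dn, replace => { unicodePwd => unicode_pwd($new_pw) });
    $mesg->code == LDAP_SUCCESS
        or die sprintf("password reset failed: %s (code %d)\n", $mesg->error, $mesg->code);

    # Force a change at next logon by clearing pwdLastSet.
    $mesg = $ldap->modify($user_dn, replace => { pwdLastSet => 0 });
    $mesg->code == LDAP_SUCCESS or warn 'pwdLastSet not updated: ' . $mesg->error . "\n";

    $ldap->unbind;
    return 1;
}

# Route 2: the LDIF route Dan and Al describe. Net::LDAP::LDIF base64-encodes
# the binary unicodePwd value automatically (it contains NUL bytes), so the
# resulting file can be fed to ldapmodify unchanged.
sub write_reset_ldif {
    my ($path) = @_;
    my $entry = Net::LDAP::Entry->new($user_dn);
    $entry->changetype('modify');
    $entry->replace(unicodePwd => unicode_pwd($new_pw), pwdLastSet => 0);

    my $ldif = Net::LDAP::LDIF->new($path, 'w', onerror => 'die', change => 1);
    $ldif->write_entry($entry);
    $ldif->done;
    return $path;
}

if (@ARGV && $ARGV[0] eq 'ldif') {
    print 'wrote ', write_reset_ldif('reset.ldif'), "\n";
} else {
    my $admin_pw = $ENV{AD_ADMIN_PW} // die "set AD_ADMIN_PW in the environment\n";
    reset_over_ldaps($admin_pw);
    print "password reset for $user_dn\n";
}
```

With the `ldif` argument the script writes reset.ldif, which is applied with `ldapmodify -H ldaps://dc1.example.com -D "CN=Svc LDAP Admin,OU=Service,DC=example,DC=com" -W -f reset.ldif`; the OpenLDAP client needs `TLS_CACERT` pointing at the same CA file in its ldap.conf (or the `LDAPTLS_CACERT` environment variable), otherwise it fails the LDAPS handshake rather than sending the password in the clear. A self-service change by the user (rather than an admin reset) is a different modify: a `delete` of unicodePwd carrying the old quoted password followed by an `add` of the new one in the same operation, both encoded the same way as above.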