Re: Creating Active Directory Objects

Thu, 08 Nov 2007 04:49:14 -0800 

Hi, Mike
I think AD uses an extension to the Kerberos protocol to change the password of a user. See http://msdn2.microsoft.com/en-us/library/ms808911.aspx As far as I understand it, the unicodePwd attribute is the NT hash of the user's password. (See http://msdn2.microsoft.com/en-us/library/ms680513.aspx). Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's LDAP. It should be a lot easier to manage than SSL certs. 

David

Mike Matz wrote:



Thanks for the help guys.  It got me off to a great start.  I have 
successfully created a user in my AD.  As you already eluded to, I am 
struggling with the password attribute.  Can the password attribute be 
set when creating a user.  From what I gathered, the password 
attribute is 'unicodePwd'.  This attribute cannot be created, it can 
only be modified.  Is this attribute created by default when a user is 
created?  Would I be able to do an add and then a modify to set the 
password?  I am aware of the fact that there are certain restrictions 
in place in order to modify the password.  I have setup my AD to 
include SSL and I am able to bind as Administrator over port 636.  
With that said one of the examples I ran across for adding a user 
refers to another attribute 'userPassword'.  I am unable to tell what 
this attribute is.  In the link below, it appears that the password is 
being set when the entry is added.  I have tried this unsuccessfully.  
I appreicate all the help thus far.

Regards,
Mike

Example Add Entry - http://www.grotan.com/ldap/python-ldap-samples.html


-----Original Message-----
From: Geert Jansen [mailto:[EMAIL PROTECTED]
Sent: Wed 11/7/2007 1:50 PM
To: Michael Ströder
Cc: Mike Matz; [email protected]
Subject: Re: Creating Active Directory Objects

Michael Ströder wrote:

> I vaguely remember that there are some issues with really activating a
> user entry as a Windows user. But this is not a problem of accessing AD
> via python-ldap.

>  


This indeed rings a bell. You need to create the user as disabled (look
for userAccountControl on MSDN), set a compliant password, and then
enable him.

Regards,
Geert



--
David Leonard                           [EMAIL PROTECTED]
                                       Ph:+61 404 844 850


-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev






















					Reply via email to