Thanks for your input David. I will read through the MSDN articles to
see if they provide me with any inside. I am not familiar with using
SASL/GSSAPI/Kerberos to bind to AD's LDAP. Could you possibly provide
me with a few steps to accomplish this?
Thanks,
Mike
On Nov 8, 2007, at 7:48 AM, David Leonard wrote:
Hi, Mike
I think AD uses an extension to the Kerberos protocol to change the
password of a user. See http://msdn2.microsoft.com/en-us/library/ms808911.aspx
As far as I understand it, the unicodePwd attribute is the NT hash
of the user's password. (See http://msdn2.microsoft.com/en-us/library/ms680513.aspx)
.
Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to
AD's LDAP. It should be a lot easier to manage than SSL certs.
David
Mike Matz wrote:
Thanks for the help guys. It got me off to a great start. I have
successfully created a user in my AD. As you already eluded to, I
am struggling with the password attribute. Can the password
attribute be set when creating a user. From what I gathered, the
password attribute is 'unicodePwd'. This attribute cannot be
created, it can only be modified. Is this attribute created by
default when a user is created? Would I be able to do an add and
then a modify to set the password? I am aware of the fact that
there are certain restrictions in place in order to modify the
password. I have setup my AD to include SSL and I am able to bind
as Administrator over port 636. With that said one of the examples
I ran across for adding a user refers to another attribute
'userPassword'. I am unable to tell what this attribute is. In
the link below, it appears that the password is being set when the
entry is added. I have tried this unsuccessfully. I appreicate
all the help thus far.
Regards,
Mike
Example Add Entry - http://www.grotan.com/ldap/python-ldap-samples.html
-----Original Message-----
From: Geert Jansen [mailto:[EMAIL PROTECTED]
Sent: Wed 11/7/2007 1:50 PM
To: Michael Ströder
Cc: Mike Matz; [email protected]
Subject: Re: Creating Active Directory Objects
Michael Ströder wrote:
> I vaguely remember that there are some issues with really
activating a
> user entry as a Windows user. But this is not a problem of
accessing AD
> via python-ldap.
>
This indeed rings a bell. You need to create the user as disabled
(look
for userAccountControl on MSDN), set a compliant password, and then
enable him.
Regards,
Geert
--
David Leonard [EMAIL PROTECTED]
Ph:+61 404 844 850
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
