David Leonard wrote:
> 
> As far as I understand it, the unicodePwd attribute is the NT hash of
> the user's password.

I don't think so when setting it. Maybe it contains the NT hash
afterwards, but conversion is probably done internally.

http://support.microsoft.com/kb/269190

It seems you need to combine ldap.MOD_DELETE with old password and
ldap.MOD_ADD with new password when setting unicodePwd yourself and
ldap.MOD_REPLACE when setting it for another account. Additionally you
have to use quotes around it. And furthermore it has to be
UTF-16-encoded (low endian). MS docs are usually poorly written.

> Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's
> LDAP. It should be a lot easier to manage than SSL certs.

The SSL certs are not used to bind to AD in this case. Rather they are
just used to connect over SSL (ldaps://).

Ciao, Michael.

_______________________________________________
Python-LDAP-dev mailing list
Python-LDAP-dev@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
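
The modification lists described in the reply above, as an added example that is not part of the original message or of python-ldap itself. The helper names are hypothetical, and the numeric fallbacks for the `MOD_*` constants assume python-ldap may not be installed (they are the LDAP protocol's own operation codes).

```python
try:
    import ldap  # python-ldap
    MOD_ADD, MOD_DELETE, MOD_REPLACE = ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE
except ImportError:
    # Assumption: python-ldap is absent; these are the LDAP modify op codes.
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def encode_unicode_pwd(password):
    """Return the value AD expects: the password in double quotes, UTF-16 little endian.

    The "utf-16-le" codec is used on purpose: plain "utf-16" prepends a
    byte-order mark, which would become part of the submitted value.
    """
    if not password:
        raise ValueError("password must not be empty")
    return ('"%s"' % password).encode("utf-16-le")


def change_own_password_modlist(old_password, new_password):
    """User changes their own password: delete the old value, add the new one."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def reset_password_modlist(new_password):
    """Setting the password of another account: a single replace."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


def apply_modlist(conn, dn, modlist):
    """Send all modifications in one request.

    conn is assumed to be a python-ldap connection already bound over
    ldaps://, as discussed in the thread.
    """
    return conn.modify_s(dn, modlist)


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    print(change_own_password_modlist("Old-Example-1", "New-Example-2"))
    print(reset_password_modlist("New-Example-2"))
```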
