ldap.passwd_s with Active Direcory
Hi,
I'm not sure if this is the right place for this query, but I couldn't
find a python-LDAP-Users list.
I'm trying to modify a user's password on an Windows 2003 Active
directory using passwd_s, however the server is returning the following
error:
{'info': '203D: LdapErr: DSID-0C090C7D, comment: Unknown extended
request OID, data 0, vece', 'desc': 'Protocol error'}
I realise this is a server configuration thing as opposed to a
python-ldap issue, but google hasn't been any help so far. Does anyone
here know what it is I need to enable/change in order to get it to work?
The connection is using ldaps:// on port 636 and I can search the AD and
modify other values eg givenName etc, just not passwords, and I'm
binding as domain administrator.
Thanks
Mike Peters
"This message is intended for the named recipient only and may be
privileged and/or confidential. If you are not the intended or named
recipient or have received this email in error then you should not copy
forward or disclose it to any other persons. If you have received this
email in error you should destroy it and contact the sender so that we
may take appropriate action. The views and opinions expressed in this
email may not represent the views and opinions of Open International
Limited or any of its subsidiaries and are made without prejudice and
subject to contract. The Company Reserves the right to intercept and
review all email communications."
Open International Limited. Registered Office: Buckholt Drive, Warndon,
Worcester, WR4 9SR.
Registered in England. Registered No: 05716519
--
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
___
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
RE: ldap.passwd_s with Active Direcory
Michael,
Thanks for the quick response, much appreciated. I guess I've been barking up
the wrong tree then :)
If I try the alternative method however:
mod_attrs = [( ldap.MOD_REPLACE, 'unicodePwd', 'password' )]
dn = 'CN=Barney Rubble,OU=Users,DC=mydomain,dc=local'
r = l.modify_s(dn, mod_attrs)
I get:
{'info': '001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM),
data 0\n', 'desc': 'Server is unwilling to perform'}
I guess I'm still missing something :(
One thing which may be relevant is if I use l.start_tls_s() before
simple_bind_s, the login fails although without start_tls_s Wireshark shows the
connection to be encrypted.
Thanks again
Mike Peters
> -Original Message-
> From: Michael Ströder [mailto:[email protected]]
> Sent: 04 August 2009 17:29
> To: Mike Peters
> Cc: [email protected]
> Subject: Re: ldap.passwd_s with Active Direcory
>
> [email protected] wrote:
> >
> > I'm not sure if this is the right place for this query, but I
> couldn't
> > find a python-LDAP-Users list.
> >
> > I'm trying to modify a user's password on an Windows 2003 Active
> > directory using passwd_s, however the server is returning the
> following
> > error:
> >
> > {'info': '203D: LdapErr: DSID-0C090C7D, comment: Unknown extended
> > request OID, data 0, vece', 'desc': 'Protocol error'}
> >
> > I realise this is a server configuration thing as opposed to a
> > python-ldap issue, but google hasn't been any help so far. Does
> anyone
> > here know what it is I need to enable/change in order to get it to
> work?
>
> This is because Windows 2003 AD does not support the LDAP Password
> Modify
> Extended Operation (see RFC 3062).
>
> > The connection is using ldaps:// on port 636 and I can search the AD
> and
> > modify other values eg givenName etc, just not passwords, and I'm
> > binding as domain administrator.
>
> There's a MSDN article about how to set attribute unicodePwd via LDAP
> in AD.
>
> Ciao, Michael.
--
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now. http://p.sf.net/sfu/bobj-july
___
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
RE: ldap.passwd_s with Active Direcory
> -Original Message- > From: Michael Ströder [mailto:[email protected]] > Sent: 04 August 2009 18:23 > To: Mike Peters > Cc: [email protected] > Subject: Re: ldap.passwd_s with Active Direcory > > [email protected] wrote: > > > >> There's a MSDN article about how to set attribute unicodePwd via > LDAP > >> in AD. > > > > If I try the alternative method however: > > > > mod_attrs = [( ldap.MOD_REPLACE, 'unicodePwd', 'password' )] > > dn = 'CN=Barney Rubble,OU=Users,DC=mydomain,dc=local' > > r = l.modify_s(dn, mod_attrs) > > > > I get: > > > > {'info': '001F: SvcErr: DSID-031A0FC0, problem 5003 > (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to > perform'} > > > > I guess I'm still missing something :( > > Did you search for the MSDN article? The value has to be in your case > above: > > '"password"'.encode('utf-16-le') > > Note the quotes and the UTF-16 low-endian encoding. > Thanks again for your help. I tried that but to no avail. I still get the same error. Do you know if the fact I'm accessing the server over a VPN would make any difference? Mike Peters -- Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july ___ Python-LDAP-dev mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
RE: ldap.passwd_s with Active Direcory
> -Original Message- > From: Michael Ströder [mailto:[email protected]] > Sent: 05 August 2009 16:11 > To: Mike Peters > Cc: [email protected] > Subject: Re: ldap.passwd_s with Active Direcory > > [email protected] wrote: > > Michael Ströder wrote: > >> Did you search for the MSDN article? The value has to be in your > case > >> above: > >> > >> '"password"'.encode('utf-16-le') > >> > >> Note the quotes and the UTF-16 low-endian encoding. > > > > Thanks again for your help. I tried that but to no avail. I still get > the > > same error. > > It should work. It's the way I've implemented it in web2ldap. You must > use > either LDAPS or StartTLS ext.op. > > You might wanna look what's going on by setting trace_level=2 when > calling > ldap.initialize(). > With trace_level=2 I get the following: In [1]: import ldap In [2]: l = ldap.initialize("ldaps://ad01.demo.local:636", trace_level=2) *** ldaps://ad01.demo.local:636 - SimpleLDAPObject.set_option ((17, 3),{}) In [3]: l.simple_bind_s(u'u...@addemo', u'secret') *** ldaps://ad01.demo.local:636 - SimpleLDAPObject.simple_bind ((u'u...@addemo', u'secret', None, None),{}) => result: 1 *** ldaps://ad01.demo.local:636 - SimpleLDAPObject.result3 ((1, 1, -1),{}) => result: (97, [], 1, []) Out[3]: (97, []) In [4]: mod_attrs = [( ldap.MOD_REPLACE, 'unicodePwd', '"password"'.encode('utf-16-le') )] In [5]: dn = 'CN=Barney Rubble,OU=Users,OU=ADDEMO,DC=demo,DC=local' In [6]: r = l.modify_s(dn, mod_attrs)*** ldaps://ad01.demo.local:636 - SimpleLDAPObject.modify_ext (('CN=Barney Rubble,OU=Users,OU=ADDEMO,DC=demo,DC=local', [(2, 'unicodePwd', '"\x00p\x00a\x00s\x00s\x00w\x00o\x00r\x00d\x00"\x00')], None, None),{}) => result: 2 *** ldaps://ad01.demo.local:636 - SimpleLDAPObject.result3 ((2, 1, -1),{}) => LDAPError - UNWILLING_TO_PERFORM: {'info': '052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perform'} ERROR: An unexpected error occurred while tokenizing input The following traceback may be corrupted or invalid The error message is: ('EOF in multi-line statement', (134, 0)) --- UNWILLING_TO_PERFORM Traceback (most recent call last) /home/django/pplace/ in () /usr/lib/python2.5/site-packages/ldap/ldapobject.pyc in modify_s(self, dn, modlist) 326 def modify_s(self,dn,modlist): 327 msgid = self.modify(dn,modlist) --> 328 return self.result(msgid,all=1,timeout=self.timeout) 329 330 def modrdn(self,dn,newrdn,delold=1): /usr/lib/python2.5/site-packages/ldap/ldapobject.pyc in result(self, msgid, all, timeout) 426 polling (timeout = 0), in which case (None, None) is returned. 427 """ --> 428 res_type,res_data,res_msgid = self.result2(msgid,all,timeout) 429 return res_type,res_data 430 /usr/lib/python2.5/site-packages/ldap/ldapobject.pyc in result2(self, msgid, all, timeout) 430 431 def result2(self,msgid=_ldap.RES_ANY,all=1,timeout=None): --> 432 res_type, res_data, res_msgid, srv_ctrls = self.result3(msgid,all,timeout) 433 return res_type, res_data, res_msgid 434 /usr/lib/python2.5/site-packages/ldap/ldapobject.pyc in result3(self, msgid, all, timeout) 436 if timeout is None: 437 timeout = self.timeout --> 438 ldap_result = self._ldap_call(self._l.result3,msgid,all,timeout) 439 if ldap_result is None: 440 rtype, rdata, rmsgid, decoded_serverctrls = (None,None,None,None) /usr/lib/python2.5/site-packages/ldap/ldapobject.pyc in _ldap_call(self, func, *args, **kwargs) 94 try: 95 try: ---> 96 result = func(*args,**kwargs) 97 finally: 98 self._ldap_object_lock.release() UNWILLING_TO_PERFORM: {'info': '052D: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perform'} Does the encoded password look right? Thanks Mike Peters -- Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july ___ Python-LDAP-dev mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
RE: ldap.passwd_s with Active Direcory
> -Original Message- > From: Michael Ströder [mailto:[email protected]] > Sent: 06 August 2009 00:49 > To: Mike Peters > Cc: [email protected] > Subject: Re: ldap.passwd_s with Active Direcory > > [email protected] wrote: > > *** ldaps://ad01.demo.local:636 - SimpleLDAPObject.simple_bind > ((u'u...@addemo', u'secret', None, None),{}) > > First of all you should not pass Unicode strings to python-ldap. That's > not a > problem for the actual values you used though in this example but in > general > up to now python-ldap only receives raw strings as arguments. OK, thanks. I'll bear that in mind. > > > In [4]: mod_attrs = [( ldap.MOD_REPLACE, 'unicodePwd', > '"password"'.encode('utf-16-le') )] > > In [5]: dn = 'CN=Barney Rubble,OU=Users,OU=ADDEMO,DC=demo,DC=local' > > > > In [6]: r = l.modify_s(dn, mod_attrs)*** ldaps://ad01.demo.local:636 > - SimpleLDAPObject.modify_ext (('CN=Barney > Rubble,OU=Users,OU=ADDEMO,DC=demo,DC=local', [(2, 'unicodePwd', > '"\x00p\x00a\x00s\x00s\x00w\x00o\x00r\x00d\x00"\x00')], None, None),{}) > > Unfortunately I can't tell whether > u...@addemo and CN=Barney Rubble,OU=Users,OU=ADDEMO,DC=demo,DC=local > are the same AD user entry. > > I vaguely remember that when setting your own password you have to > explicitly > delete the old one and add the new one. Dig for the MSDN article. > No, I'm using a different user. I've tried a couple of different users including Administrator in case it is user permissions. I've looked at the MSDN article and can't see anything in there different. Thanks Mike Peters -- Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july ___ Python-LDAP-dev mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
