It's well documented. AD won't allow you to change a password over LDAP
389.
Enabling SSL LDAP is quite easy. Simply make one of the domain controllers
a Certificate Authority. That automatically turns on LDAPS on all DCs.
--
Justin B. Alcorn
The views expressed here are not necessarily my ow

I am doing things much the same way Dan is. Using the Net::LDAP::LDIF modules to
create LDIF to update AD via ldapadd/modify. I use Kerberos authentication
so I don't have to worry about using SSL.
Microsoft has a simple guide for setting up SSL on a DC -
http://support.microsoft.com/kb/3210
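
An added example, not code from either poster: a Python sketch of the LDIF record such a script would hand to ldapmodify for an AD password reset, with a guard that refuses any non-LDAPS URI. The DN, host name and password are constructed sample values, and the function names are hypothetical.

```python
import base64
from urllib.parse import urlparse


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def ldif_line(attr: str, value: bytes) -> str:
    """Emit 'attr: value' when LDIF-safe, otherwise base64 'attr:: value'."""
    safe = (
        all(0x20 <= b < 0x7F for b in value)
        and not value.startswith((b" ", b":", b"<"))
        and not value.endswith(b" ")
    )
    if safe:
        return f"{attr}: {value.decode('ascii')}"
    return f"{attr}:: {base64.b64encode(value).decode('ascii')}"


def password_reset_ldif(dn: str, password: str) -> str:
    """LDIF modify record replacing unicodePwd (an administrative reset)."""
    return "\n".join([
        ldif_line("dn", dn.encode("utf-8")),
        "changetype: modify",
        "replace: unicodePwd",
        # UTF-16LE always contains NUL bytes, so this line is always base64.
        ldif_line("unicodePwd", encode_unicode_pwd(password)),
        "-",
        "",
    ])


def require_ldaps(uri: str) -> str:
    """Refuse to send the record over anything but ldaps://."""
    if urlparse(uri).scheme != "ldaps":
        raise ValueError(f"refusing password change over {uri!r}: not ldaps://")
    return uri


if __name__ == "__main__":
    # Constructed sample DN, host and password; not taken from the thread.
    print("# target:", require_ldaps("ldaps://dc1.example.com"))
    print(password_reset_ldif("CN=Test User,OU=Staff,DC=example,DC=com",
                              "N3w-Passw0rd!"))
```

The output contains the new password in a trivially reversible encoding, so it should be piped straight to ldapmodify rather than written to disk.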