
RE: Can't change passwd in AD 2008 R2

From:
Dan Cutler
Date:
April 28, 2011 13:01
Subject:
RE: Can't change passwd in AD 2008 R2
Message ID:
3B33D1C9C9B5764B97DBFEB1186555840580D2@DSM-Mail01.dsm.net
Prentice,

Try using LDAPS.  The setup for this isn't terribly easy but once you've got the keys in place, AD seems more friendly.

From my understanding, AD will only let you make "security related" changes over secured (encrypted) connections (the -Z switch below)...

i.e.: ldapmodify -c -x -D "CN=ldap Admin,OU=ServiceAccounts,DC=mycompany,DC=com" -w 'supersecretpw' -f new_users_pw.ldif -H ldaps://dc01.mycompany.com -Z

I typically write perl code to create LDIF files, then use "ldapmodify" with wire encryption.

If I don't use encryption, AD rejects all security related changes.

Hope that helps.

--Dan

-----Original Message-----
From: Prentice Bisbal [mailto:prentice@ias.edu] 
Sent: Thursday, April 28, 2011 3:07 PM
To: perl-ldap@perl.org
Subject: Can't change passwd in AD 2008 R2

We recently updated our Active Directory servers to 2008 R2. I had a
perl script that would change a user's password in OpenLDAP and Active
Directory at the same time. This was working fine until the update. I
can still change a user's password when I bind as an AD administrator,
but not as a normal user. Has anyone else here gone through this?

I know that the behavior of replacing a password is different whether
you are an administrator or regular user changing your own password, as
documented here:

http://support.microsoft.com/?kbid=269190

I wrote this code based on the above link:

# AD doesn't allow non-admin users to replace their password.
# Instead, it must be deleted and re-added. Administrators can only
# replace a password.
if ($username ne getlogin()) {
    # Bound as an administrator: a single replace of unicodePwd.
    $mesg = $ad->modify($ad_user_dn, replace => { unicodePwd => $newUnicodePwd });
} else {
    # Bound as the user: try a delete first, fall back to replace on error.
    $mesg = $ad->modify($ad_user_dn, delete => { unicodePwd => $newUnicodePwd });
    $code = $mesg->code;
    if ($code != 0) {
        $mesg = $ad->modify($ad_user_dn, replace => { unicodePwd => $newUnicodePwd });
    }
}

This worked just fine until the upgrade to 2008 R2. Any ideas?

-- 
Prentice
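
Added illustration of Dan's advice, not code from either poster: a Net::LDAP script that connects over LDAPS with certificate verification and performs the two unicodePwd modify shapes that KB 269190 describes (delete old value + add new value for a self-service change, replace for an administrative reset), encoding each value as a quoted UTF-16LE string. The host name, CA bundle path, DNs and passwords are placeholders.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);
use Encode qw(encode);

# AD stores unicodePwd as the password wrapped in double quotes and
# encoded UTF-16LE (the encoding KB 269190 describes).
sub ad_pwd_value {
    my ($plain) = @_;
    return encode('UTF-16LE', qq("$plain"));
}

# LDAPS with certificate verification; AD refuses unicodePwd writes on
# an unencrypted connection. Host and CA bundle path are assumptions.
sub ad_connect {
    my ($host, $cafile) = @_;
    my $ldap = Net::LDAP->new("ldaps://$host", verify => 'require', cafile => $cafile)
        or die "LDAPS connect to $host failed: $@";
    return $ldap;
}

# Self-service change: bind as the user, then delete the OLD value and
# add the NEW value in one modify. AD verifies the old value; that is
# what distinguishes a user's change from an administrative reset.
sub change_own_password {
    my ($ldap, $user_dn, $old_plain, $new_plain) = @_;
    my $mesg = $ldap->bind($user_dn, password => $old_plain);
    die "bind as $user_dn failed: " . $mesg->error if $mesg->code != LDAP_SUCCESS;
    return $ldap->modify($user_dn, changes => [
        delete => [ unicodePwd => ad_pwd_value($old_plain) ],
        add    => [ unicodePwd => ad_pwd_value($new_plain) ],
    ]);
}

# Administrative reset: bind with an account that has reset rights and
# replace the value outright; no old password is needed.
sub reset_password {
    my ($ldap, $admin_dn, $admin_pw, $user_dn, $new_plain) = @_;
    my $mesg = $ldap->bind($admin_dn, password => $admin_pw);
    die "bind as $admin_dn failed: " . $mesg->error if $mesg->code != LDAP_SUCCESS;
    return $ldap->modify($user_dn, replace => { unicodePwd => ad_pwd_value($new_plain) });
}

# Usage (all values are placeholders):
my $ldap = ad_connect('dc01.example.com', '/etc/ssl/certs/ad-ca.pem');
my $res  = change_own_password($ldap, 'CN=jdoe,OU=Users,DC=example,DC=com', 'OldPw1!', 'NewPw2!');
print $res->code == LDAP_SUCCESS ? "password changed\n" : "failed: " . $res->error . "\n";
$ldap->unbind;
```

If the modify fails, `$res->error` carries the DC's reason text; an unencrypted connection or a policy rejection of the new value both surface there rather than as a transport error.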
