AD password change with Net::LDAP

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On the same note, has anyone been able to get password changing using
Net::LDAP working against AD?  I have been able able to get it working
via a C program running on FreeBSD, but I haven't been able to get the
password change (NOT password set) functionality to work.  According to
http://support.microsoft.com/support/kb/articles/Q269/1/90.ASP?LN=3DEN-US=
&
SD=3Dgn&FR=3D0&qry=3Dchange%20password%20ldap&rnk=3D3&src=3DDHCS_MSPSS_gn=
_SRCH&SPR
=3DWIN2000 you have to have a delete and add operation in a single =
modify
request.  I'm using 128-bit SSL encryption and formatting the data as
the article specified....  Any tips would be appreciated.

Thanks,
Dave

> -----Original Message-----
> From: Graham Barr [mailto:gb...@po...]=20
> Sent: Tuesday, July 03, 2001 12:22 PM
> To: Christopher A Bongaarts
> Cc: per...@li...
> Subject: Re: changing Net::LDAP::Entry changes
>=20
>=20
> You could dive into the changes structure directly, but I=20
> would not reccomentd it.
>=20
> If it is just attribute names that need changing, why not=20
> write a filter script which reads the ldif and outputs a=20
> modified ldif file for use with Active Directory ?
>=20
> Graham.
>=20
> On Thu, Jun 28, 2001 at 05:27:00PM -0500, Christopher A=20
> Bongaarts wrote:
> > The situation: we're populating MS Active Directory from a UNIX box=20
> > using LDAPS.  Our strategy is:
> >=20
> > (1) Read changes from an LDIF-formatted file using Net::LDAP::LDIF's
> >     read_cmd() method
> > (2) Tweak the changes to make them work with Active Directory
> > (3) Send the changes to AD using Net::LDAP::Entry's update() method
> >=20
> > (1) and (3) work beautifully.  (2) has become the stumbling block,=20
> > specifically for "modify" requests.
> >=20
> > Active Directory is particular about the format of the unicodePwd=20
> > attribute.  So I'm taking the value from the LDIF file and=20
> converting=20
> > it to the format that AD wants, then using=20
> Net::LDAP::Entry::replace()=20
> > to ditch the old value and plug in the new one. =20
> Unfortunately, this=20
> > results in the internal "changes" array having *two* replace
> > operations: the original replace operation read in from the=20
> LDIF file,
> > and the new one I put in there.  AD barfs on the first one as
> > expected.
> >=20
> > What I really want to do is "change the changes", not add a=20
> new change
> > to the list of changes.  My temporary workaround will likely be to
> > muck with the "changes" array directly.  But I'm open to better
> > solutions.  I see there is an (undocumented?) "changes" method that
> > returns the contents of the changes array.  Perhaps if it returned a
> > reference to the array I could muck with it without depending on the
> > internal representation of the Entry object.
> >=20
> > %%  Christopher A. Bongaarts  %%  ca...@tc...       %%
> > %%  Internet Services         %%  http://umn.edu/~cab  %%
> > %%  University of Minnesota   %%  +1 (612) 625-1809    %%
> >=20
>=20
>=20