From: Christopher A B. <ca...@tc...> - 2001-07-03 20:39:19
As Dave Mills once put it so eloquently:

> On the same note, has anyone been able to get password changing using
> Net::LDAP working against AD?  I have been able to get it working
> via a C program running on FreeBSD, but I haven't been able to get the
> password change (NOT password set) functionality to work.  According to
> http://support.microsoft.com/support/kb/articles/Q269/1/90.ASP?LN=EN-US&SD=gn&FR=0&qry=change%20password%20ldap&rnk=3&src=DHCS_MSPSS_gn_SRCH&SPR=WIN2000
> you have to have a delete and add operation in a single modify
> request.  I'm using 128-bit SSL encryption and formatting the data as
> the article specified....  Any tips would be appreciated.

The article is correct in that you have to have an SSL connection
(Net::LDAPS works great), but it lies about only working in certain
operations.  I've had it succeed in entry-adds and entry-modifies with
other attributes.

You *do* have to format it the way they want, though; quoted and in
UTF-16(?) format (16 bits per character, little-endian):

    # done; now, if there's still a unicodePwd, then UTF-16(?) it
    # and base64 encode it and make sure it gets sent that way.
    my $opw = $entry->get_value('unicodePwd'); # plaintext actual pw
    if (defined $opw) {
        my $upw = pack "v*", unpack "C*", qq("$opw");
        &change_changes($entry, 'replace', 'unicodePwd', $upw);
    }

Failing to do this results in an error (probably WILL_NOT_PERFORM or
CONSTRAINT_ATT_TYPE).  This is assuming you're doing it with
Administratorish permissions, too; all bets are off if you're binding as
the user.

%% Christopher A. Bongaarts %% ca...@tc... %%
%% Internet Services %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
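
An added example, not code from the original post: the quoted, 16-bit little-endian encoding described above, done with Encode so that non-ASCII passwords are covered, together with the delete-and-add change list the quoted question refers to, in the form Net::LDAP's `modify` accepts. The sub names, the sample passwords and the `change_password` wrapper are assumptions; the script makes no directory connection.

```perl
use strict;
use warnings;
use Encode qw(encode);

# unicodePwd value: the password in double quotes, as UTF-16LE with no BOM.
# $plaintext must be a Perl character string (already decoded).
sub encode_unicode_pwd {
    my ($plaintext) = @_;
    return encode('UTF-16LE', qq("$plaintext"));
}

# The pack/unpack idiom from the post: widens each byte to a 16-bit LE unit.
sub encode_bytewise {
    my ($bytes) = @_;
    return pack 'v*', unpack 'C*', qq("$bytes");
}

# Password *change*: delete of the old value and add of the new one,
# both in a single modify request.
sub password_change_ops {
    my ($old, $new) = @_;
    return [
        delete => [ unicodePwd => encode_unicode_pwd($old) ],
        add    => [ unicodePwd => encode_unicode_pwd($new) ],
    ];
}

# Hypothetical wrapper: $ldap is a bound Net::LDAPS object, $dn the user's DN.
sub change_password {
    my ($ldap, $dn, $old, $new) = @_;
    my $mesg = $ldap->modify($dn, changes => password_change_ops($old, $new));
    die 'password change failed: ' . $mesg->error . "\n" if $mesg->code;
    return 1;
}

# Constructed sample passwords; no directory connection is made here.
my $ascii = 'Old-Passw0rd';
my $wide  = "N\x{e9}w-P\x{20ac}ss1";    # contains e-acute and the euro sign
my $utf8  = encode('UTF-8', $wide);      # the same password as raw UTF-8 bytes

printf "ascii   : %s\n", unpack 'H*', encode_unicode_pwd($ascii);
printf "idiom ok: %s\n",
    encode_bytewise($ascii) eq encode_unicode_pwd($ascii) ? 'yes' : 'no';
printf "utf8 in : %s\n",
    encode_bytewise($utf8) eq encode_unicode_pwd($wide) ? 'same' : 'differs';
my @ops = @{ password_change_ops($ascii, $wide) };
printf "ops     : %s\n", join ' then ', @ops[0, 2];
```

The byte-widening idiom matches UTF-16LE for ASCII and Latin-1 input; when the password arrives as raw UTF-8 bytes with non-ASCII characters, decode it first and use the Encode path.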