From: Dave M. <dm...@ju...> - 2001-07-03 20:20:16

On the same note, has anyone been able to get password changing using
Net::LDAP working against AD? I have been able to get it working via a C
program running on FreeBSD, but I haven't been able to get the password
change (NOT password set) functionality to work. According to
http://support.microsoft.com/support/kb/articles/Q269/1/90.ASP?LN=EN-US&SD=gn&FR=0&qry=change%20password%20ldap&rnk=3&src=DHCS_MSPSS_gn_SRCH&SPR=WIN2000
you have to have a delete and add operation in a single modify request.
I'm using 128-bit SSL encryption and formatting the data as the article
specified.... Any tips would be appreciated.

Thanks,
Dave

> -----Original Message-----
> From: Graham Barr [mailto:gb...@po...]
> Sent: Tuesday, July 03, 2001 12:22 PM
> To: Christopher A Bongaarts
> Cc: per...@li...
> Subject: Re: changing Net::LDAP::Entry changes
>
> You could dive into the changes structure directly, but I
> would not recommend it.
>
> If it is just attribute names that need changing, why not
> write a filter script which reads the ldif and outputs a
> modified ldif file for use with Active Directory ?
>
> Graham.
>
> On Thu, Jun 28, 2001 at 05:27:00PM -0500, Christopher A Bongaarts wrote:
> > The situation: we're populating MS Active Directory from a UNIX box
> > using LDAPS. Our strategy is:
> >
> > (1) Read changes from an LDIF-formatted file using Net::LDAP::LDIF's
> >     read_cmd() method
> > (2) Tweak the changes to make them work with Active Directory
> > (3) Send the changes to AD using Net::LDAP::Entry's update() method
> >
> > (1) and (3) work beautifully. (2) has become the stumbling block,
> > specifically for "modify" requests.
> >
> > Active Directory is particular about the format of the unicodePwd
> > attribute. So I'm taking the value from the LDIF file and converting
> > it to the format that AD wants, then using Net::LDAP::Entry::replace()
> > to ditch the old value and plug in the new one. Unfortunately, this
> > results in the internal "changes" array having *two* replace
> > operations: the original replace operation read in from the LDIF file,
> > and the new one I put in there. AD barfs on the first one as
> > expected.
> >
> > What I really want to do is "change the changes", not add a new change
> > to the list of changes. My temporary workaround will likely be to
> > muck with the "changes" array directly. But I'm open to better
> > solutions. I see there is an (undocumented?) "changes" method that
> > returns the contents of the changes array. Perhaps if it returned a
> > reference to the array I could muck with it without depending on the
> > internal representation of the Entry object.
> >
> > %%  Christopher A. Bongaarts  %%  ca...@tc...          %%
> > %%  Internet Services         %%  http://umn.edu/~cab  %%
> > %%  University of Minnesota   %%  +1 (612) 625-1809    %%

From: Graham B. <gb...@po...> - 2001-07-03 20:35:05

Try this

  $ldap->modify($DN,
    changes => [
      delete => [$attr => []],
      add => [ $attr => $value ]
    ]
  );

There is an explanation of this in the pod

Graham.

On Tue, Jul 03, 2001 at 01:20:10PM -0700, Dave Mills wrote:
> On the same note, has anyone been able to get password changing using
> Net::LDAP working against AD? I have been able to get it working
> via a C program running on FreeBSD, but I haven't been able to get the
> password change (NOT password set) functionality to work. According to
> http://support.microsoft.com/support/kb/articles/Q269/1/90.ASP?LN=EN-US&SD=gn&FR=0&qry=change%20password%20ldap&rnk=3&src=DHCS_MSPSS_gn_SRCH&SPR=WIN2000
> you have to have a delete and add operation in a single modify
> request. I'm using 128-bit SSL encryption and formatting the data as
> the article specified.... Any tips would be appreciated.
>
> Thanks,
> Dave
>
> > -----Original Message-----
> > From: Graham Barr [mailto:gb...@po...]
> > Sent: Tuesday, July 03, 2001 12:22 PM
> > To: Christopher A Bongaarts
> > Cc: per...@li...
> > Subject: Re: changing Net::LDAP::Entry changes
> >
> > You could dive into the changes structure directly, but I
> > would not recommend it.
> >
> > If it is just attribute names that need changing, why not
> > write a filter script which reads the ldif and outputs a
> > modified ldif file for use with Active Directory ?
> >
> > Graham.
> >
> > On Thu, Jun 28, 2001 at 05:27:00PM -0500, Christopher A Bongaarts wrote:
> > > The situation: we're populating MS Active Directory from a UNIX box
> > > using LDAPS. Our strategy is:
> > >
> > > (1) Read changes from an LDIF-formatted file using Net::LDAP::LDIF's
> > >     read_cmd() method
> > > (2) Tweak the changes to make them work with Active Directory
> > > (3) Send the changes to AD using Net::LDAP::Entry's update() method
> > >
> > > (1) and (3) work beautifully. (2) has become the stumbling block,
> > > specifically for "modify" requests.
> > >
> > > Active Directory is particular about the format of the unicodePwd
> > > attribute. So I'm taking the value from the LDIF file and converting
> > > it to the format that AD wants, then using Net::LDAP::Entry::replace()
> > > to ditch the old value and plug in the new one. Unfortunately, this
> > > results in the internal "changes" array having *two* replace
> > > operations: the original replace operation read in from the LDIF file,
> > > and the new one I put in there. AD barfs on the first one as
> > > expected.
> > >
> > > What I really want to do is "change the changes", not add a new change
> > > to the list of changes. My temporary workaround will likely be to
> > > muck with the "changes" array directly. But I'm open to better
> > > solutions. I see there is an (undocumented?) "changes" method that
> > > returns the contents of the changes array. Perhaps if it returned a
> > > reference to the array I could muck with it without depending on the
> > > internal representation of the Entry object.
> > >
> > > %%  Christopher A. Bongaarts  %%  ca...@tc...          %%
> > > %%  Internet Services         %%  http://umn.edu/~cab  %%
> > > %%  University of Minnesota   %%  +1 (612) 625-1809    %%

From: Christopher A B. <ca...@tc...> - 2001-07-03 20:43:48

As Graham Barr once put it so eloquently:
> $ldap->modify($DN,
>   changes => [
>     delete => [$attr => []],
>     add => [ $attr => $value ]
>   ]
> );
[...]

Actually, this inspired me to a more "correct" solution for my problem
below: instead of doing $entry->update, do something like

  my @changes = $entry->changes();
  &munge_changes(\@changes);
  $ldap->modify($entry, changes => \@changes);

> > > > What I really want to do is "change the changes", not add a new change
> > > > to the list of changes. My temporary workaround will likely be to
> > > > muck with the "changes" array directly. But I'm open to better
> > > > solutions. I see there is an (undocumented?) "changes" method that
> > > > returns the contents of the changes array. Perhaps if it returned a
> > > > reference to the array I could muck with it without depending on the
> > > > internal representation of the Entry object.

%%  Christopher A. Bongaarts  %%  ca...@tc...          %%
%%  Internet Services         %%  http://umn.edu/~cab  %%
%%  University of Minnesota   %%  +1 (612) 625-1809    %%

From: Christopher A B. <ca...@tc...> - 2001-07-03 20:39:19

As Dave Mills once put it so eloquently:
> On the same note, has anyone been able to get password changing using
> Net::LDAP working against AD? I have been able to get it working
> via a C program running on FreeBSD, but I haven't been able to get the
> password change (NOT password set) functionality to work. According to
> http://support.microsoft.com/support/kb/articles/Q269/1/90.ASP?LN=EN-US&SD=gn&FR=0&qry=change%20password%20ldap&rnk=3&src=DHCS_MSPSS_gn_SRCH&SPR=WIN2000
> you have to have a delete and add operation in a single modify
> request. I'm using 128-bit SSL encryption and formatting the data as
> the article specified.... Any tips would be appreciated.

The article is correct in that you have to have an SSL connection
(Net::LDAPS works great), but it lies about only working in certain
operations. I've had it succeed in entry-adds and entry-modifies with
other attributes.

You *do* have to format it the way they want, though; quoted and in
UTF-16(?) format (16 bits per character, little-endian):

  # done; now, if there's still a unicodePwd, then UTF-16(?) it
  # and base64 encode it and make sure it gets sent that way.
  my $opw = $entry->get_value('unicodePwd'); # plaintext actual pw
  if (defined $opw) {
    my $upw = pack "v*", unpack "C*", qq("$opw");
    &change_changes($entry, 'replace', 'unicodePwd', $upw);
  }

Failing to do this results in an error (probably WILL_NOT_PERFORM or
CONSTRAINT_ATT_TYPE).

This is assuming you're doing it with Administratorish permissions,
too; all bets are off if you're binding as the user.

%%  Christopher A. Bongaarts  %%  ca...@tc...          %%
%%  Internet Services         %%  http://umn.edu/~cab  %%
%%  University of Minnesota   %%  +1 (612) 625-1809    %%
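
Added example (not part of the thread, and not Net::LDAP's own code): the unicodePwd encoding and the "change the changes" idea from the messages above, runnable offline because it only builds the list that would be handed to modify(). The sub names, the sample values and the changes-list layout are assumptions, as is the delete carrying the current password, which the thread does not spell out.

```perl
use strict;
use warnings;
use Encode qw(encode);

# AD wants unicodePwd as the double-quoted password in UTF-16LE. Encode copes
# with non-ASCII characters, which a byte-wise pack "v*" does not.
sub ad_unicode_pwd {
    my ($plain) = @_;
    return encode('UTF-16LE', qq("$plain"));
}

# Return a rewritten copy of a changes list instead of appending a second
# replace. Assumed layout, as passed to modify(changes => ...):
#   op => [ attr => value_or_arrayref, ... ], op => [ ... ], ...
sub munge_changes {
    my @todo = @_;
    my @out;
    while (my ($op, $pairs) = splice(@todo, 0, 2)) {
        my @in = @$pairs;
        my @pairs_out;
        while (my ($attr, $val) = splice(@in, 0, 2)) {
            if (lc($attr) eq 'unicodepwd') {
                my @vals = ref $val ? @$val : ($val);
                $val = [ map { ad_unicode_pwd($_) } @vals ];
            }
            push @pairs_out, $attr, $val;
        }
        push @out, $op, \@pairs_out;
    }
    return @out;
}

# Password change (not set): delete the old value and add the new one in a
# single modify request (assumption: the delete carries the current password).
sub password_change_ops {
    my ($old, $new) = @_;
    return (
        delete => [ unicodePwd => [ ad_unicode_pwd($old) ] ],
        add    => [ unicodePwd => [ ad_unicode_pwd($new) ] ],
    );
}

# Constructed sample of what $entry->changes() might hold after read_cmd().
my @changes = (replace => [ unicodePwd => ["P\x{e4}ss-w0rd"], description => ['x'] ]);
my @fixed = munge_changes(@changes);
printf "%s %s: %s\n", $fixed[0], $fixed[1][0], unpack('H*', $fixed[1][1][0]);
my @ops = password_change_ops('old-pw', 'new-pw');
printf "%s then %s, one request\n", @ops[0, 2];
# With a bound Net::LDAPS handle: $ldap->modify($dn, changes => \@fixed);
```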