From: Douglas P. <Dou...@NA...> - 2002-11-14 22:35:59

I was wondering if it was possible to change passwords on Active
Directory using Net::LDAP? I've searched quite a bit, and found examples
using JNDI, but I can't seem to make it work using Net::LDAP. If it is
possible, I would be extremely grateful for some sample source, because
I have simply run out of ideas.

Thanks
Douglas Pace

From: Christopher A B. <ca...@tc...> - 2002-11-15 17:47:29

As Douglas Pace once put it so eloquently:

> I was wondering if it was possible to change passwords on Active
> Directory using Net::LDAP? I've searched quite a bit, and found examples
> using JNDI, but I can't seem to make it work using Net::LDAP. If it is
> possible, I would be extremely grateful for some sample source, because
> I have simply run out of ideas.

Heh, this seems to be a FAQ.

There's two requirements for password changes:

(1) You MUST use LDAPS (LDAP over SSL)
(2) You MUST format the password in a particular way (16-bit-wide
    characters, surrounded by literal double-quotes, base64 encoded):

    # now, if there's still a unicodePwd, then UTF-16(?) it
    # and base64 encode it and make sure it gets sent that way.
    $password_for_unicodePwd_attribute = pack "v*", unpack "C*", qq("$password");
    # note: Net::LDAP does the base64 encoding for you

I don't know whether it was just our situation that required it or not,
but you might have to send the update to the primary domain controller
(you can identify it using DNS by looking up the SRV record for
_ldap._tcp.pdc._msdcs.yourdomain.xxx, although that will return the
non-SSL port number; you'll have to override it as 636 for LDAPS).

%%  Christopher A. Bongaarts  %%  ca...@tc...          %%
%%  Internet Services         %%  http://umn.edu/~cab  %%
%%  University of Minnesota   %%  +1 (612) 625-1809    %%

From: Eric S. <eri...@cs...> - 2002-12-11 00:35:40

Hello Gentlemen. I'm trying to set a password in Active Directory via
Net::LDAP. I've been running into trouble for a while now. I've read
both your posts on the subject, and have tried your solutions. Needless
to say, neither of them worked for me.

Here is the code I am currently trying. Christopher Bongaarts's method
yielded the same result.

    ...
    sub MakeUnicodePwd # from Norbert Klasen's post
    {
        my $u = latin1("\"".$_[0]."\"");
        $u->byteswap();
        return $u->ucs2;
    }
    my $pass = MakeUnicodePwd("passw0rd1");
    $result = $ldaps -> modify($dn, replace => [unicodePwd => $pass]);
    print $result -> code()."\n";
    print $result -> error()."\n";

The error I get is

    19
    00002081: AtrErr: DSID-031D0AA0, #1:
    0: 00002081: DSID-031D0AA0, problem 1005 (CONSTRAINT_ATT_TYPE),
    data 0, Att 9005a (unicodePwd)

Constraint violation? Possibly my data is not in the right format? I
have verified that the DN I'm binding as has permission to set the
password. I'm going over SSL (ciphers => "HIGH"). I've tried various
different passwords just to make sure they're not trying to enforce
good passwords at the ldap layer. I'm stumped, any ideas would be very
helpful.

-Eric Stokes

Programmer Analyst,
Information Technology Resources - Middleware Group,
California State University Northridge

From: Chris R. <chr...@ma...> - 2002-12-11 07:13:26

On 11/12/02 12:34 am, Eric Stokes <eri...@cs...> wrote:

> Hello Gentlemen. I'm trying to set a password in Active Directory via
> Net::LDAP. I've been running into trouble for a while now. I've read
> both your posts on the subject, and have tried your solutions. Needless
> to say, neither of them worked for me.
>
> Here is the code I am currently trying. Christopher Bongaarts's method
> yielded the same result.
> ...
> sub MakeUnicodePwd # from Norbert Klasen's post
> {
> my $u = latin1("\"".$_[0]."\"");
> $u->byteswap();
> return $u->ucs2;
> }
> my $pass = MakeUnicodePwd("passw0rd1");
> $result = $ldaps -> modify($dn, replace => [unicodePwd => $pass]);
> print $result -> code()."\n";
> print $result -> error()."\n";
>
> The error I get is
>
> 19
> 00002081: AtrErr: DSID-031D0AA0, #1:
> 0: 00002081: DSID-031D0AA0, problem 1005 (CONSTRAINT_ATT_TYPE),
> data 0, Att 9005a (unicodePwd)
>
> Constraint violation? Possibly my data is not in the right format? I

Maybe, but there are more appropriate errors to return in that case (eg
invalidAttributeSyntax).

Is there a password policy set in the directory somewhere which your
passwords aren't complying with?

Are you binding as v3? The semantics of replace are (subtly!) different
in LDAPv2.

A longer shot this - is unicodePwd single- or multi-valued, and does it
contain a password before your code is run? I've seen constraint
violations returned (from other directories) when trying to add multiple
values to a single-valued attribute. I know "replace" is meant to cope
with all that but...

Cheers,

Chris

From: Eric S. <eri...@CS...> - 2002-12-11 18:49:31

Ok, thanks for your help, the actual solution is rather strange.

This does not work

    $result = $ldaps -> modify($dn, replace => [unicodePwd => $pass]);

While this does work

    $result = $ldaps -> modify($dn, replace => {unicodePwd => $pass});

just a guess, we must be sending a ghost operation when [] are used,
and that is killing the whole transaction. Anyway, thanks again.

-E

On Tuesday, December 10, 2002, at 04:34 PM, Eric Stokes wrote:

> Hello Gentlemen. I'm trying to set a password in Active Directory via
> Net::LDAP. I've been running into trouble for a while now. I've read
> both your posts on the subject, and have tried your solutions.
> Needless to say, neither of them worked for me.
>
> Here is the code I am currently trying. Christopher Bongaarts's method
> yielded the same result.
> ...
> sub MakeUnicodePwd # from Norbert Klasen's post
> {
> my $u = latin1("\"".$_[0]."\"");
> $u->byteswap();
> return $u->ucs2;
> }
> my $pass = MakeUnicodePwd("passw0rd1");
> $result = $ldaps -> modify($dn, replace => [unicodePwd => $pass]);
> print $result -> code()."\n";
> print $result -> error()."\n";
>
> The error I get is
>
> 19
> 00002081: AtrErr: DSID-031D0AA0, #1:
> 0: 00002081: DSID-031D0AA0, problem 1005
> (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
>
> Constraint violation? Possibly my data is not in the right format? I
> have verified that the DN I'm binding as has permission to set the
> password. I'm going over SSL (ciphers => "HIGH"). I've tried various
> different passwords just to make sure they're not trying to enforce
> good passwords at the ldap layer. I'm stumped, any ideas would be very
> helpful.
>
>
> -Eric Stokes
>
> Programmer Analyst,
> Information Technology Resources - Middleware Group,
> California State University Northridge

From: Chris R. <chr...@ma...> - 2002-12-11 19:13:29

On 11/12/02 6:49 pm, Eric Stokes <eri...@CS...> wrote:

> Ok, thanks for your help, the actual solution is rather strange.
>
> This does not work
> $result = $ldaps -> modify($dn, replace => [unicodePwd => $pass]);
>
> While this does work
> $result = $ldaps -> modify($dn, replace => {unicodePwd => $pass});
>
> just a guess, we must be sending a ghost operation when [] are used,
> and that is killing the whole transaction. Anyway, thanks again.

I think I've seen that before - if you use [...] you get a replace with
an empty AttributeTypeAndValues SEQUENCE encoded and sent to the server.

It would be a bug if it did that, as that is not legal in LDAP's ASN.1.

I'll see if I can verify that and rustle a patch up, but I'm kind of
busy ATM.

Cheers,

Chris

From: Graham B. <gb...@po...> - 2002-12-11 19:28:21

On Wed, Dec 11, 2002 at 10:49:20AM -0800, Eric Stokes wrote:

> Ok, thanks for your help, the actual solution is rather strange.
>
> This does not work
> $result = $ldaps -> modify($dn, replace => [unicodePwd => $pass]);
>
> While this does work
> $result = $ldaps -> modify($dn, replace => {unicodePwd => $pass});
>
> just a guess, we must be sending a ghost operation when [] are used,
> and that is killing the whole transaction. Anyway, thanks again.

It's a bug.

In both cases if you replace $pass with [$pass] it should work. This
gets done for you when using a HASH, it should also when using an ARRAY

Graham.

>
> -E
>
> On Tuesday, December 10, 2002, at 04:34 PM, Eric Stokes wrote:
>
> > Hello Gentlemen. I'm trying to set a password in Active Directory via
> > Net::LDAP. I've been running into trouble for a while now. I've
> > read both your posts on the subject, and have tried your solutions.
> > Needless to say, neither of them worked for me.
> >
> > Here is the code I am currently trying. Christopher Bongaarts's
> > method yielded the same result.
> > ...
> > sub MakeUnicodePwd # from Norbert Klasen's post
> > {
> > my $u = latin1("\"".$_[0]."\"");
> > $u->byteswap();
> > return $u->ucs2;
> > }
> > my $pass = MakeUnicodePwd("passw0rd1");
> > $result = $ldaps -> modify($dn, replace => [unicodePwd => $pass]);
> > print $result -> code()."\n";
> > print $result -> error()."\n";
> >
> > The error I get is
> >
> > 19
> > 00002081: AtrErr: DSID-031D0AA0, #1:
> > 0: 00002081: DSID-031D0AA0, problem 1005
> > (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)
> >
> > Constraint violation? Possibly my data is not in the right format?
> > I have verified that the DN I'm binding as has permission to set
> > the password. I'm going over SSL (ciphers => "HIGH"). I've tried
> > various different passwords just to make sure they're not trying to
> > enforce good passwords at the ldap layer. I'm stumped, any ideas
> > would be very helpful.
> >
> >
> > -Eric Stokes
> >
> > Programmer Analyst,
> > Information Technology Resources - Middleware Group,
> > California State University Northridge
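
Added example, not part of the thread and not Net::LDAP's own code: the password format from Christopher's reply and the modify form from Graham's reply, put together in Perl. The names unicode_pwd, set_ad_password and hex_bytes and the sample passwords are assumptions made for illustration; $ldaps is assumed to be an already-bound Net::LDAP object on an LDAPS connection.

```perl
use strict;
use warnings;
use Encode qw(encode decode);

# unicodePwd takes the password wrapped in literal double quotes and encoded
# as 16-bit little-endian characters. Encode works on a Perl character string,
# so it is not limited to one-byte-per-character input.
sub unicode_pwd {
    my ($password) = @_;
    return encode('UTF-16LE', qq("$password"));
}

# Hypothetical wrapper: sends the replace with the value as an array ref
# inside a hash ref, and dies with the server's code and message on failure.
sub set_ad_password {
    my ($ldaps, $dn, $password) = @_;
    my $result = $ldaps->modify($dn,
        replace => { unicodePwd => [ unicode_pwd($password) ] });
    die sprintf("unicodePwd modify failed: %s %s\n", $result->code, $result->error)
        if $result->code;
    return 1;
}

sub hex_bytes { return join ' ', unpack '(H2)*', $_[0] }

# Constructed sample 1: plain ASCII. The pack/unpack idiom from the thread
# and Encode produce identical bytes here.
my $ascii = 'passw0rd1';
my $idiom = pack "v*", unpack "C*", qq("$ascii");
print "ASCII password:   ", hex_bytes(unicode_pwd($ascii)), "\n";
print "same as idiom:    ", (unicode_pwd($ascii) eq $idiom ? "yes" : "no"), "\n";

# Constructed sample 2: "café" held as UTF-8 bytes, as a script reading from
# a UTF-8 terminal or file would have it. The idiom widens each byte
# separately, so the two-byte "é" becomes two 16-bit units. Decoding first
# gives one unit per character.
my $utf8  = "caf\xc3\xa9";
my $wrong = pack "v*", unpack "C*", qq("$utf8");
my $right = unicode_pwd(decode('UTF-8', $utf8));
print "idiom on UTF-8:   ", hex_bytes($wrong), "\n";
print "decode + UTF-16:  ", hex_bytes($right), "\n";
```

The script runs offline and only prints the encoded byte strings; set_ad_password is defined but never called.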