From: Russell J. <ra...@cs...> - 2009-08-05 15:33:16
Mik...@op... wrote:
>> -----Original Message-----
>> From: Michael Ströder [mailto:mi...@st...]
>> Sent: 04 August 2009 18:23
>> To: Mike Peters
>> Cc: pyt...@li...
>> Subject: Re: ldap.passwd_s with Active Direcory
>>
>> Mik...@op... wrote:
>>>> There's a MSDN article about how to set attribute unicodePwd via LDAP
>>>> in AD.
>>> If I try the alternative method however:
>>>
>>> mod_attrs = [( ldap.MOD_REPLACE, 'unicodePwd', 'password' )]
>>> dn = 'CN=Barney Rubble,OU=Users,DC=mydomain,dc=local'
>>> r = l.modify_s(dn, mod_attrs)
>>>
>>> I get:
>>>
>>> {'info': '0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perform'}
>>> I guess I'm still missing something :(
>> Did you search for the MSDN article? The value has to be in your case
>> above:
>>
>> '"password"'.encode('utf-16-le')
>>
>> Note the quotes and the UTF-16 low-endian encoding.
>>
>
> Thanks again for your help. I tried that but to no avail. I still get the same error. Do you know if the fact I'm accessing the server over a VPN would make any difference?
>

For what it's worth, this is the working code I use to set the password. I didn't realize you could use the -le suffix to get an encoding without the byte order mark which I've just been stripping off. The example posted above should be equivalent.

    ldap_conn.modify_s(dn, [
        (
            ldap.MOD_REPLACE,
            'unicodePwd',
            ''.join(('"', pwd, '"')).encode('utf-16').lstrip('\377\376'),
        )
    ])

Another thing to note is that the connection must be under a TLS layer.

--
Russell A. Jackson <ra...@cs...>
Network Analyst
California State University, Bakersfield

Excellent day to have a rotten day.
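The following is an added example, not code from this thread or from python-ldap: a Python 3 encoder for the unicodePwd value format described above, plus a checker that reports why a candidate value is malformed (plain text, byte order mark, big-endian, missing quotes). The function names are hypothetical, and MOD_REPLACE is inlined with the numeric value of ldap.MOD_REPLACE so the block runs without python-ldap installed.

```python
import codecs

MOD_REPLACE = 2  # numeric value of ldap.MOD_REPLACE, inlined so this runs without python-ldap
QUOTE_LE = '"'.encode("utf-16-le")  # b'"\x00'


def encode_unicode_pwd(password):
    """Quoted, UTF-16 little-endian, no byte order mark, as described in the thread."""
    if not isinstance(password, str):
        raise TypeError("password must be text, not bytes")
    # An explicit -le codec never emits a BOM and does not depend on host byte order.
    return ('"' + password + '"').encode("utf-16-le")


def diagnose_unicode_pwd(value):
    """Return the reasons a candidate unicodePwd value is malformed ([] means well-formed)."""
    if not isinstance(value, bytes):
        return ["value is text, not encoded bytes"]
    problems = []
    if value[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        problems.append("starts with a byte order mark")
        value = value[2:]
    if len(value) % 2:
        return problems + ["odd length, not UTF-16"]
    if value[:2] == QUOTE_LE[::-1]:
        problems.append("big-endian byte order")
    elif len(value) < 4 or value[:2] != QUOTE_LE or value[-2:] != QUOTE_LE:
        problems.append("not a double-quoted UTF-16-LE string")
    return problems


def build_modlist(password):
    """Modify list in the shape passed to modify_s() in the thread."""
    return [(MOD_REPLACE, "unicodePwd", encode_unicode_pwd(password))]


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for candidate in (b"password", '"password"'.encode("utf-16-be"),
                      codecs.BOM_UTF16_LE + encode_unicode_pwd("password"),
                      encode_unicode_pwd("password")):
        print(candidate, diagnose_unicode_pwd(candidate) or "ok")
```

Python's plain "utf-16" codec writes a byte order mark and uses the host's native byte order, so naming "utf-16-le" explicitly gives the same bytes on every platform.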