From: Deepak G. <de...@ar...> - 2005-05-24 20:53:59
On Tue, 2005-05-24 at 14:21 +0200, Daniel LB wrote:
> Yes, I am doing this with AD.
> I tried what you said and the error message I got back was
> WILL_NOT_PERFORM (Server unwilling to perform), so I'm guessing it's
> because I don't use any encryption on my connection.

Perhaps. AD has the habit of throwing the WILL_NOT_PERFORM error in all
kinds of weird situations. :)

> But, since I'm only connecting to localhost, is encryption really necessary?

The short answer is "yes". :)

The long answer is that this is a restriction that AD imposes upon us:

"The password is stored in the Active Directory on a user object in the
unicodePwd attribute. This attribute can be written under restricted
conditions, but it cannot be read. The attribute can only be modified; it
cannot be added on object creation or queried by a search. In order to
modify this attribute, the client must have a 128-bit Secure Socket Layer
(SSL) connection to the server. For this connection to be possible, the
server must possess a server certificate for a 128-bit RSA connection, the
client must trust the certificate authority (CA) that generated the server
certificate, and both client and server must be capable of 128-bit
encryption."

This is from:
http://support.microsoft.com/default.aspx?scid=kb;en-us;269190

> Anyway.. could you give me an example of how you establish your
> encrypted connection?

What Bjørn says is largely correct, except that with AD you have to go
through some pain to get it to do LDAP/SSL. It's much more painful than
with OpenLDAP, unfortunately (my kingdom for a simple config file!).

Here's what you do:

1) Install an "Enterprise Certificate Authority" onto your AD server. You
can do this through the Control Panel -> "Add/Remove Windows Components".

2) You'll need to create 2 new "Automatic Certificate Requests", one for
"Computer" and one for "Domain Controller". Do this via "Domain Controller
Security Policy" -> "Computer Configuration" -> "Windows Settings" ->
"Security Settings" -> "Public Key Policies" -> (right-click on "Automatic
Certificate Request Settings") -> (choose "New") -> (choose "Automatic
Certificate Request"). Do this step twice, once to make a "Computer" cert,
and once for a "Domain Controller" cert.

3) At this point, you should be able to connect via SSL (I'm not sure if
the AD server requires a reboot or not...)

4) Here's how I establish an SSL connection in Python:

    import ldap

    # Disable strict certificate checking, since you've made up your
    # own certificate for SSL
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

    # Disable OpenLDAP referral chasing, which can cause trouble with
    # AD
    ldap.set_option(ldap.OPT_REFERRALS, 0)

    # Create the connection
    conn = ldap.initialize("ldaps://localhost")
    conn.simple_bind_s("username", "password")

Ta da! I know it's a lot of work, but that's the only way I know of to get
AD to do LDAP/SSL. Here is a (pretty worthless) article from MSDN about it:
http://support.microsoft.com/default.aspx?scid=kb;en-us;247078

Hope this helps! :)

Cheers,
deepak

--
Deepak Giridharagopal
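Added example, not part of Deepak's message and not code from the python-ldap project: the same LDAPS bind written so that the domain controller's certificate is verified against the enterprise CA created in step 1 (instead of OPT_X_TLS_NEVER), plus the unicodePwd value encoding that the KB article quoted above requires (the new password wrapped in double quotes and encoded as UTF-16LE). It assumes the python-ldap library the message uses; the host name, bind DN, password, user DN and CA file path are placeholders.

```python
"""LDAPS bind to Active Directory with certificate verification, and the
unicodePwd encoding needed to change a password over that connection.
Example code; assumes python-ldap. Host, DNs, password and CA path are
placeholders."""

# Placeholders (assumed values, replace with your own):
AD_URI = "ldaps://dc.example.local"
CA_FILE = "/etc/ssl/certs/ad-enterprise-ca.pem"   # exported enterprise CA cert


def require_ldaps(uri):
    """Refuse plaintext ldap:// up front: AD answers a unicodePwd modify over
    an unencrypted session with WILL_NOT_PERFORM, so fail early and clearly."""
    if not uri.lower().startswith("ldaps://"):
        raise ValueError("unicodePwd can only be modified over an LDAPS connection")
    return uri


def encode_unicode_pwd(password):
    """AD expects the new password enclosed in double quotes and encoded as
    UTF-16LE (per KB 269190). Returns bytes ready for a MOD_REPLACE."""
    return ('"' + password + '"').encode("utf-16-le")


def connect_ldaps(uri, bind_dn, bind_pw, ca_file):
    """Open an LDAPS connection that demands a certificate chaining to ca_file."""
    import ldap  # python-ldap; imported here so the pure helpers run without it

    require_ldaps(uri)
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_REFERRALS, 0)          # AD referrals, as in the message
    conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)        # apply the TLS options above to this connection
    conn.simple_bind_s(bind_dn, bind_pw)
    return conn


def set_ad_password(conn, user_dn, new_password):
    """Replace unicodePwd on user_dn; the attribute can only be modified, never read."""
    import ldap

    conn.modify_s(user_dn, [(ldap.MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])])


if __name__ == "__main__":
    # Placeholder credentials; runs only when a real DC and CA file are available.
    c = connect_ldaps(AD_URI, "CN=svc-pwreset,CN=Users,DC=example,DC=local",
                      "service-account-password", CA_FILE)
    set_ad_password(c, "CN=Some User,CN=Users,DC=example,DC=local", "N3w-Passw0rd!")
    c.unbind_s()
```

Pointing OPT_X_TLS_CACERTFILE at the exported CA certificate and setting OPT_X_TLS_DEMAND means the bind fails if the server presents a certificate the CA did not issue, which OPT_X_TLS_NEVER would silently accept; OPT_X_TLS_NEWCTX must be set after the other TLS options so they take effect on that connection object.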