From: Mike M. <mm...@wy...> - 2007-11-08 13:41:52
Thanks for your input David. I will read through the MSDN articles to see if they provide me with any insight. I am not familiar with using SASL/GSSAPI/Kerberos to bind to AD's LDAP. Could you possibly provide me with a few steps to accomplish this?

Thanks,
Mike

On Nov 8, 2007, at 7:48 AM, David Leonard wrote:

> Hi, Mike
>
> I think AD uses an extension to the Kerberos protocol to change the password of a user. See http://msdn2.microsoft.com/en-us/library/ms808911.aspx
> As far as I understand it, the unicodePwd attribute is the NT hash of the user's password. (See http://msdn2.microsoft.com/en-us/library/ms680513.aspx).
> Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's LDAP. It should be a lot easier to manage than SSL certs.
>
> David
>
> Mike Matz wrote:
>>
>> Thanks for the help guys. It got me off to a great start. I have successfully created a user in my AD. As you already alluded to, I am struggling with the password attribute. Can the password attribute be set when creating a user? From what I gathered, the password attribute is 'unicodePwd'. This attribute cannot be created, it can only be modified. Is this attribute created by default when a user is created? Would I be able to do an add and then a modify to set the password? I am aware of the fact that there are certain restrictions in place in order to modify the password. I have set up my AD to include SSL and I am able to bind as Administrator over port 636. With that said, one of the examples I ran across for adding a user refers to another attribute, 'userPassword'. I am unable to tell what this attribute is. In the link below, it appears that the password is being set when the entry is added. I have tried this unsuccessfully. I appreciate all the help thus far.
>>
>> Regards,
>> Mike
>>
>> Example Add Entry - http://www.grotan.com/ldap/python-ldap-samples.html
>>
>>
>> -----Original Message-----
>> From: Geert Jansen [mailto:ge...@bo...]
>> Sent: Wed 11/7/2007 1:50 PM
>> To: Michael Ströder
>> Cc: Mike Matz; pyt...@li...
>> Subject: Re: Creating Active Directory Objects
>>
>> Michael Ströder wrote:
>>
>> > I vaguely remember that there are some issues with really activating a
>> > user entry as a Windows user. But this is not a problem of accessing AD
>> > via python-ldap.
>> >
>>
>> This indeed rings a bell. You need to create the user as disabled (look
>> for userAccountControl on MSDN), set a compliant password, and then
>> enable him.
>>
>> Regards,
>> Geert
>>
>>
>
> --
> David Leonard d...@ad...
> Ph:+61 404 844 850
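
The add-then-modify sequence discussed in the thread above (create the user disabled, set a password, then enable), as an added example that is not part of the original messages or of python-ldap: it only builds the argument tuples that python-ldap's `add_s` and `modify_s` take. The ldaps-only check, the quoted UTF-16LE form that Microsoft documents for `unicodePwd` writes, and every sample name and value are assumptions of this example.

```python
"""Added example: plan the create-disabled / set-password / enable sequence."""
from urllib.parse import urlparse

MOD_REPLACE = 2              # same value as ldap.MOD_REPLACE in python-ldap
UF_ACCOUNTDISABLE = 0x0002   # userAccountControl flag: account disabled
UF_NORMAL_ACCOUNT = 0x0200   # userAccountControl flag: ordinary user account


def encode_unicode_pwd(password):
    # unicodePwd writes carry the password wrapped in double quotes, UTF-16LE encoded.
    return ('"%s"' % password).encode("utf-16-le")


def plan_ad_user(uri, dn, sam_account_name, password):
    """Return [(method, dn, modlist), ...] in the order the calls must be made."""
    # Assumption of this example: only an SSL bind (port 636 in the thread) is accepted.
    if urlparse(uri).scheme != "ldaps":
        raise ValueError("refusing to send unicodePwd over %r; use ldaps://" % uri)
    disabled = str(UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE).encode()  # b"514"
    enabled = str(UF_NORMAL_ACCOUNT).encode()                       # b"512"
    add_attrs = [
        ("objectClass", [b"top", b"person", b"organizationalPerson", b"user"]),
        ("sAMAccountName", [sam_account_name.encode()]),
        ("userAccountControl", [disabled]),   # step 1: create disabled, no password
    ]
    return [
        ("add_s", dn, add_attrs),
        # step 2: unicodePwd is modified after the add, never included in it
        ("modify_s", dn, [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(password)])]),
        # step 3: clear the disabled flag once a compliant password is in place
        ("modify_s", dn, [(MOD_REPLACE, "userAccountControl", [enabled])]),
    ]


def apply_plan(conn, plan):
    # conn: an already bound python-ldap connection object (hypothetical caller-supplied).
    for method, dn, modlist in plan:
        getattr(conn, method)(dn, modlist)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for method, dn, modlist in plan_ad_user(
            "ldaps://dc1.example.test:636",
            "CN=Test User,OU=Staff,DC=example,DC=test",
            "tuser", "Constructed-Pw-2007!"):
        print(method, dn, modlist)
```

If step 2 is rejected by the directory's password policy, the account stays disabled, so a failed run never leaves an enabled account without a password.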