From: Mike M. <mm...@wy...> - 2007-11-09 13:36:36
Thank you to all who responded to my queries. I have been able to successfully create an account and set the password for an AD user on my test server. For those who are interested, here is the breakdown of what I did. As I continue to debug and test I will post updates to this topic.

Connected via SSL to the server. There is no need to manage certificates on the client since I am not binding, only establishing an LDAP connection. Certificate Services do need to be installed on the server. In the future I plan to try to implement the sasl_bind code that Michael mentioned.

To create the account I performed an ldap add and to set the password I performed a modify on the unicodePwd attribute. This has appeared to work successfully. I am able to authenticate as the newly created user, map a home directory, etc. I will need to do further testing to ensure that this is a valid method for creating an account.

Once again, thanks to all who provided input!

Regards,
Mike

On Nov 9, 2007, at 4:35 AM, Michael Ströder wrote:

> Geert Jansen wrote:
>>
>> Forget about using LDAP to change a user's password. It can be done but
>> it requires 128-bit SSL and so you need to set up certificate services
>> and distribute the CA certificate to your client. An easier way is to
>> use the Kerberos Set Password protocol (RFC3244). MIT Kerberos 1.3 and
>> later support this protocol. Unfortunately there is no command-line
>> interface to this call so you need to create a Python extension module
>> for wrapping this call.
>>
>> My (in progress) project FreeADI contains a wrapper for the Set Password
>> call. See the file "/trunk/freeadi/core/_krb5.c" on my Trac page at
>> freeadi.org. The code is available under the liberal MIT license.
>
> If you're already on that route you might be interested in the
> heimdal-wrapper module by Univention. Its license is GPL. Not sure
> whether they support the Set Password protocol though.
>
> Ciao, Michael.
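
The add-then-modify sequence described in the message above, as an added example that is not code from the thread. It assumes `conn` is an already-bound python-ldap connection opened on `uri`; the attribute set, the disabled-then-enabled `userAccountControl` values and the function names are choices made for this illustration.

```python
"""Create an AD user with an LDAP add, then set unicodePwd with a modify."""

MOD_REPLACE = 2  # same numeric value as ldap.MOD_REPLACE in python-ldap


def encode_unicode_pwd(password):
    """AD expects unicodePwd as the password wrapped in double quotes,
    encoded as UTF-16LE. Any other encoding is rejected by the server."""
    return ('"' + password + '"').encode("utf-16-le")


def build_user_entry(sam, upn):
    """Attribute list for add_s(). The account starts disabled because it
    has no password yet (514 = NORMAL_ACCOUNT | ACCOUNTDISABLE)."""
    return [
        ("objectClass", [b"top", b"person", b"organizationalPerson", b"user"]),
        ("sAMAccountName", [sam.encode("utf-8")]),
        ("userPrincipalName", [upn.encode("utf-8")]),
        ("userAccountControl", [b"514"]),
    ]


def create_user(conn, uri, dn, sam, upn, password):
    """Run the three steps on `conn` (assumed: a bound python-ldap
    connection to `uri`). Returns the number of LDAP operations sent."""
    # AD refuses unicodePwd writes on an unencrypted connection; this
    # example only allows ldaps://, the transport used in the thread.
    if not uri.lower().startswith("ldaps://"):
        raise ValueError("unicodePwd must be sent over an encrypted connection")
    conn.add_s(dn, build_user_entry(sam, upn))
    conn.modify_s(dn, [(MOD_REPLACE, "unicodePwd",
                        [encode_unicode_pwd(password)])])
    # Enable the account only after the password is in place (512 = NORMAL_ACCOUNT).
    conn.modify_s(dn, [(MOD_REPLACE, "userAccountControl", [b"512"])])
    return 3
```
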