From: Randy <wis...@gm...> - 2008-08-29 22:53:20
Mike (or anyone else who has successfully changed an Active Directory password using python-ldap over SSL),

I have not found an update in the archives to your last message on this subject (below). Can you perhaps share some Python code showing how to add or change the password for an Active Directory user via LDAP over SSL?

Thanks!

- Randy Wiser

> From: Mike Matz <mmatz@wy...> - 2007-11-09 13:36
>
> Thank you to all who responded to my queries. I have been able to
> successfully create an account and set the password for an AD user on
> my test server. For those who are interested here is the breakdown of
> what I did. As I continue to debug and test I will post updates to
> this topic.
>
> Connected via SSL to the server. There is no need to manage
> certificates on the client since I am not binding, only establishing
> an LDAP connection. Certificate Services do need to be installed on
> the server. In the future I plan to try to implement the sasl_bind
> code that Michael mentioned. To create the account I performed an
> ldap add and to set the password I performed a modify on the
> unicodePwd attribute. This has appeared to work successfully. I am
> able to authenticate as the newly created user, map a home directory,
> etc. I will need to do further testing to ensure that this is a valid
> method for creating an account.
>
> Once again, thanks to all who provided input!
>
> Regards,
> Mike

From: Michael S. <mi...@st...> - 2008-08-30 08:46:22
Randy wrote:
> Mike (or anyone else who has successfully changed an Active Directory
> password using python-ldap over SSL),
>
> I have not found an update in the archives to your last message on
> this subject (below). Can you perhaps share some Python code showing
> how to add or change the password for an Active Directory user via
> LDAP over SSL?

Recent web2ldap changes unicodePwd in AD. You could set trace_level=2 in etc/web2ldap/web2ldapcnf/misc.py to see what's passed to python-ldap.

For the SSL part see Demo/initialize.py in python-ldap's source distribution. Of course you have to check back with your admin whether SSL is enabled in your AD DCs and which CA cert to install on the client side.

Ciao, Michael.

From: <wis...@gm...> - 2008-09-02 22:27:36
On 8/30/08, Michael Ströder <mi...@st...> wrote:
> Randy wrote:
>> Mike (or anyone else who has successfully changed an Active Directory
>> password using python-ldap over SSL),
>>
>> I have not found an update in the archives to your last message on
>> this subject (below). Can you perhaps share some Python code showing
>> how to add or change the password for an Active Directory user via
>> LDAP over SSL?
>
> Recent web2ldap changes unicodePwd in AD. You could set trace_level=2 in
> etc/web2ldap/web2ldapcnf/misc.py to see what's passed to python-ldap.
>
> For the SSL part see Demo/initialize.py in python-ldap's source
> distribution. Of course you have to check back with your admin whether
> SSL is enabled in your AD DCs and which CA cert to install on the client
> side.
>
> Ciao, Michael.
>

Thanks for the quick reply Michael.

I installed web2ldap 0.16.41, but have not been able to connect via SSL and Bind to my Active Directory test machine (running Microsoft's ADAM server on WinXP, which I have successfully connected/authenticated with over SSL using MS's ldp.exe utility). I am not completely sure I need to do a simple bind, in order to change a user password in Active Directory, when I have both the old and new passwords, given the other comments by Mike in this thread.

Does web2ldap have a public SVN or CVS repository where I might view the changes that allow web2ldap to change the unicodePwd in AD, and hence get some hint as to where in the code this magic is happening?

This task may be easy for someone with LDAP experience, but I have virtually no experience with LDAP (or AD either).

Thanks again,

- Randy

From: Mike M. <mm...@wy...> - 2008-09-03 13:45:16
Hi Randy,

My apologies for not getting back to you sooner. Here is a crude example of the code I used to create/modify a password using Python LDAP. The trick to modifying the password is encoding in unicode. I am still trying to find my bookmark to a discussion board that explains how this works. Once I find it I will post it here as well.

Unfortunately I have not had any time over the past few months to work on my code so I do not have a whole lot more that I can give you at the moment. I plan to begin work again this fall and any changes or advancements I make I will be sure to post. If you find a better way to achieve AD account manipulation please let me know.

Thanks,
Mike

    import ldap
    import ldap.modlist as modlist

    server = "ldaps://jebediah.springfield.org:636"
    who = "adm...@sp..."
    cred = "password"
    path = "ou=Students,ou=Accounts,dc=springfield,dc=org"  # not used below
    keyword = "simpson"                                      # not used below

    dn = 'cn=jjones,ou=Accounts,dc=springfield,dc=org'

    # On Python 3, python-ldap takes each attribute value as a list of bytes.
    attrs = {}
    attrs['objectclass'] = [b'top', b'person', b'organizationalPerson', b'user']
    attrs['cn'] = [b'jjones']
    attrs['userPassword'] = [b'jimbo']
    attrs['userPrincipalName'] = [b'jjones']
    attrs['sAMAccountName'] = [b'jjones']
    attrs['givenName'] = [b'Jimbo']
    attrs['sn'] = [b'Jones']
    attrs['DisplayName'] = [b'Jimbo Jones']
    attrs['description'] = [b'A brief description']
    attrs['userAccountControl'] = [b'512']

    # unicodePwd takes the password wrapped in double quotes, encoded as UTF-16LE.
    password = "jimbo"
    password_attr = "unicodePwd"
    unicode1 = "\"" + password + "\""   # Python 3 str is already Unicode
    unicode2 = unicode1.encode("utf-16-le")
    password_value = unicode2

    mods = [(ldap.MOD_REPLACE, password_attr, [password_value])]
    ldif = modlist.addModlist(attrs)

    l = ldap.initialize(server)
    l.simple_bind_s(who, cred)
    l.add_s(dn, ldif)
    # Synchronous modify, so a server-side failure is raised before unbinding.
    l.modify_s(dn, mods)
    l.unbind_s()
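
An added example, not code from this thread or from python-ldap or web2ldap: it builds the unicodePwd modify lists discussed above, covering both the administrative reset that Mike's code performs (a single replace) and the change form Active Directory accepts when the old password is known (delete of the old value plus add of the new one in the same modify request). The function names are this example's own, the MOD_* constants are inlined so it runs without python-ldap installed, and the new password shown is a constructed sample.

```python
from urllib.parse import urlparse

# Same numeric values as ldap.MOD_ADD / MOD_DELETE / MOD_REPLACE (RFC 4511),
# inlined so the example runs without python-ldap installed.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def encode_unicode_pwd(password: str) -> bytes:
    """Quote the password and encode it as UTF-16LE, as unicodePwd requires."""
    if not isinstance(password, str) or not password:
        raise ValueError("password must be a non-empty str")
    return ('"' + password + '"').encode("utf-16-le")  # no BOM is emitted


def reset_modlist(new_password: str) -> list:
    """Administrative reset: a single replace, as in Mike's code."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


def change_modlist(old_password: str, new_password: str) -> list:
    """Change with knowledge of the old password: delete the old value and
    add the new one in one modify request."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def transport_is_encrypted(uri: str, start_tls: bool = False) -> bool:
    """True for ldaps://, or for ldap:// when the caller has done StartTLS."""
    scheme = urlparse(uri).scheme.lower()
    return scheme == "ldaps" or (scheme == "ldap" and start_tls)


if __name__ == "__main__":
    uri = "ldaps://jebediah.springfield.org:636"  # server URI from the thread
    if not transport_is_encrypted(uri):
        raise SystemExit("refusing to send unicodePwd without TLS")
    # "jimbo" is the thread's sample password; the new one is constructed.
    for op, attr, values in change_modlist("jimbo", "N3w-Pässwort!"):
        print(op, attr, values[0].hex())
    # With python-ldap: conn.modify_s(dn, change_modlist(old, new))
```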