From: Daniel LB <dan...@gm...> - 2005-05-23 11:06:10
Hi,

Is it possible to set a user's password without knowing the old password with python-ldap? I have only come across the passwd(user,oldpw,newpw) function, which requires the old password, but if you are logged in as Administrator you should be able to *set* the users' password directly, no?

//daniel
From: Bjorn O. G. <bjo...@it...> - 2005-05-23 11:14:37
Daniel LB:
> Hi
>
> Is it possible to set a user's password without knowing the old
> password with python-ldap?
>
> I have only come across the passwd(user,oldpw,newpw) function, which
> requires the old password, but if you are logged in as Administrator
> you should be able to *set* the users' password directly, no?

Just use the function modify_s to do such modifications.

import ldap
import ldap.modlist as modlist

# Example connection; bind as a user with read and write privileges
# on userPassword.
l = ldap.initialize("ldap://localhost")
l.simple_bind_s("cn=admin,dc=example,dc=org", "adminsecret")
base = "dc=example,dc=org"

newattrs = {'userPassword': [b'1337secret']}

# modifyModlist takes the old and the new attribute dicts and emits the
# delete/add/replace operations needed to get from one to the other.
dn, entry = l.search_s(base, ldap.SCOPE_SUBTREE, "uid=someuser", ['userPassword'])[0]
old = {'userPassword': entry.get('userPassword', [])}

attrs = modlist.modifyModlist(old, newattrs)
l.modify_s(dn, attrs)

# Alternatively, make a list of change-commands. I think its documented
# in the module, so just play along with help(ldap.modify_s) or
# something.

--
Regards

Bjørn Ove Grøtan
From: Deepak G. <de...@ar...> - 2005-05-23 18:04:22
On Mon, 2005-05-23 at 13:06 +0200, Daniel LB wrote:
> I have only come across the passwd(user,oldpw,newpw) function, which
> requires the old password, but if you are logged in as Administrator
> you should be able to *set* the users' password directly, no?

Are you doing this with Active Directory (I ask because you mention "Administrator" in your email)? If not, then ignore the rest of this message. :)

But if so, then here's some code that I use:

import ldap

userdn = "cn=foo,cn=users,dc=blah,dc=org"
pw = "1337secret"

# AD requires that passwords be enclosed in quotes
# and properly encoded (UTF-16-LE). This is Python 2; on Python 3
# the equivalent is ('"' + pw + '"').encode("utf-16-le").
adpw = unicode('"' + pw + '"', "iso-8859-1")
adpw = adpw.encode("utf-16-le")

# conn is an established LDAP connection
conn.modify_s(userdn, [(ldap.MOD_REPLACE, "unicodePwd", adpw)])

Also, this snippet requires that your LDAP connection to the AD server is encrypted. AD won't let you modify certain attributes over an unencrypted connection.

Cheers!
deepak

--
Deepak Giridharagopal
From: Daniel LB <dan...@gm...> - 2005-05-24 12:21:47
Yes, I am doing this with AD.
I tried what you said and the error message I got back was WILL_NOT_PERFORM (Server unwilling to perform), so I'm guessing it's because I don't use any encryption on my connection.

But, since I'm only connecting to localhost, is encryption really necessary?

Anyway.. could you give me an example of how you establish your encrypted connection?

thanks
//daniel

On 5/23/05, Deepak Giridharagopal <de...@ar...> wrote:
> On Mon, 2005-05-23 at 13:06 +0200, Daniel LB wrote:
> > I have only come across the passwd(user,oldpw,newpw) function, which
> > requires the old password, but if you are logged in as Administrator
> > you should be able to *set* the users' password directly, no?
>
> Are you doing this with Active Directory (I ask because you mention
> "Administrator" in your email)? If not, then ignore the rest of this
> message. :)
>
> But if so, then here's some code that I use:
>
> userdn = "cn=foo,cn=users,dc=blah,dc=org"
> pw = "1337secret"
>
> # AD requires that passwords be enclosed in quotes
> # and properly encoded
> adpw = unicode('"' + pw + '"', "iso-8859-1")
> adpw = adpw.encode("utf-16-le")
>
> # conn is an established LDAP connection
> conn.modify_s(userdn, [(ldap.MOD_REPLACE, "unicodePwd", adpw)])
>
> Also, this snippet requires that your LDAP connection to the AD server
> is encrypted. AD won't let you modify certain attributes over an
> unencrypted connection.
>
> Cheers!
> deepak
>
> --
> Deepak Giridharagopal
From: Bjorn O. G. <bjo...@it...> - 2005-05-24 12:58:32
Daniel LB:
> Yes, I am doing this with AD.
> I tried what you said and the error message I got back was
> WILL_NOT_PERFORM (Server unwilling to perform), so I'm guessing it's
> because I don't use any encryption on my connection.
>
> But, since I'm only connecting to localhost, is encryption really necessary?

Depends on whether your server allows non-encrypted authentication or not. In general, I wouldn't do non-anonymous non-encrypted authentication.

> Anyway.. could you give me an example of how you establish your
> encrypted connection?

TLS:

import ldap

l = ldap.initialize("ldap://localhost")
l.start_tls_s()
# Now we've got TLS over port 389
l.simple_bind_s("cn=someuser,dc=example,dc=org", "secret")

SSL:

import ldap

# Use the ldaps:// scheme, and the FQDN and/or the cn in the certificate here
l = ldap.initialize("ldaps://ldap.example.org")
# That's it.. we've got LDAP using SSL -> Secure Socket Layer
l.simple_bind_s("cn=someuser,dc=example,dc=org", "secret")

--
Regards

Bjørn Ove Grøtan
From: Deepak G. <de...@ar...> - 2005-05-24 20:53:59
On Tue, 2005-05-24 at 14:21 +0200, Daniel LB wrote:
> Yes, I am doing this with AD.
> I tried what you said and the error message I got back was
> WILL_NOT_PERFORM (Server unwilling to perform), so I'm guessing it's
> because I don't use any encryption on my connection.

Perhaps. AD has the habit of throwing the WILL_NOT_PERFORM error in all kinds of weird situations. :)

> But, since I'm only connecting to localhost, is encryption really necessary?

The short answer is "yes". :) The long answer is that this is a restriction that AD imposes upon us:

"The password is stored in the Active Directory on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read. The attribute can only be modified; it cannot be added on object creation or queried by a search. In order to modify this attribute, the client must have a 128-bit Secure Socket Layer (SSL) connection to the server. For this connection to be possible, the server must possess a server certificate for a 128-bit RSA connection, the client must trust the certificate authority (CA) that generated the server certificate, and both client and server must be capable of 128-bit encryption."

This is from: http://support.microsoft.com/default.aspx?scid=kb;en-us;269190

> Anyway.. could you give me an example of how you establish your
> encrypted connection?

What Bjørn says is largely correct, except that with AD you have to go through some pain to get it to do LDAP/SSL. It's much more painful than with OpenLDAP, unfortunately (my kingdom for a simple config file!). Here's what you do:

1) Install an "Enterprise Certificate Authority" onto your AD server. You can do this through the Control Panel -> "Add/Remove Windows Components"

2) You'll need to create 2 new "Automatic Certificate Requests", one for "Computer" and one for "Domain Controller". Do this via "Domain Controller Security Policy" -> "Computer Configuration" -> "Windows Settings" -> "Security Settings" -> "Public Key Policies" -> (right-click on "Automatic Certificate Request Settings") -> (choose "New") -> (choose "Automatic Certificate Request"). Do this step twice, once to make a "Computer" cert, and once for a "Domain Controller" cert.

3) At this point, you should be able to connect via SSL (I'm not sure if the AD server requires a reboot or not...)

4) Here's how I establish an SSL connection in Python:

import ldap

# Disable strict certificate checking, since you've made up your
# own certificate for SSL. Note that with this setting the client does
# not verify who it is talking to; to keep verification, point
# ldap.OPT_X_TLS_CACERTFILE at your CA certificate and use
# ldap.OPT_X_TLS_DEMAND instead of ldap.OPT_X_TLS_NEVER.
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

# Disable OpenLDAP referral chasing, which can cause trouble with
# AD
ldap.set_option(ldap.OPT_REFERRALS, 0)

# Create the connection
conn = ldap.initialize("ldaps://localhost")
conn.simple_bind_s("username", "password")

Ta da! I know it's a lot of work, but that's the only way I know of to get AD to do LDAP/SSL. Here is a (pretty worthless) article from MSDN about it: http://support.microsoft.com/default.aspx?scid=kb;en-us;247078

Hope this helps! :)

Cheers,
deepak

--
Deepak Giridharagopal
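The following is an added example, not code from this thread or from python-ldap's own documentation. It pulls together the two points made above for current python-ldap on Python 3: the quote-wrapped UTF-16-LE encoding of unicodePwd that Deepak describes, and a connection that verifies the domain controller's certificate against a CA file instead of switching verification off with OPT_X_TLS_NEVER. It also goes one step beyond the thread to the case Daniel opened with, a change that supplies the old password: against AD that is a MOD_DELETE of the old value plus a MOD_ADD of the new value in the same modify, rather than the MOD_REPLACE an administrator uses for a reset. The server URI, bind DN, user DN, credentials and CA file path are placeholder assumptions; the modlist helpers need no server and run even when python-ldap is not installed.

```python
"""Setting an Active Directory password over LDAP with python-ldap (Python 3).

Added example. Host names, DNs, credentials and the CA file path below are
placeholders, not values taken from the mailing-list thread.
"""
from typing import List, Optional, Tuple

try:
    import ldap  # python-ldap; only the network functions need it
    MOD_ADD, MOD_DELETE, MOD_REPLACE = ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE
except ImportError:  # keep the pure helpers usable without python-ldap
    ldap = None
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2  # OpenLDAP LDAP_MOD_* values

Modlist = List[Tuple[int, str, bytes]]


def encode_ad_password(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes, UTF-16-LE."""
    return ('"' + password + '"').encode("utf-16-le")


def decode_ad_password(value: bytes) -> str:
    """Inverse of encode_ad_password, used to sanity-check what we send."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not wrapped in double quotes")
    return text[1:-1]


def unicode_pwd_modlist(new_password: str, old_password: Optional[str] = None) -> Modlist:
    """Build the modify operation for unicodePwd.

    Administrative reset (old_password is None): a single MOD_REPLACE.
    Self-service change: MOD_DELETE of the old value and MOD_ADD of the new
    value in one modify, so AD can verify the old password.
    """
    new_value = encode_ad_password(new_password)
    if old_password is None:
        return [(MOD_REPLACE, "unicodePwd", new_value)]
    return [
        (MOD_DELETE, "unicodePwd", encode_ad_password(old_password)),
        (MOD_ADD, "unicodePwd", new_value),
    ]


def ad_connect(uri: str, bind_dn: str, bind_pw: str, ca_file: str):
    """Open an encrypted connection that verifies the server certificate.

    uri is ldaps://host:636 (TLS from the first byte) or ldap://host:389, in
    which case StartTLS is negotiated before the bind. Either way the bind
    credentials and the unicodePwd modify travel encrypted, as AD requires.
    """
    if ldap is None:
        raise RuntimeError("python-ldap is required for ad_connect")
    # Verify the DC's certificate against our CA instead of OPT_X_TLS_NEVER.
    ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_file)
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    # AD returns referrals that OpenLDAP would otherwise try to chase.
    ldap.set_option(ldap.OPT_REFERRALS, 0)
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    if uri.lower().startswith("ldap://"):
        conn.start_tls_s()  # upgrade the plaintext port to TLS before binding
    conn.simple_bind_s(bind_dn, bind_pw)
    return conn


def set_ad_password(conn, user_dn: str, new_password: str,
                    old_password: Optional[str] = None) -> None:
    """Reset (admin) or change (user, with old password) an AD account password."""
    conn.modify_s(user_dn, unicode_pwd_modlist(new_password, old_password))


if __name__ == "__main__":
    # Placeholder values; adjust for a real domain before running.
    conn = ad_connect("ldaps://dc1.example.org:636",
                      "cn=Administrator,cn=Users,dc=example,dc=org",
                      "admin-password",
                      "/etc/ssl/certs/example-ad-ca.pem")
    set_ad_password(conn, "cn=foo,cn=Users,dc=example,dc=org", "1337secret")
    conn.unbind_s()
```

Both ldaps:// on 636 and ldap:// plus StartTLS satisfy AD's encryption requirement. The difference from the OPT_X_TLS_NEVER setting in the message above is that the client also checks who it is talking to: with verification off the traffic is encrypted, but anyone who can answer on the port (or sit on the path to it) receives the administrator's bind credentials and the new password in the clear on their end.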