Beefy Boxes and Bandwidth Generously Provided by pair Networks
Think about Loose Coupling

LDAP & AD - allow user to reset password

by 5mi11er (Deacon)
on Mar 16, 2009 at 20:23 UTC ( #751018=perlquestion: print w/replies, xml ) Need Help??
5mi11er has asked for the wisdom of the Perl Monks concerning the following question:

Fellow Monks, I'm hoping someone has intimate AD knowledge as I believe that is what is needed in this case.

I have working example code that changes a user's own Active Directory password.

use strict; use warnings; use Net::LDAP; use Unicode::Map8; use Unicode::String qw(utf16); my $password = "Abc123Xyz"; my $newpass = 'N0tS0S1mple'; my $cn = 'Test User'; my $baseDN = "CN=Users,DC=company,DC=com"; my $ldap = Net::LDAP->new( 'ldaps://' ) or die "co +uldn't talk to ldap server\n"; my $mesg = $ldap->bind( "cn=$cn, $baseDN", password => $password); print $mesg->error."\n" if ($mesg->code); my $charmap = Unicode::Map8->new('latin1') or die; my $oldUniPW = $charmap->tou('"'.$password.'"')->byteswap()->utf16(); my $newUniPW = $charmap->tou('"'.$newpass.'"')->byteswap()->utf16(); my $mesg = $ldap->modify("cn=$cn,$baseDN", changes => [ delete => [ unicodePwd => $oldUniPW ], add => [ unicodePwd => $newUniPW ] ]); die("Unable to reset Active Directory password: ".$mesg->error) if ($m +esg->error ne "Success");
I also have code to allow an administrator to set a user's password. This is easy, and easily found via a google search.

What I don't have working, which I do want, is LDAP code to allow a user to change their password if their "User must change password at next logon" option is set, which, from other info I've read, actually means that the pwdLastSet attribute is set to zero.

So what happens if that attribute is set to zero, is that the user is unable to bind to the AD server. If a bind by that user happens, with a correct password, you get back an error that states:

80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773
and the data 773 portion points to a reason which states "user must reset password". Which is absolutely correct.

So, how then, if I am unable to bind as that user, am I supposed to change the user's password?

I know I could just bind as an admin and set the new password, but I would rather not have an administrative password within the script if I can avoid it.

I also found a "setpassword" extension for OpenLdap, but AD doesn't support that; it probably does support something very much like it, but I don't know where to start attempting to find that.

If anyone has knowledge to share, I would very much appreciate it.


Replies are listed 'Best First'.
Re: LDAP & AD - allow user to reset password
by ig (Vicar) on Mar 17, 2009 at 01:04 UTC

    I don't know the details of how it's done but ssh/PAM/Kerberos authentication against AD can be set up to handle password reset on logon from linux. All the linux side code is available, so you can review it to find out how they are doing it.


      I've managed to figure out that you MUST use Kerberos to change an expired AD account. So, I looked at most of the Kerberos perl libraries, but from what I can tell, none of them offer the ability to change a Kerberos password? I'm new enough to kerberos, I could be over looking something...

      So, new question, how does one change a Kerberos password within Perl?



      I re-asked this question as a new SOPW post: Change a user's Kerberos Password?
      I actually got a good answer, and posted an answer I got through email.
Re: LDAP & AD - allow user to reset password
by 5mi11er (Deacon) on Jul 08, 2009 at 20:18 UTC

Log In?

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://751018]
Approved by Corion
and all is quiet...

How do I use this? | Other CB clients
Other Users?
Others avoiding work at the Monastery: (5)
As of 2018-05-23 17:31 GMT
Find Nodes?
    Voting Booth?