PerlMonks  
Fellow Monks, I'm hoping someone has intimate AD knowledge as I believe that is what is needed in this case.

I have working example code that changes a user's own Active Directory password.

use strict;
use warnings;
use Net::LDAP;
use Unicode::Map8;
use Unicode::String qw(utf16);

my $password = "Abc123Xyz";
my $newpass  = 'N0tS0S1mple';
my $cn       = 'Test User';
my $baseDN   = "CN=Users,DC=company,DC=com";

# AD only accepts unicodePwd changes over an encrypted (LDAPS) connection
my $ldap = Net::LDAP->new( 'ldaps://adserver.company.com' )
    or die "couldn't talk to ldap server\n";

# bind as the user whose password is being changed
my $mesg = $ldap->bind( "cn=$cn, $baseDN", password => $password );
print $mesg->error."\n" if ($mesg->code);

# unicodePwd wants the password wrapped in double quotes and encoded as UTF-16LE
my $charmap  = Unicode::Map8->new('latin1') or die;
my $oldUniPW = $charmap->tou('"'.$password.'"')->byteswap()->utf16();
my $newUniPW = $charmap->tou('"'.$newpass.'"')->byteswap()->utf16();

# delete the old value and add the new one in a single modify; AD checks that
# the deleted value matches the current password
$mesg = $ldap->modify( "cn=$cn,$baseDN",
    changes => [
        delete => [ unicodePwd => $oldUniPW ],
        add    => [ unicodePwd => $newUniPW ],
    ]
);
die("Unable to reset Active Directory password: ".$mesg->error) if ($mesg->code);
I also have code to allow an administrator to set a user's password. This is easy, and easily found via a Google search.

What I don't have working, which I do want, is LDAP code to allow a user to change their password if their "User must change password at next logon" option is set, which, from other info I've read, actually means that the pwdLastSet attribute is set to zero.

So what happens if that attribute is set to zero is that the user is unable to bind to the AD server. If a bind by that user happens, with a correct password, you get back an error that states:

80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773
and the data 773 portion points to a reason which states "user must reset password", which is absolutely correct.

So, how then, if I am unable to bind as that user, am I supposed to change the user's password?

I know I could just bind as an admin and set the new password, but I would rather not have an administrative password within the script if I can avoid it.

I also found a "setpassword" extension for OpenLDAP, but AD doesn't support that; it probably does support something very much like it, but I don't know where to start attempting to find that.

If anyone has knowledge to share, I would very much appreciate it.

-Scott
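The following is an added example, not code from the post above, that packages the two pieces the post works with: the unicodePwd encoding (quoted password, UTF-16LE), done here with the core Encode module instead of Unicode::Map8, and a parser for the "data NNN" sub-code in AD's bind diagnostic so a script can tell a "user must reset password" (773) bind failure apart from bad credentials before it ever attempts the modify. The server name and DN are the post's placeholders; the function and hash names are mine; 773 is from the post and the other sub-codes are the documented AD bind error values. The demonstration at the bottom runs offline on constructed input; the real change only happens if you connect a handle yourself.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Encode a clear-text password the way AD's unicodePwd attribute expects it:
# the password wrapped in double quotes, then UTF-16LE with no BOM. This is the
# same byte string the post builds with Unicode::Map8 -> byteswap -> utf16.
sub unicode_pwd {
    my ($plain) = @_;
    return encode('UTF-16LE', qq("$plain"));
}

# Documented AD sub-codes carried in "AcceptSecurityContext error, data NNN".
# 773 is the one the post hit; the rest are the other well-known values.
my %AD_BIND_DATA = (
    '525' => 'user not found',
    '52e' => 'invalid credentials',
    '530' => 'not permitted to logon at this time',
    '531' => 'not permitted to logon at this workstation',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked out',
);

# Pull the hex sub-code out of a bind diagnostic string and translate it.
sub ad_bind_reason {
    my ($diag) = @_;
    return 'unknown' unless defined $diag
        && $diag =~ /AcceptSecurityContext error, data ([0-9a-fA-F]+)/;
    my $code = lc $1;
    return $AD_BIND_DATA{$code} // "unrecognised data code $code";
}

# Change a user's own password over an already-connected LDAPS handle.
# Returns { ok => 1 } on success or { ok => 0, stage => ..., reason => ... }.
# With pwdLastSet = 0 the bind step fails with data 773, as the post describes,
# and that reason is reported instead of attempting the modify.
sub change_own_password {
    my ($ldap, $dn, $old, $new) = @_;

    my $bind = $ldap->bind($dn, password => $old);
    if ($bind->code != LDAP_SUCCESS) {
        return { ok => 0, stage => 'bind',
                 reason => ad_bind_reason($bind->error), error => $bind->error };
    }

    # AD checks that the deleted value matches the current password, so the
    # user proves knowledge of the old password inside the change itself.
    my $mod = $ldap->modify($dn, changes => [
        delete => [ unicodePwd => unicode_pwd($old) ],
        add    => [ unicodePwd => unicode_pwd($new) ],
    ]);
    if ($mod->code != LDAP_SUCCESS) {
        return { ok => 0, stage => 'modify', reason => $mod->error, error => $mod->error };
    }
    $ldap->unbind;
    return { ok => 1 };
}

# Offline demonstration on constructed input; no directory is contacted.
unless (caller) {
    my $bytes = unicode_pwd('Abc123Xyz');
    # a quoted 9-character password is 11 UTF-16 code units, two bytes each
    printf "unicodePwd is %d bytes: %s\n", length $bytes, unpack('H*', $bytes);

    my $diag = '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773';
    print "bind diagnostic -> ", ad_bind_reason($diag), "\n";

    # Against a real server (hypothetical values, fill in your own):
    # my $ldap = Net::LDAP->new('ldaps://adserver.company.com')
    #     or die "LDAPS connect failed: $@";
    # my $r = change_own_password($ldap, 'CN=Test User,CN=Users,DC=company,DC=com', $old, $new);
    # die "password change failed at $r->{stage}: $r->{reason}\n" unless $r->{ok};
}
```

Keeping the LDAP work behind a function that returns a structured result rather than dying lets a wrapper decide what to do with a 773 bind failure (for instance, refuse and point the user at a helpdesk flow) without ever holding an administrative credential in the script, which is the constraint the post is trying to respect.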


In reply to LDAP & AD - allow user to reset password by 5mi11er