|Keep It Simple, Stupid|
LDAP & AD - allow user to reset passwordby 5mi11er (Deacon)
|on Mar 16, 2009 at 20:23 UTC||Need Help??|
5mi11er has asked for the
wisdom of the Perl Monks concerning the following question:
Fellow Monks, I'm hoping someone has intimate AD knowledge as I believe that is what is needed in this case.
I have working example code that changes a user's own Active Directory password.
I also have code to allow an administrator to set a user's password. This is easy, and easily found via a google search.
What I don't have working, which I do want, is LDAP code to allow a user to change their password if their "User must change password at next logon" option is set, which, from other info I've read, actually means that the pwdLastSet attribute is set to zero.
So what happens if that attribute is set to zero, is that the user is unable to bind to the AD server. If a bind by that user happens, with a correct password, you get back an error that states:
80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773and the data 773 portion points to a reason which states "user must reset password". Which is absolutely correct.
So, how then, if I am unable to bind as that user, am I supposed to change the user's password?
I know I could just bind as an admin and set the new password, but I would rather not have an administrative password within the script if I can avoid it.
I also found a "setpassword" extension for OpenLdap, but AD doesn't support that; it probably does support something very much like it, but I don't know where to start attempting to find that.
If anyone has knowledge to share, I would very much appreciate it.