LDAP & AD - allow user to reset password

5mi11er has asked for the wisdom of the Perl Monks concerning the following question:

Fellow Monks, I'm hoping someone has intimate AD knowledge as I believe that is what is needed in this case.

I have working example code that changes a user's own Active Directory password.

use strict;
use warnings;
use Net::LDAP;
use Unicode::Map8;
use Unicode::String qw(utf16);

my $password = "Abc123Xyz";
my $newpass = 'N0tS0S1mple';
my $cn = 'Test User';

my $baseDN = "CN=Users,DC=company,DC=com";
my $ldap = Net::LDAP->new( 'ldaps://adserver.company.com' ) or die "co
+uldn't talk to ldap server\n";
my $mesg = $ldap->bind( "cn=$cn, $baseDN", password => $password);
print $mesg->error."\n" if ($mesg->code);

my $charmap = Unicode::Map8->new('latin1')  or  die;
my $oldUniPW = $charmap->tou('"'.$password.'"')->byteswap()->utf16();
my $newUniPW = $charmap->tou('"'.$newpass.'"')->byteswap()->utf16();


my $mesg = $ldap->modify("cn=$cn,$baseDN",
    changes => [
        delete => [ unicodePwd => $oldUniPW ],
        add    => [ unicodePwd => $newUniPW ]
    ]);

die("Unable to reset Active Directory password: ".$mesg->error) if ($m
+esg->error ne "Success");
[download]

I also have code to allow an administrator to set a user's password. This is easy, and easily found via a google search.

What I don't have working, which I do want, is LDAP code to allow a user to change their password if their "User must change password at next logon" option is set, which, from other info I've read, actually means that the pwdLastSet attribute is set to zero.

So what happens if that attribute is set to zero, is that the user is unable to bind to the AD server. If a bind by that user happens, with a correct password, you get back an error that states:

80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 773

and the data 773 portion points to a reason which states "user must reset password". Which is absolutely correct.

So, how then, if I am unable to bind as that user, am I supposed to change the user's password?

I know I could just bind as an admin and set the new password, but I would rather not have an administrative password within the script if I can avoid it.

I also found a "setpassword" extension for OpenLdap, but AD doesn't support that; it probably does support something very much like it, but I don't know where to start attempting to find that.

If anyone has knowledge to share, I would very much appreciate it.

-Scott

Comment on LDAP & AD - allow user to reset password Download Code

Replies are listed 'Best First'.
Re: LDAP & AD - allow user to reset password by ig (Vicar) on Mar 17, 2009 at 01:04 UTC
I don't know the details of how it's done but ssh/PAM/Kerberos authentication against AD can be set up to handle password reset on logon from linux. All the linux side code is available, so you can review it to find out how they are doing it.	[reply]
Re^2: LDAP & AD - allow user to reset password by 5mi11er (Deacon) on Mar 20, 2009 at 22:03 UTC
Ok, I've managed to figure out that you MUST use Kerberos to change an expired AD account. So, I looked at most of the Kerberos perl libraries, but from what I can tell, none of them offer the ability to change a Kerberos password? I'm new enough to kerberos, I could be over looking something... So, new question, how does one change a Kerberos password within Perl? -Scott Update: I re-asked this question as a new SOPW post: Change a user's Kerberos Password? I actually got a good answer, and posted an answer I got through email.	[reply]
Re: LDAP & AD - allow user to reset password by 5mi11er (Deacon) on Jul 08, 2009 at 20:18 UTC
At long last, I've completed and released my password changing website project. Check it out at http://locksmith.sourceforge.net.	[reply]

Back to Seekers of Perl Wisdom

Update: