发表新帖
发表新帖

Update Active Directory Password using ldap python

前端 未结
关注
3 1727
你的背包
你的背包 2020-12-22 06:33

Basically trying to reset the user\'s password using LDAP python. I\'ve gone through various posts here but no luck :(.

Tried using :

  • a) mo

相关标签:
3条回答
  • 孤独总比滥情好
    2020-12-22 07:19

    I had the very same issue and decided to ask on Server Fault. The answer I got helped me to figure out what was wrong in my code. To summarize, there is 2 diifferent methods to update an AD password: 1 for regular user updating his own password, and another 1 for administrator (or any account with sufficient access rights) resetting the password for another user.

    Method 1: User update his own password

    ad_server = "ldaps://ad.xxx_domain.com"
ad_dn = "CN={0},OU=Users,OU=AF,DC=xxx_domain,DC=com"

username = 'my_username'
old_pwd = 'the_old_pa55word'
new_pwd = 'the_new_pa55word'

cert = os.path.join('/path', "to", 'server_cert.cer')

# LDAP connection initialization
l = ldap.initialize(ad_server)
# Set LDAP protocol version used
l.protocol_version = ldap.VERSION3
# Force cert validation
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
# Set path name of file containing all trusted CA certificates
l.set_option(ldap.OPT_X_TLS_CACERTFILE, cert)
# Force libldap to create a new SSL context (must be last TLS option!)
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

# Bind
l.simple_bind_s(ad_dn.format(username), old_pwd)

# Now, perform the password update
oldpwd_utf16 = '"{0}"'.format(old_pwd).encode('utf-16-le')
newpwd_utf16 = '"{0}"'.format(new_pwd).encode('utf-16-le')
mod_list = [
    (ldap.MOD_DELETE, "unicodePwd", oldpwd_utf16),
    (ldap.MOD_ADD, "unicodePwd", newpwd_utf16),
]
l.modify_s(ad_dn.format(username), mod_list)

    Method 2: Admin account update regular user's password

    ad_server = "ldaps://ad.xxx_domain.com"
ad_dn = "CN={0},OU=Users,OU=AF,DC=xxx_domain,DC=com"

admin_username = "i_am_the_admin"
admin_password = "admin123"

username = 'my_username'
new_pwd = 'the_new_complicated_password'

cert = os.path.join('/path', "to", 'server_cert.cer')

# LDAP connection initialization
l = ldap.initialize(ad_server)
# Set LDAP protocol version used
l.protocol_version = ldap.VERSION3
# Force cert validation
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
# Set path name of file containing all trusted CA certificates
l.set_option(ldap.OPT_X_TLS_CACERTFILE, cert)
# Force libldap to create a new SSL context (must be last TLS option!)
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

# Bind (as admin user)
l.simple_bind_s(ad_dn.format(admin_username), admin_password)

# Now, perform the password update
newpwd_utf16 = '"{0}"'.format(new_pwd).encode('utf-16-le')
mod_list = [
    (ldap.MOD_REPLACE, "unicodePwd", newpwd_utf16),
]
l.modify_s(ad_dn.format(username), mod_list)

    Please note that the second method needs to Bind with a different account (with sufficient rights) but allows to set the new password without re-typing the old one.

    0 讨论(0)
  • 夕颜
    2020-12-22 07:29

    From what I can see is that you user_dn is not correctly set. Double check and ensure you full DN actually exists in the Directory Server. Check your username variable is correctly parsed (No newline or tab characters) and the Base DN is verified. 

    sys.stderr.write('Error setting AD password for: ' + username + '\n')
sys.stderr.write('DN: ' + user_dn + '\n')
sys.stderr.write('Message: ' + str(e) + '\n')

    The error message is pretty clear that AD cannot find the object (DN) it wishes to modify **(NO_OBJECT) 

    {'info': "0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), 
data 0, best match of:\n\t'DC=mydomain,DC=com'\n", 'matched': 
'DC=mydomain,DC=com', 'desc': 'No such object'}
    0 讨论(0)
  • 悲&欢浪女
    2020-12-22 07:30

    I think below program helpful for you.. windows active directory use password attribute as unicode method https://technet.microsoft.com/en-us/magazine/ff848710.aspx

    import ldap
import ldap.modlist as modlist
import base64
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
l = ldap.initialize('ldaps://exam.local')
l.simple_bind_s('Administrator@exam.local', 'p@ssw0rd1') 
dn="cn=map6,ou=Police,dc=exam,dc=local" 
new_password='p@ssw0rd3'
unicode_pass = unicode('\"' + new_password + '\"', 'iso-8859-1')
print (unicode_pass)
password_value = unicode_pass.encode('utf-16-le')
add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value])]
print (password_value)
l.modify_s(dn, add_pass)
l.modify_s(dn, add_pass)
l.unbind_s()
    0 讨论(0)
 看不清?
提交回复
热议问题