Setting Passwords in Active Directory with Perl

So there is no way to change or set passwords in Active Directory with Perl from a Linux server without Net::LDAPS and the whole deal described here http://support.microsoft.com/kb/321051 ?
itniflAsked:
Bryan ButlerCommented:
Not in Perl.  You could call another program to do it, but then that wouldn't be using perl.
jwillekeCommented:
Of course you can.

There are two situations for password modifications:
1 - Change the password - where an entry is changing its own password
2 - Set the password - where an entry with proper rights is setting the password.

Active Directory has a restriction that password modification MUST be performed on an LDAPS connection of not less than 128 bits.

Shown is a Perl code fragment that can be used to "set the password" (taken from http://www.letu.edu/people/markroedel/netcccu/activedirectorypasswordchanges.htm)

-jim
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);

sub set_password {
   my ($username, $password) = @_;

   if (($username eq '') or ($password eq '')) {
      print "Uid and/or password missing in input\n";
      return 0;
   }

   # Bind to the AD server. One connection is enough for both the lookup
   # and the modify. Net::LDAPS->new returns undef on failure and leaves
   # the reason in $@. Without verify => 'require' (plus cafile/capath)
   # the server certificate is not checked.
   my $ad = Net::LDAPS->new("activedirectoryserver.hostname", version => 3);
   unless ($ad) {
      print "Unable to connect to account database server: $@\n";
      return 0;
   }

   # bind() returns a Net::LDAP::Message even when it fails, so the
   # result code has to be checked rather than the return value.
   my $mesg = $ad->bind(dn => "<ldap bind dn>", password => "<ldap bind password>");
   if ($mesg->code) {
      print "Unable to bind to account database server: " . $mesg->error . "\n";
      return 0;
   }

   # Do an AD lookup to get the dn for this user, then change their password.
   # The username is escaped so it cannot alter the search filter.
   $mesg = $ad->search(base   => "ou=accounts, dc=letnet, dc=net",
                       filter => "(cn=" . escape_filter_value($username) . ")");
   if ($mesg->code or $mesg->count != 1) {
      print "Didn't find a valid account for user $username\n";
      print $mesg->count . "\n";
      return 0;
   }

   # AD expects the new password in double quotes, encoded as UTF-16LE
   my $npass = encode('UTF-16LE', "\"$password\"");

   # Now change it
   my $dn = $mesg->entry(0)->dn;

   my $rtn = $ad->modify($dn, replace => { "unicodePwd" => $npass });
   if ($rtn->code) {
      print "User $username, setting password failed: " . $rtn->error . "\n";
      return 0;
   }

   print "Password for $username successfully changed.\n";

   $ad->unbind;
   return 1;
}

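Both of the situations jim lists can be driven from the same Net::LDAP modify call; what differs is whether the old value is supplied. The following is an added example, not code from the original answer or from the letu.edu page: it encodes unicodePwd with Encode (the split/"\000" loop above only works for ASCII), escapes the lookup value, checks every result code, and shows the "set" (replace) form next to the "change" (delete old value, add new value) form. The hostname, DNs, CA file path, the sAMAccountName lookup and the BIND_PW environment variable are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the original answer: both forms of
# unicodePwd modification with a correct UTF-16LE encoding and real
# result checking. Host, DNs, CA file and the BIND_PW environment
# variable are placeholders.
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAPS;
use Net::LDAP::Constant qw(LDAP_SUCCESS);
use Net::LDAP::Util qw(escape_filter_value);

# AD takes the password as a UTF-16LE string wrapped in double quotes.
# Encode handles any character the user may type, not just ASCII.
sub unicode_pwd {
    my ($plain) = @_;
    return encode('UTF-16LE', qq("$plain"));
}

# Warn and return false on any non-success LDAP result code.
sub ldap_ok {
    my ($mesg, $what) = @_;
    return 1 if $mesg->code == LDAP_SUCCESS;
    warn "$what failed: " . $mesg->error . " (code " . $mesg->code . ")\n";
    return 0;
}

# Resolve a logon name to a DN. The value is escaped so input such as
# "*" or "x)(objectClass=*" cannot widen the filter.
sub find_dn {
    my ($ldap, $base, $sam) = @_;
    my $mesg = $ldap->search(
        base   => $base,
        scope  => 'sub',
        filter => '(sAMAccountName=' . escape_filter_value($sam) . ')',
        attrs  => ['1.1'],   # DN only, no attribute values
    );
    return unless ldap_ok($mesg, "search for $sam");
    return if $mesg->count != 1;
    return $mesg->entry(0)->dn;
}

# "Set": an account with reset-password rights replaces the value.
# Over a cleartext connection AD refuses this with unwillingToPerform.
sub set_password {
    my ($ldap, $dn, $new) = @_;
    my $mesg = $ldap->modify($dn, replace => { unicodePwd => unicode_pwd($new) });
    return ldap_ok($mesg, "set password on $dn");
}

# "Change": the old value is deleted and the new one added in a single
# modify, so the caller must know the old password and AD enforces
# history, minimum age and complexity as for an interactive change.
sub change_password {
    my ($ldap, $dn, $old, $new) = @_;
    my $mesg = $ldap->modify($dn, changes => [
        delete => [ unicodePwd => unicode_pwd($old) ],
        add    => [ unicodePwd => unicode_pwd($new) ],
    ]);
    return ldap_ok($mesg, "change password on $dn");
}

# Usage: placeholders for the DC, the CA bundle and the service account.
my $ldap = Net::LDAPS->new('dc1.example.com', port => 636, version => 3,
                           verify => 'require',
                           cafile => '/etc/ssl/certs/ad-root-ca.pem')
    or die "LDAPS connect failed: $@\n";
ldap_ok($ldap->bind('CN=pwdreset,OU=Service,DC=example,DC=com',
                    password => $ENV{BIND_PW}), 'bind') or exit 1;

my $dn = find_dn($ldap, 'DC=example,DC=com', 'jdoe')
    or die "no unique entry for jdoe\n";
set_password($ldap, $dn, 'Correct-Horse-Battery-9')
    and print "password set for $dn\n";
$ldap->unbind;
```

The "change" form is the one to use from a self-service page, because it only succeeds when the caller knows the current password and AD applies the password policy to it; the "set" form needs the binding account to hold the Reset Password right on the target and bypasses the minimum-age and history checks.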
itniflAuthor Commented:
But to establish an LDAPS connection, you don't need certificates, private/public keys and such?
I don't see that specified in the code. Of course I can try the code, but I thought this was needed for an encrypted communication to be established.
jwillekeCommented:
The code is a fragment to show how to change the password.

The setting up of Net::LDAPS is pretty well documented at: http://search.cpan.org/~gbarr/perl-ldap-0.4001/lib/Net/LDAPS.pm

Most of the issues with Net::LDAPS usually surround the use of IO::Socket::SSL, which relies on Net::SSLeay, which uses a global object to access some of the API of OpenSSL, which must be present on the platform you are using.
The good news: usually Linux is the easiest, as Linux almost always has OpenSSL installed.

LDAPS is enabled by default on AD.

And by default, when building a Net::LDAPS connection object, the SSL session will be constructed without verification of the certificate used to encrypt the session.
For how to enable verification see: http://ldapwiki.willeke.com/wiki/Perl%20LDAPS%20and%20Certificates

-jim
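The point about the Net::LDAPS default deserves a concrete illustration: the client side needs no keys or certificates of its own, but unless it is told which CA to trust it will accept any certificate, and the 128-bit rule AD enforces says nothing about who is on the other end. The following is an added example, not code from the thread: the unverified default next to the verified form, plus a look at what the underlying IO::Socket::SSL object actually negotiated. The DC hostname, CA file and service-account DN are placeholders.

```perl
#!/usr/bin/perl
# Added example, not from the original thread: Net::LDAPS with and
# without certificate verification, and a report of the negotiated TLS
# parameters. Host, CA file and bind DN are placeholders.
use strict;
use warnings;
use Net::LDAPS;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Weak: equivalent to Net::LDAPS->new($host) with no options. The session
# is encrypted, but any certificate is accepted, so whoever answers on
# port 636 for this name gets the bind password and every unicodePwd
# value sent over the connection.
sub connect_unverified {
    my ($host) = @_;
    return Net::LDAPS->new($host, port => 636, version => 3, verify => 'none');
}

# Hardened: require a certificate that chains to a CA we trust (the AD
# CA, or whatever issued the DC's certificate) and, with a current
# perl-ldap, whose name matches the host we asked for.
sub connect_verified {
    my ($host, $cafile) = @_;
    return Net::LDAPS->new($host, port => 636, version => 3,
                           verify => 'require', cafile => $cafile);
}

# What the IO::Socket::SSL object negotiated, for the log: protocol,
# cipher (so the 128-bit requirement can be confirmed) and peer subject.
sub describe_tls {
    my ($ldap) = @_;
    my $sock = $ldap->socket;
    return sprintf("%s %s, peer %s",
        $sock->get_sslversion, $sock->get_cipher,
        $sock->peer_certificate('subject'));
}

# Usage: placeholders for the DC, the CA bundle and the service account.
my $dc   = 'dc1.example.com';
my $ldap = connect_verified($dc, '/etc/ssl/certs/ad-root-ca.pem')
    or die "LDAPS to $dc failed: $@\n";   # $@ holds the SSL/socket error
print describe_tls($ldap), "\n";

my $mesg = $ldap->bind('CN=pwdreset,OU=Service,DC=example,DC=com',
                       password => $ENV{BIND_PW});
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;
$ldap->unbind;
```

When connect_verified fails where connect_unverified works, the text in $@ says which check failed (untrusted issuer, expired certificate, name mismatch); fix that on the DC or in the CA bundle rather than falling back to verify => 'none'.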
Bryan ButlerCommented:
I was definitely wrong on that one.  Thanks Jim.  Also here is some doc on it:
http://search.cpan.org/~GBARR/perl-ldap/lib/Net/LDAP/FAQ.pod
itniflAuthor Commented:
failed Transport endpoint is not connected at /usr/lib/cgi-bin/createUser.cgi line 41.

Didn't work for me. I guess I need to set up those certificates.
itniflAuthor Commented:
I guess you are right. I don't need to set up any keys or certs where the scripts are run, as long as I follow this guide for the server: http://support.microsoft.com/kb/321051