Setting Passwords in Active Directory with Perl

So there is no way to change or set passwords in Active Directory with Perl from a Linux server without Net::LDAPS and the whole deal described here http://support.microsoft.com/kb/321051 ?
itniflAsked:
jwillekeCommented:
Of course you can.

There are two situations for password modification:
1 - Change the password - where an entry changes its own password.
2 - Set the password - where an entry with the proper rights sets the password.

Active Directory has a restriction that password modification MUST be performed on an LDAPS connection of not less than 128 bits.

Shown is a Perl code fragment that can be used to "Set the password" (taken from http://www.letu.edu/people/markroedel/netcccu/activedirectorypasswordchanges.htm).

use strict;
use warnings;
use Encode qw(encode);
use Net::LDAPS;
use Net::LDAP::Util qw(escape_filter_value);

sub set_password {
   my ($username, $password) = @_;

   if (!defined $username or $username eq '' or !defined $password or $password eq '') {
      print "Uid and/or password missing in input\n";
      return 0;
   }

   # Bind to the AD server over LDAPS (port 636). One connection is enough
   # for both the lookup and the modify.
   my $ad = Net::LDAPS->new("activedirectoryserver.hostname", version => 3)
      or do { print "Unable to connect to account database server\n"; return 0 };

   # bind() always returns a message object, so test its result code
   # rather than the object itself.
   my $mesg = $ad->bind("<ldap bind dn>", password => "<ldap bind password>");
   if ($mesg->code) {
      print "Unable to bind to account database server: " . $mesg->error . "\n";
      return 0;
   }

   # Do an AD lookup to get the dn for this user, then change their password.
   # The username is escaped so that it cannot alter the search filter.
   $mesg = $ad->search(
      base   => "ou=accounts, dc=letnet, dc=net",
      filter => "(cn=" . escape_filter_value($username) . ")",
   );
   if ($mesg->code or $mesg->count != 1) {
      print "Didn't find a valid account for user $username (" . $mesg->count . " match(es))\n";
      return 0;
   }

   # AD expects unicodePwd as the new password enclosed in double quotes and
   # encoded as UTF-16LE (the byte-by-byte loop this replaces only handled ASCII).
   my $npass = encode('UTF-16LE', qq{"$password"});

   # Now change it
   my $dn  = $mesg->entry(0)->dn;
   my $rtn = $ad->modify($dn, replace => { unicodePwd => $npass });
   if ($rtn->code) {
      print "User $username, setting password failed: " . $rtn->error . "\n";
      $ad->unbind;
      return 0;
   }

   $ad->unbind;
   print "Password for $username successfully changed.\n";

   return 1;
}

-jim

Bryan ButlerCommented:
Not in Perl. You could call another program to do it, but then that wouldn't be using Perl.
itniflAuthor Commented:
But to establish an LDAPS connection you don't need certificates, private/public keys and such?
I don't see that specified in the code. Of course I can try the code, but I thought this was needed for an encrypted communication to be established.
jwillekeCommented:
The code is a fragment to show how to change the password.

The setting up of Net::LDAPS is pretty well documented at: http://search.cpan.org/~gbarr/perl-ldap-0.4001/lib/Net/LDAPS.pm

Most of the issues with Net::LDAPS usually surround the use of IO::Socket::SSL, which relies on Net::SSLeay, which uses a global object to access some of the API of OpenSSL, which must be present on the platform you are using.
The good news is that Linux is usually the easiest, as Linux almost always has OpenSSL installed.

LDAPS is enabled by default on AD.

And by default, when building a Net::LDAPS connection object, the SSL session will be constructed without verification of the certificate used to encrypt the session.
For how to enable verification see: http://ldapwiki.willeke.com/wiki/Perl%20LDAPS%20and%20Certificates

-jim
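Added example, not code from the thread or from the linked pages: it puts together the two points made above, a Net::LDAPS connection with certificate verification turned on (the default is none), and the difference between a user changing their own password and a privileged account setting one. Hostname, CA file path, DNs and passwords are placeholders.

```perl
# Added example (not from the thread): verified LDAPS plus both password operations.
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAPS;

# AD wants the new value of unicodePwd as the password in double quotes,
# encoded as UTF-16LE, sent over a connection of at least 128-bit strength.
sub unicode_pwd {
   my ($password) = @_;
   return encode('UTF-16LE', qq{"$password"});
}

# Connect with certificate verification switched on (the default is 'none').
# The CA file must contain the issuer of the domain controller's certificate.
my $ldap = Net::LDAPS->new(
   'dc01.example.test',                    # placeholder host
   port    => 636,
   version => 3,
   verify  => 'require',
   cafile  => '/etc/ssl/certs/ad-ca.pem',  # placeholder path
) or die "LDAPS connect failed: $@";

# "Change": the user binds as themselves with the old password, and the modify
# deletes the old value and adds the new one in a single operation.
sub change_own_password {
   my ($user_dn, $old, $new) = @_;
   my $r = $ldap->bind($user_dn, password => $old);
   die "bind failed: " . $r->error if $r->code;
   $r = $ldap->modify($user_dn, changes => [
      delete => [ unicodePwd => unicode_pwd($old) ],
      add    => [ unicodePwd => unicode_pwd($new) ],
   ]);
   die "change failed: " . $r->error if $r->code;
}

# "Set": an account holding the reset-password right binds and replaces the
# value outright; no old password is needed.
sub set_user_password {
   my ($admin_dn, $admin_pw, $user_dn, $new) = @_;
   my $r = $ldap->bind($admin_dn, password => $admin_pw);
   die "bind failed: " . $r->error if $r->code;
   $r = $ldap->modify($user_dn, replace => { unicodePwd => unicode_pwd($new) });
   die "set failed: " . $r->error if $r->code;
}

set_user_password('CN=svc-pwreset,OU=Service,DC=example,DC=test', 'placeholder',
                  'CN=Jane Doe,OU=Accounts,DC=example,DC=test', 'N3w-P@ssw0rd!');
$ldap->unbind;
```

With verify set to 'require', a connection to a controller whose certificate is not signed by the configured CA fails at new() instead of silently proceeding unverified.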
Bryan ButlerCommented:
I was definitely wrong on that one.  Thanks Jim.  Also here is some doc on it:
http://search.cpan.org/~GBARR/perl-ldap/lib/Net/LDAP/FAQ.pod
itniflAuthor Commented:
failed Transport endpoint is not connected at /usr/lib/cgi-bin/createUser.cgi line 41.

Didn't work for me. I guess I need to set up those certificates.
itniflAuthor Commented:
I guess you are right. I don't need to set up any keys or certs where the scripts are run, as long as I follow this guide for the server: http://support.microsoft.com/kb/321051