
Can't change passwd in AD 2008 R2


Prentice Bisbal

Apr 28, 2011, 3:07:20 PM
to perl...@perl.org
We recently updated our Active Directory servers to 2008 R2. I had a
perl script that would change a user's password in OpenLDAP and Active
Directory at the same time. This was working fine until the update. I
can still change a user's password when I bind as an AD administrator,
but not as a normal user. Has anyone else here gone through this?

I know that the behavior of replacing a password is different depending on
whether you are an administrator or a regular user changing your own
password, as documented here:

http://support.microsoft.com/?kbid=269190

I wrote this code based on the above link:

# AD doesn't allow non-admin users to replace their password.
# Instead, it must be deleted and re-added. Administrators can only
# replace a password.
if ($username ne getlogin()) {
    # Not changing our own password (i.e. bound as an admin): plain replace.
    $mesg = $ad->modify($ad_user_dn, replace => { unicodePwd => $newUnicodePwd });
} else {
    # Changing our own password: try the delete first ...
    $mesg = $ad->modify($ad_user_dn, delete => { unicodePwd => $newUnicodePwd });
    $code = $mesg->code;
    if ($code != 0) {
        # ... and fall back to a replace if the delete was refused.
        $mesg = $ad->modify($ad_user_dn, replace => { unicodePwd => $newUnicodePwd });
    }
}

This worked just fine until the upgrade to 2008 R2. Any ideas?

--
Prentice
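As an added example (not code from this thread or from the original poster), here is what the two operations that KB 269190 distinguishes actually look like when built as an LDAP modify request: an administrative reset is a single replace of unicodePwd, while a user changing their own password deletes the old value and adds the new value in one modify operation, and in both cases the value is the cleartext wrapped in double quotes and encoded as UTF-16LE. It is written in Python rather than the thread's Perl because it only constructs the request and renders it as LDIF for ldapmodify (unicodePwd is binary, so LDIF needs the base64 `::` form); the DN and passwords are constructed for the example.

```python
import base64
import sys

# Constructed sample DN for the example; not a real directory entry.
SAMPLE_DN = "CN=Jane Doe,OU=Users,DC=example,DC=com"


def encode_unicode_pwd(password: str) -> bytes:
    """Encode a cleartext password the way AD expects it in unicodePwd:
    the value is wrapped in double quotes and encoded as UTF-16LE (no BOM)."""
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicode_pwd(raw: bytes) -> str:
    """Inverse of encode_unicode_pwd; used here to check the encoding round-trips."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not quoted")
    return text[1:-1]


def admin_reset_mods(new_password: str):
    """Administrative reset (needs the 'Reset Password' right on the target):
    a single replace of unicodePwd. The old password is not needed."""
    return [("replace", "unicodePwd", encode_unicode_pwd(new_password))]


def self_change_mods(old_password: str, new_password: str):
    """A user changing their own password (the 'Change Password' right):
    delete the OLD value and add the NEW value, both in ONE modify request.
    AD uses the deleted value to verify that the caller knows the old password."""
    return [
        ("delete", "unicodePwd", encode_unicode_pwd(old_password)),
        ("add", "unicodePwd", encode_unicode_pwd(new_password)),
    ]


def to_ldif(dn: str, mods) -> str:
    """Render a modify change list as LDIF suitable for ldapmodify.
    unicodePwd is binary, so each value is written base64 with the '::' form."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, value in mods:
        lines.append(f"{op}: {attr}")
        lines.append(f"{attr}:: {base64.b64encode(value).decode('ascii')}")
        lines.append("-")
    return "\n".join(lines) + "\n"


def parse_ldif_pwd_mods(ldif: str):
    """Parse the LDIF produced by to_ldif back into (op, attr, cleartext) tuples,
    so the two request shapes can be inspected without a directory server."""
    mods = []
    op = None
    for line in ldif.splitlines():
        if line.startswith(("delete: ", "add: ", "replace: ")):
            op = line.split(":", 1)[0]
        elif line.startswith("unicodePwd:: ") and op is not None:
            raw = base64.b64decode(line.split(":: ", 1)[1])
            mods.append((op, "unicodePwd", decode_unicode_pwd(raw)))
    return mods


if __name__ == "__main__":
    # "admin" prints the reset form, anything else the self-change form.
    which = sys.argv[1] if len(sys.argv) > 1 else "self"
    if which == "admin":
        print(to_ldif(SAMPLE_DN, admin_reset_mods("N3wP@ssw0rd!")), end="")
    else:
        print(to_ldif(SAMPLE_DN, self_change_mods("0ldP@ssw0rd!", "N3wP@ssw0rd!")), end="")
```

Redirect the output to a file and feed it to ldapmodify over LDAPS, binding as the user whose password is being changed for the self-change form (e.g. `ldapmodify -H ldaps://dc01.example.com -x -D "CN=Jane Doe,OU=Users,DC=example,DC=com" -W -f change.ldif`); AD refuses unicodePwd modifications over an unencrypted connection, which is the point Dan makes below.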

Prentice Bisbal

Apr 28, 2011, 4:10:53 PM
to perl...@perl.org
Also, this works when I do the password change as the AD admin, but not
as a normal user, so I think it's either a permission problem on the AD
server, or MS changed the method of changing the password for non-admins
("self").

On 04/28/2011 04:00 PM, Dan Cutler wrote:
> Prentice,
>
> Try using LDAPS. The setup for this isn't terribly easy but once you've got the keys in place, AD seems more friendly.
>
> From my understanding AD will only let you make "security related" changes over secured (encrypted) connections; see the (-Z) switch below...
>
> ie: ldapmodify -c -x -D "CN=ldap Admin,OU=ServiceAccounts,DC=mycompany,DC=com" -w 'supersecretpw' -f new_users_pw.ldif -H ldaps://dc01.mycompany.com -Z
>
> I typically write perl code to create LDIF files, then use "ldapmodify" with wire encryption.
>
> If I don't use encryption, AD rejects all security related changes.
>
> Hope that helps.
>
> --Dan

Prentice Bisbal

Apr 28, 2011, 4:07:37 PM
to perl...@perl.org
I am using LDAPS:

$ad = Net::LDAP->new(\@ad_servers,
    onerror => 'warn',
    scheme  => 'ldaps',
    verify  => 'require',
    cafile  => $tls_cacertfile,
) || die 'Couldn\'t connect to Active Directory server';

I should have specified that earlier. As far as I know, that's the same
as using

$ad = Net::LDAPS->new(...)

As you mentioned, LDAP/TLS or LDAP/SSL is a requirement for password
changes on AD, even with our previous AD servers. So, if I didn't use
it, my program wouldn't have worked with the earlier AD servers, either.

Prentice


Dan Cutler

Apr 28, 2011, 4:00:59 PM
to Prentice Bisbal, perl...@perl.org
Prentice,

Try using LDAPS. The setup for this isn't terribly easy but once you've got the keys in place, AD seems more friendly.

From my understanding AD will only let you make "security related" changes over secured (encrypted) connections; see the (-Z) switch below...

ie: ldapmodify -c -x -D "CN=ldap Admin,OU=ServiceAccounts,DC=mycompany,DC=com" -w 'supersecretpw' -f new_users_pw.ldif -H ldaps://dc01.mycompany.com -Z

I typically write perl code to create LDIF files, then use "ldapmodify" with wire encryption.

If I don't use encryption, AD rejects all security related changes.

Hope that helps.

--Dan

-----Original Message-----
From: Prentice Bisbal [mailto:pren...@ias.edu]
Sent: Thursday, April 28, 2011 3:07 PM
To: perl...@perl.org
Subject: Can't change passwd in AD 2008 R2

Buchan Milne

May 5, 2011, 6:06:27 AM
to perl...@perl.org, Prentice Bisbal

You should probably:
warn $mesg->error if $mesg->code;
here.
> }
> }

> This worked for just fine until the upgrade to 2008 R2. Any ideas?

Well, maybe the LDAP server told you, but you have to listen ...

Regards,
Buchan
