Resetting AD passwords without SSL


Samuel Parsons

May 27, 2011, 10:07:06 AM
to perl...@perl.org
I'm attempting to reset AD passwords without SSL as our AD server
admin doesn't know how to enable SSL on the AD server.

The link between the machine and the AD server is secure for other
reasons and so SSL is not necessary (at least from our
server-manager's perspective).

The MS documentation does not indicate that this is possible, but
essentially in order to update passwords you need to either have SSL,
TLS, or (undocumented) set the LDAP_OPT_ENCRYPTION = 1 on the LDAP
connection. (Incidentally, LDAP_OPT_ENCRYPTION is defined as 0x96) [1]

I have one report of the undocumented option being possible in VB.NET
which seems to indicate to me that AD itself supports changing
passwords *without* SSL or TLS. It's just a matter of figuring out
exactly how VB.NET (or other .NET languages, I presume) does it. For,
I hope, obvious reasons, I'm not planning on using VB unless it's
absolutely necessary. In fact, I think it shouldn't be necessary.

However, as far as my research shows, setting the option is
unsupported in PHP [2] (language I have most experience with), Python,
and now I've come to Perl. My thinking was that if it's possible
anywhere, the Perl folks would have figured it out.

I've searched Perl documentation on setting this option and doing
non-SSL password changes and I can't seem to find any hint that this
is possible. If you know how to set this option or how to achieve it
please let me know!

[1] http://msdn.microsoft.com/en-us/library/aa367019(v=vs.85).aspx
[2] http://bugs.php.net/bug.php?id=50924

Sam

Peter Karman

May 27, 2011, 10:12:21 AM
to perl...@perl.org

This is how I set the password in AD:

http://search.cpan.org/~karman/Net-LDAP-Class-0.26/lib/Net/LDAP/Class/User/AD.pm#password([plain_password])

read the source for the password() method.

IIRC, SSL or TLS was not required, but binding in the initial LDAP
connection with a user with privileges to set the password via LDAP was.
I could be wrong about the SSL/TLS (it's been a few years...).


--
Peter Karman . http://peknet.com/ . pe...@peknet.com

Dan Cutler

May 27, 2011, 11:56:56 AM
to perl...@perl.org, sparsons.b...@gmail.com
Sam,

Having been in your shoes, I found that you absolutely have to have one of the security configurations mentioned to update passwords in AD via Perl (or ldapadd/ldapmodify) as Peter mentioned.

Luckily I've got a great Windows sysadmin who could set up that cert for me (I'm Windows challenged).
Try this link: http://www.linuxmail.info/enable-ldap-ssl-active-directory/ . It's not the greatest article but lays out most of the initial steps towards setting up the cert.

In my case, I use LDAPS and connect with an admin type user to AD.

I typically don’t update AD directly, rather I use Net::LDAP::LDIF to generate LDIF files that I "apply" using ldapadd/ldapmodify over LDAPS from Linux.

It took me a while to get the hang of many of the Net::LDAP libraries out there, but it paid off (plus it's quite fun/interesting).

--Dan
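An added example (not Peter's Net::LDAP::Class code, nor Dan's LDIF scripts) combining the two approaches above: a direct Net::LDAP modify of unicodePwd, done over LDAPS with certificate verification so the DC accepts the write. The host, CA bundle, DNs and password are assumed placeholder values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAP;

# Hypothetical values: replace with your own DC, CA bundle and accounts.
my $dc_uri   = 'ldaps://dc1.example.com';
my $ca_file  = '/etc/ssl/certs/corp-ca.pem';
my $bind_dn  = 'CN=svc-pwreset,OU=Service Accounts,DC=example,DC=com';
my $bind_pw  = $ENV{PWRESET_BIND_PW} // die "set PWRESET_BIND_PW in the environment\n";
my $user_dn  = 'CN=Jane Doe,OU=Staff,DC=example,DC=com';
my $new_pass = 'Tr0ub4dor&3';   # constructed sample value

# AD stores unicodePwd as the new password wrapped in double quotes and
# encoded as UTF-16LE; a plain UTF-8 value is rejected by the DC.
sub ad_password_value {
    my ($plain) = @_;
    return encode('UTF-16LE', qq("$plain"));
}

# Connect over LDAPS and verify the DC certificate against our CA bundle.
# AD refuses unicodePwd writes on an unencrypted session, which is why the
# plain port-389 attempts in this thread fail.
my $ldap = Net::LDAP->new(
    $dc_uri, version => 3, verify => 'require', cafile => $ca_file,
) or die "LDAPS connect failed: $@";

my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die 'bind failed: ' . $mesg->error if $mesg->code;

# Administrative reset: a single "replace" of unicodePwd. No old password is
# needed, but the bound account must hold the Reset Password right on the target.
$mesg = $ldap->modify($user_dn,
    replace => { unicodePwd => ad_password_value($new_pass) });
die 'password reset failed: ' . $mesg->error if $mesg->code;

# Force a change at next logon so the user chooses a password the operator never sees.
$mesg = $ldap->modify($user_dn, replace => { pwdLastSet => 0 });
die 'pwdLastSet update failed: ' . $mesg->error if $mesg->code;

$ldap->unbind;
print "Password reset for $user_dn over LDAPS\n";
```

The same attribute write can be expressed as an LDIF changetype: modify record for ldapmodify, but the value still has to be the quoted UTF-16LE form (base64-encoded in the LDIF) and the connection still has to be LDAPS or a Kerberos-sealed session.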

Justin Alcorn

May 27, 2011, 10:17:52 AM
to Samuel Parsons, perl...@perl.org
It's well documented. AD won't allow you to change a password over LDAP
389.

Enabling SSL LDAP is quite easy. Simply make one of the domain controllers
a Certificate Authority. That automatically turns on LDAPS on all DCs.
--
Justin B. Alcorn
The views expressed here are not necessarily my own, much less anyone
else's.
PGP Fingerprint A36D D691 C5B0 BE15 5A2A AF49 AA1C 372C

Al Lilianstrom

May 27, 2011, 12:11:48 PM
to perl...@perl.org, sparsons.b...@gmail.com
I am doing things much the same way Dan is. Using the Net::LDAP::LDIF modules to create LDIF to update AD with via ldapadd/modify. I use Kerberos authentication so I don't have to worry about using SSL.

Microsoft has a simple guide for setting up SSL on a DC - http://support.microsoft.com/kb/321051. It's really easy. Did two DCs yesterday in an hour (including purchasing the certs). If you are doing multiple DCs and want to address the domain by the service name rather than a FQDN of a DC, be sure to get the Subject Alternative Name set properly in the certificate.

al

--
Al Lilianstrom
CD/LSC/SOS/ES
lils...@fnal.gov