Changing Passwords in Active Directory with ruby-net-ldap


Justin Grudzien

Apr 21, 2009, 12:40:42 PM
to rubyonra...@googlegroups.com
I am building an application in Rails using ruby-net-ldap and I am
trying to figure out how to change passwords in Active Directory. Does
anyone have any experience with this using the ruby-net-ldap gem? I know
that I remember seeing an example on the web somewhere that showed how
to do this using the depot application from the Rails book but for the
life of me I can't find it again. :( Any help would be greatly
appreciated.
--
Posted via http://www.ruby-forum.com/.

Jeff Lewis

Apr 22, 2009, 12:25:13 PM
to Ruby on Rails: Talk
Try replace_attribute:
http://net-ldap.rubyforge.org/rdoc/classes/Net/LDAP.html#M000030

from rdoc example for updating mail attribute:

dn = "cn=modifyme,dc=example,dc=com"
ldap.replace_attribute dn, :mail, "newmail...@example.com"

I haven't worked with Active Directory specifically, so there might be
quirks regarding updating the password (pre-digested/-encoded first,
or ...?). Best to have other means of resetting the password while
testing what works.

Jeff


Sandro Duarte

Sep 3, 2009, 2:40:37 PM
to rubyonra...@googlegroups.com
Justin,

Have you had any luck with this?

I'm having the same problem here...

TIA,

Sandro

Justin Grudzien

Sep 3, 2009, 5:34:05 PM
to rubyonra...@googlegroups.com

I did figure it out.

My explanation is as follows:

Convert your OLD and NEW passwords into some goofy kind of unicode.
Create a two-element array (1. delete old password element, 2. add new
password element) that modifies the unicodePwd attribute (represented as
:unicodePwd). Run an ldap modify on the proper dn for the user, passing
it both operations from the array (if you need to know how to get the
user dn let me know, but there are lots of examples out there). If it
succeeds, it will update the password!


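require 'iconv'  # standard library through Ruby 1.9; a separate gem since 2.0

# Wrap the cleartext password in double quotes and convert it to UTF-16LE,
# the form Active Directory expects for unicodePwd.
def self.ct2uni(cleartextpwd)
  quotepwd = '"' + cleartextpwd + '"'
  unicodepwd = Iconv.iconv('UTF-16LE', 'UTF-8', quotepwd).first
  return unicodepwd
end

oldUniPW = ct2uni( opassword )
newUniPW = ct2uni( newpass )

# Delete the old value and add the new one in a single modify request.
ops = [
  [ :delete, :unicodePwd, [oldUniPW] ],
  [ :add, :unicodePwd, [newUniPW] ]
]

unless ldap_con.modify( :dn => dn, :operations => ops )
  ret[ :status ] = false
  ret[ :message ] = "bad:!:Error changing password for user #{login}."
  return( ret )
end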

Justin

Sandro Duarte

Sep 3, 2009, 6:12:52 PM
to rubyonra...@googlegroups.com
Thanks...

That did the trick.

Actually I used this code:

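# Appends a NUL byte after each character of the quoted password; this
# matches UTF-16LE only when the password is plain ASCII.
def microsoft_encode_password(pwd)
  ret = ""
  pwd = "\"" + pwd + "\""
  pwd.length.times{|i| ret+= "#{pwd[i..i]}\000" }
  ret
end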

so you don't need the Iconv dependency.

Thanks again,

Sandro
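
Added example, not code from any poster in this thread or from the net-ldap project: the unicodePwd encoding done with Ruby's built-in String#encode and checked against the NUL-after-each-character shortcut, plus the operation lists for a change and, going beyond the thread, an administrative reset via a single replace. The helper names are hypothetical and the input is assumed to be UTF-8 text.

```ruby
# Added example; the helper names below are hypothetical, not net-ldap API.

# Encode a password for AD's unicodePwd attribute: the value wrapped in
# double quotes, as UTF-16LE bytes. Assumption: the caller supplies UTF-8.
# Empty or malformed input is rejected here rather than surfacing later
# as an opaque LDAP error.
def ad_unicode_pwd(cleartext)
  utf8 = cleartext.to_s.dup.force_encoding(Encoding::UTF_8)
  raise ArgumentError, "password is empty" if utf8.empty?
  raise ArgumentError, "password is not valid UTF-8" unless utf8.valid_encoding?
  "\"#{utf8}\"".encode(Encoding::UTF_16LE).b
end

# The NUL-after-every-character shortcut, kept for comparison only.
def nul_interleaved(cleartext)
  "\"#{cleartext}\"".each_char.map { |c| c.b + "\x00".b }.join.b
end

# True when the shortcut yields the same bytes as real UTF-16LE, which
# holds only for 7-bit ASCII passwords.
def shortcut_safe?(cleartext)
  nul_interleaved(cleartext).bytes == ad_unicode_pwd(cleartext).bytes
end

# Self-service change: delete the old value and add the new one in a
# single modify, as in the thread.
def change_ops(old_pw, new_pw)
  [[:delete, :unicodePwd, [ad_unicode_pwd(old_pw)]],
   [:add,    :unicodePwd, [ad_unicode_pwd(new_pw)]]]
end

# Administrative reset: a single replace; the old password is not needed.
def reset_ops(new_pw)
  [[:replace, :unicodePwd, [ad_unicode_pwd(new_pw)]]]
end

# With net-ldap (the connection must be encrypted, e.g. LDAPS, or AD
# refuses the write):
#   ldap.modify(:dn => dn, :operations => change_ops(old_pw, new_pw))

if __FILE__ == $PROGRAM_NAME
  sample = "Pa\u00dfw0rd!" # constructed sample with one non-ASCII character
  puts ad_unicode_pwd(sample).unpack1("H*")
  puts "shortcut safe? #{shortcut_safe?(sample)}"
end
```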
