Comments on: Victory! Change Active Directory Password via LDAP through browser

By: matt

matt — Wed, 02 Nov 2011 00:48:09 +0000

Thanks for this, really helped me out. For others trying to do this in python you need something like this:

c.modify_s(dn, [(ldap.MOD_DELETE, 'unicodePwd', old_password), (ldap.MOD_ADD, 'unicodePwd', new_password)])

this performs a password CHANGE. if you have bound with a user who has password RESET power you can do this:

c.modify_s(dn, [(ldap.MOD_REPLACE, 'unicodePwd', new_password)])

You need to be connected using SSL (via port 636) and since most AD servers appear to use selfsigned certs you will have to either add the cert to your tool chain or do something like this:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
ldap.set_option(ldap.OPT_REFERRALS, 0)
(not sure what the second line is for).

Oh, one last thing, to make those passwords use this:
new_password = unicode(“\”" + ‘secret’ + “\”", “iso-8859-1″).encode(“utf-16-le”)

By: jquest07

jquest07 — Wed, 05 Oct 2011 22:18:12 +0000

First of all, thanks for this great information.

I’m trying to do this on Red Hat 6 and found that Unicode::String is not available. After looking into what it would take to install this module I found that perl has encoding capability built in that will do the trick. Here’s the code to do the encoding I was able to get to work:

use Encode qw(encode decode);
my $oldUniPW = encode(“UTF-16LE”,’”‘.$oldpw.’”‘);
my $newUniPW = encode(“UTF-16LE”,’”‘.$newpw.’”‘);

By: evan

evan — Wed, 16 Feb 2011 01:36:25 +0000

A working .htaccess with LDAP auth is here:

http://www.evanhoffman.com/evan/?p=298

Evan

By: Pablo

Pablo — Fri, 11 Feb 2011 19:50:42 +0000

Thank you very much! I think it would be convenient to include a link for the .htaccess LDAP authentication such as this one: http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html#LDAP

By: risha

risha — Thu, 27 Jan 2011 13:17:08 +0000

Hi Ivan,
can u advise me how to call this perl script through php.I gues si can use passthrough but i ness to pass parameters like basedn,userid,pwd etch.
Kindly advise

By: Sergio

Sergio — Wed, 19 Jan 2011 08:06:30 +0000

Hi Evan,

I need your script, becouse I have linux machine integrated with Active Directory (ldap only, not kerberos) and need change user password, but I don’t know to check your script, I don’t know perl and php. Can you said me that steps (conceptual) I have to check it?

A lot of thanks

P.D: Sorry for my English

By: evan

evan — Tue, 30 Mar 2010 18:54:53 +0000

Actually, I tried a bunch of different things and some of them worked “halfway.” I sent raw LDIF records directly to the AD server and that worked, so I assumed there had to be some way to do it via code, even if it came down to opening a raw socket. The Perl script I have in use does work though, with the “modify” command. I think as long as the delete/add takes place in a single transaction (and you provide the old password) it does work. The problem with PHP, iirc, was that it implemented the delete/add as two separate operations.

By: Jason Fried

Jason Fried — Tue, 30 Mar 2010 18:05:33 +0000

Instead of using charmap. you can convert the password to UTF16 Little Endian in a simple fashion using just Unicode::String

my $UTF16pass = Unicode::String::utf8(“\”$password\”")->utf16le();

Which makes more sense than byte swap.

Does the modify method work for password reset?
I found that i had to use an admin account with replace to get it to work. And most sites I saw said the modify method was broken with Active Directory.