Differences between version 3 and predecessor to the previous major change of ActiveDirectoryAuthenticationNotes.
Newer page: | version 3 | Last edited on Friday, May 2, 2003 1:41:19 pm | by GreigMcGill | Revert |
Older page: | version 2 | Last edited on Monday, March 17, 2003 6:40:19 pm | by PerryLorier | Revert |
@@ -63,4 +63,74 @@
This prevents the error above from occuring, and now only authorised people can login.
There is a nasty security flaw in mod_ldap that while that error is appearing in your logs you can login as __''any''__ user (even if that user doesn't exist). This is because when that error occurs mod_ldap fails and returns 0. However 0 turns out to be "success" instead of "failure". Ooops!
+
+----
+!!Changing passwords
+
+The following was posted to the NT BugTraq list (don't ask), and I thought it may be appropriate.
+
+Here is the code I use to change a password in Active Directory. It
+uses the perl-ldap module from http://perl-ldap.sourceforge.net/
+
+It is part of a bigger program that we use to synchronize our LDAP to
+Active Directory. (one way synchronization from LDAP to AD, except
+for passwords which are two-way) I have reduced it down to a simple
+command line program that reads name & password from stdin. It does a
+very simplistic unicode conversion that will fail for non-ascii
+characters. Feel free to use it for whatever you like.
+
+Example:
+
+% chg_passwd.pl
+jim supersecret
+
+Code:
+
+\#!/usr/local/bin/perl -w
+
+use strict;
+use Net::LDAPS;
+
+my($Ad, $mesg, $uid, $pass, $npass, $dn, $rtn);
+
+($uid, $pass) = split(" ",<STDIN>);
+
+if (($uid eq '') or ($pass eq '')) {
+ print "Uid and/or password missing in input\n";
+ exit 1;
+}
+
+print "Trying to set $uid to password $pass\n";
+
+# Bind to the AD server
+
+$Ad = Net::LDAPS->new("dc.test.uva.nl", version =3)
+ or print "Unable to connect to AD server\n", exit 2;
+$Ad->bind(dn ="CN=ad,OU=Admin,DC=test,DC=uva,DC=nl", password =>
+"gandalf")
+ or print "Unable to bind to AD server\n", exit 2;
+
+# Do a AD lookup to get the dn for this user
+# then change their password.
+
+$mesg = $Ad->search(base ="DC=s-res,DC=uva,DC=nl", filter ="cn=$uid");
+if($mesg->count != 1) {
+ print "AD lookup failed for user $uid\n";
+ exit 3;
+}
+
+# Add quotes and uniCode
+map { $npass .= "$_\000" } split(//, "\"$pass\"");
+
+# Now change it
+$dn = $mesg->entry(0)->dn;
+
+$rtn = $Ad->modify($dn, replace ={ "unicodePwd" =$npass });
+if($rtn->{'resultCode'} != 0) {
+ print "User $uid, setting password failed\n";
+ exit 2;
+}
+
+print "Password for $uid changed in AD\n";
+exit 0;
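Review bot: the Perl in this hunk will not run as pasted, and it has a couple of security-relevant defects beyond the non-ASCII limitation the text already admits. Every hash-style argument has lost its fat comma: `version =3`, `dn ="CN=ad,...`, `base ="DC=s-res,...`, `filter ="cn=$uid"` and `replace ={ "unicodePwd" =$npass }` all need `=>` (and the shebang should read `#!/usr/local/bin/perl -w` without the backslash). The failure handlers of the form `or print "Unable to connect to AD server\n", exit 2;` never print anything, because Perl evaluates the list, including `exit 2`, before `print` runs; write `or do { print "..."; exit 2 }` (or `die`). `$rtn->{'resultCode'}` reaches into Net::LDAP::Message internals; the documented accessor is `$rtn->code`, and `$rtn->error` gives the server's reason. On the security side, `filter => "cn=$uid"` interpolates stdin straight into an LDAP filter, so a name containing `*`, `(` or `)` changes the query; pass it through `escape_filter_value` from Net::LDAP::Util first (the `count != 1` check only narrows what an over-broad match can do). The script also prints the new password in clear on stdout (`Trying to set $uid to password $pass`), which lands in whatever log captures the run, and it carries the privileged bind password `gandalf` for `CN=ad,OU=Admin,...` in source; drop the password from the message and load the bind credential from a mode-0600 file or the environment. Finally, the bind DN lives under `DC=test,DC=uva,DC=nl` while the search base is `DC=s-res,DC=uva,DC=nl`; if that is not deliberate the lookup will always fail with exit 3.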