Differences between version 6 and predecessor to the previous major change of ActiveDirectoryAuthenticationNotes.
Newer page: version 6, last edited on Sunday, August 10, 2003 1:04:57 pm by AristotlePagaltzis
Older page: version 2, last edited on Monday, March 17, 2003 6:40:19 pm by PerryLorier
@@ -17,10 +17,10 @@
<Directory ''/var/www/staff''>
AuthLDAPURL ldap://''ads.example.com'':389/OU=Users,OU=Teachers,DC=example,DC=com?sAMAccountName?sub?(objectClass=user)
AuthLDAPBindDN cn=''user'',cn=Users,dc=example,dc=com
AuthLDAPBindPassword ''password-here''
- AuthType Basic
- AuthName "''Mumble School Intranet''"
+ !
AuthType Basic
+ !
AuthName "''Mumble School Intranet''"
require valid-user
</Directory>
/var/www/staff should be the path that you want to secure.
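Review bot: the `!` that this change puts in front of `AuthType Basic` and `AuthName` (the two `+ !` lines) is wiki heading markup, not an Apache directive, so the rendered page will show two stray headings inside the `<Directory>` block and anyone copying the block gets a config Apache rejects; if the intent was to highlight those two lines, use the wiki's code or emphasis markup instead. A caveat belongs beside this block as well: `AuthLDAPBindPassword` leaves the bind account's password in clear text in the Apache config (restrict the file's permissions and bind with a low-privilege, read-only account), and both the `ldap://...:389` URL and `AuthType Basic` carry credentials unencrypted unless the directory connection uses TLS and `/var/www/staff` is only served over HTTPS.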
@@ -57,10 +57,80 @@
----
!!Round Two!
Going back to this, we found a problem. This appeared in apache's error log:
- [Mon Mar 17 16:36:07 2003] [error] [client 210.54.31.4] Too many failures connecting to LDAP server
+ [
[Mon Mar 17 16:36:07 2003] [
[error] [
[client 210.54.31.4] Too many failures connecting to LDAP server
This is caused by mod_ldap trying to use [LDAP] v2. This appears to cause some (unspecified) problems with Active Directory. So I found a patch by Jeff Costlow (j.costlow at f5.com) (may whatever deity he worships provide him with many years of good health and fortune) which allows you to force [LDAP] version 3.
This prevents the error above from occuring, and now only authorised people can login.
There is a nasty security flaw in mod_ldap that while that error is appearing in your logs you can login as __''any''__ user (even if that user doesn't exist). This is because when that error occurs mod_ldap fails and returns 0. However 0 turns out to be "success" instead of "failure". Ooops!
+
+----
+!!Changing passwords
+
+The following was posted to the NT BugTraq list (don't ask), and I thought it may be appropriate.
+
+Here is the code I use to change a password in Active Directory. It
+uses the perl-ldap module from http://perl-ldap.sourceforge.net/
+
+It is part of a bigger program that we use to synchronize our LDAP to
+Active Directory. (one way synchronization from LDAP to AD, except
+for passwords which are two-way) I have reduced it down to a simple
+command line program that reads name & password from stdin. It does a
+very simplistic unicode conversion that will fail for non-ascii
+characters. Feel free to use it for whatever you like.
+
+Example:
+
+ % chg_passwd.pl
+ jim supersecret
+
+Code:
+
+ #!/usr/local/bin/perl -w
+
+ use strict;
+ use Net::LDAPS;
+
+ my($Ad, $mesg, $uid, $pass, $npass, $dn, $rtn);
+
+ ($uid, $pass) = split(" ",<STDIN>);
+
+ if (($uid eq '') or ($pass eq '')) {
+ print "Uid and/or password missing in input\n";
+ exit 1;
+ }
+
+ print "Trying to set $uid to password $pass\n";
+
+ # Bind to the AD server
+
+ $Ad = Net::LDAPS->new("dc.test.uva.nl", version =3)
+ or print "Unable to connect to AD server\n", exit 2;
+ $Ad->bind(dn ="CN=ad,OU=Admin,DC=test,DC=uva,DC=nl", password =>
+ "gandalf")
+ or print "Unable to bind to AD server\n", exit 2;
+
+ # Do a AD lookup to get the dn for this user
+ # then change their password.
+
+ $mesg = $Ad->search(base ="DC=s-res,DC=uva,DC=nl", filter ="cn=$uid");
+ if($mesg->count != 1) {
+ print "AD lookup failed for user $uid\n";
+ exit 3;
+ }
+
+ # Add quotes and uniCode
+ map { $npass .= "$_\000" } split(//, "\"$pass\"");
+
+ # Now change it
+ $dn = $mesg->entry(0)->dn;
+
+ $rtn = $Ad->modify($dn, replace ={ "unicodePwd" =$npass });
+ if($rtn->{'resultCode'} != 0) {
+ print "User $uid, setting password failed\n";
+ exit 2;
+ }
+
+ print "Password for $uid changed in AD\n";
+ exit 0;
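Review bot: the Perl added under "Changing passwords" will not compile as pasted, because every fat comma has lost its `>` (`version =3`, `dn ="CN=ad,...`, `base ="DC=s-res,...`, `filter ="cn=$uid"`, `replace ={ "unicodePwd" =$npass }`); these need to read `version => 3`, `dn => "CN=ad,..."`, `replace => { "unicodePwd" => $npass }` and so on. Two further defects worth a note next to the listing: `or print "...", exit 2` evaluates `exit 2` as part of print's argument list, so the error message is never printed (write `or do { print "..."; exit 2 }`), and `$rtn->{'resultCode'}` is not how Net::LDAP exposes the result, which is `$rtn->code`. On the security side, the script hard-codes the AD admin bind password (`"gandalf"`) in the source, echoes the new password to stdout in the `Trying to set $uid to password $pass` line, and interpolates the unvalidated `$uid` read from stdin straight into the LDAP search filter; the section should ask readers to load the bind password from a protected file, drop the echo, and escape the filter value (Net::LDAP::Util's `escape_filter_value`) before reusing the code.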