Creating Active Directory Objects

Mike Matz mmatz at
Thu Nov 8 14:41:49 CET 2007

Thanks for your input David.  I will read through the MSDN articles to  
see if they provide me with any inside.  I am not familiar with using  
SASL/GSSAPI/Kerberos to bind to AD's LDAP.  Could you possibly provide  
me with a few steps to accomplish this?

On Nov 8, 2007, at 7:48 AM, David Leonard wrote:

> Hi, Mike
> I think AD uses an extension to the Kerberos protocol to change the  
> password of a user. See
> As far as I understand it, the unicodePwd attribute is the NT hash  
> of the user's password. (See 
> .
> Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to  
> AD's LDAP. It should be a lot easier to manage than SSL certs.
> David
> Mike Matz wrote:
>> Thanks for the help guys.  It got me off to a great start.  I have  
>> successfully created a user in my AD.  As you already eluded to, I  
>> am struggling with the password attribute.  Can the password  
>> attribute be set when creating a user.  From what I gathered, the  
>> password attribute is 'unicodePwd'.  This attribute cannot be  
>> created, it can only be modified.  Is this attribute created by  
>> default when a user is created?  Would I be able to do an add and  
>> then a modify to set the password?  I am aware of the fact that  
>> there are certain restrictions in place in order to modify the  
>> password.  I have setup my AD to include SSL and I am able to bind  
>> as Administrator over port 636.  With that said one of the examples  
>> I ran across for adding a user refers to another attribute  
>> 'userPassword'.  I am unable to tell what this attribute is.  In  
>> the link below, it appears that the password is being set when the  
>> entry is added.  I have tried this unsuccessfully.  I appreicate  
>> all the help thus far.
>> Regards,
>> Mike
>> Example Add Entry -
>> -----Original Message-----
>> From: Geert Jansen [mailto:geert at]
>> Sent: Wed 11/7/2007 1:50 PM
>> To: Michael Ströder
>> Cc: Mike Matz; python-ldap-dev at
>> Subject: Re: Creating Active Directory Objects
>> Michael Ströder wrote:
>> > I vaguely remember that there are some issues with really  
>> activating a
>> > user entry as a Windows user. But this is not a problem of  
>> accessing AD
>> > via python-ldap.
>> >
>> This indeed rings a bell. You need to create the user as disabled  
>> (look
>> for userAccountControl on MSDN), set a compliant password, and then
>> enable him.
>> Regards,
>> Geert
> -- 
> David Leonard                           d at
>                                         Ph:+61 404 844 850

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the python-ldap mailing list