Creating Active Directory Objects

Michael Ströder michael at
Thu Nov 8 19:02:11 CET 2007

David Leonard wrote:
> As far as I understand it, the unicodePwd attribute is the NT hash of
> the user's password.

I don't think so when setting it. Maybe it contains the NT hash
afterwards, but conversion is probably done internally.

It seems you need to combine ldap.MOD_DELETE with old password and
ldap.MOD_ADD with new password when setting unicodePwd yourself and
ldap.MOD_REPLACE when setting it for another account. Additionally you
have to use quotes around it. And furthermore it has to be
UTF-16-encoded (low endian). MS docs are usually poorly written.

> Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's
> LDAP. It should be a lot easier to manage than SSL certs.

The SSL certs are not used to bind to AD in this case. Rather they are
just used to connect over SSL (ldaps://).

Ciao, Michael.

More information about the python-ldap mailing list