Creating Active Directory Objects
michael at stroeder.com
Thu Nov 8 19:02:11 CET 2007
David Leonard wrote:
> As far as I understand it, the unicodePwd attribute is the NT hash of
> the user's password.

I don't think so when setting it. Maybe it contains the NT hash
afterwards, but conversion is probably done internally.

It seems you need to combine ldap.MOD_DELETE with old password and
ldap.MOD_ADD with new password when setting unicodePwd yourself and
ldap.MOD_REPLACE when setting it for another account. Additionally you
have to use quotes around it. And furthermore it has to be
UTF-16-encoded (low endian). MS docs are usually poorly written.

> Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's
> LDAP. It should be a lot easier to manage than SSL certs.

The SSL certs are not used to bind to AD in this case. Rather they are
just used to connect over SSL (ldaps://).
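
The unicodePwd modlists described in the post above, as an added example that is not part of the original thread or of python-ldap itself. The function names and the ldaps-only guard are illustrative assumptions, and it assumes Python 3, where python-ldap takes attribute values as bytes.

```python
# Added example: building unicodePwd modlists for Active Directory.
try:
    import ldap  # python-ldap, only needed by apply_modlist()
    MOD_ADD, MOD_DELETE, MOD_REPLACE = ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE
except ImportError:
    ldap = None
    # LDAP protocol operation codes, the same values python-ldap exposes
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def encode_unicode_pwd(password):
    """Wrap the password in double quotes and encode it as UTF-16 little endian.

    'utf-16-le' is used rather than 'utf-16' because the latter prepends a
    byte-order mark, which would become part of the value sent.
    """
    return ('"%s"' % password).encode("utf-16-le")


def change_own_password(old, new):
    """Modlist for a user changing their own password: delete old, add new."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new)]),
    ]


def reset_password(new):
    """Modlist for setting the password of another account."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new)])]


def apply_modlist(uri, bind_dn, bind_pw, target_dn, modlist):
    """Send the modlist, but only over ldaps:// so the password is not sent in clear."""
    if not uri.lower().startswith("ldaps://"):
        raise ValueError("refusing to send unicodePwd over %r" % uri)
    if ldap is None:
        raise RuntimeError("python-ldap is not installed")
    conn = ldap.initialize(uri)
    try:
        conn.simple_bind_s(bind_dn, bind_pw)
        conn.modify_s(target_dn, modlist)  # both operations go in one request
    finally:
        conn.unbind_s()
```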