Creating Active Directory Objects

Geert Jansen geert at
Thu Nov 8 19:41:51 CET 2007

> Mike Matz wrote:
>> Thanks for the help guys.  It got me off to a great start.  I have
>> successfully created a user in my AD.  As you already eluded to, I am
>> struggling with the password attribute.  Can the password attribute
>> be set when creating a user.  From what I gathered, the password
>> attribute is 'unicodePwd'.

Forget about using LDAP to change a user's password. It can be done but
it requires 128-bit SSL and so you need to set up certificate services
and distribute the CA certificate to your client. An easier way is to
use the Kerberos Set Password protocol (RFC3244). MIT Kerberos 1.3 and
later support this protocol. Unfortunately there is no command-line
interface to this call so you need to create a Python extension module
for wrapping this call.

My (in progress) project FreeADI contains a wrapper for the Set Password
call. See the file "/trunk/freeadi/core/_krb5.c" on my Trac page at The code is available under the liberal MIT license.

The "userPassword" attribute is the Unix shadow hash, and is not used
for Kerberos.

Regards, Geert

More information about the python-ldap mailing list