Creating Active Directory Objects

Mike Matz mmatz at wyoarea.org
Fri Nov 9 14:36:34 CET 2007


Thank you to all who responded to my queries.  I have been able to  
successfully create an account and set the password for an AD user on  
my test server.  For those who are interested here is the breakdown of  
what I did.  As I continue to debug and test I will post updates to  
this topic.

	Connected via SSL to the server.  There is no need to manage  
certificates on the client since I am not binding, only establishing  
an LDAP connection.  Certificate Services do need to be installed on  
the server.  In the future I plan to try to implement the sasl_bind  
code that Michael mentioned.  To create the account I performed an  
ldap add and to set the password I performed a modify on the  
unicodePwd attribute.  This has appeared to work successfully.  I am  
able to authenticate as the newly created user, map a home directory,  
etc.  I will need to do further testing to ensure that this is a valid  
method for creating an account.

Once again, thanks to all who provided input!
Regards,
Mike


On Nov 9, 2007, at 4:35 AM, Michael Ströder wrote:

> Geert Jansen wrote:
>>
>> Forget about using LDAP to change a user's password. It can be done  
>> but
>> it requires 128-bit SSL and so you need to set up certificate  
>> services
>> and distribute the CA certificate to your client. An easier way is to
>> use the Kerberos Set Password protocol (RFC3244). MIT Kerberos 1.3  
>> and
>> later support this protocol. Unfortunately there is no command-line
>> interface to this call so you need to create a Python extension  
>> module
>> for wrapping this call.
>>
>> My (in progress) project FreeADI contains a wrapper for the Set  
>> Password
>> call. See the file "/trunk/freeadi/core/_krb5.c" on my Trac page at
>> freeadi.org. The code is available under the liberal MIT license.
>
> If you're already on that route you might be interested in the
> heimdal-wrapper module by Univention. Its license is GPL. Not sure
> whether they support the Set Password protocol though.
>
> Ciao, Michael.
>
> 


More information about the python-ldap mailing list