Creating Active Directory Objects
mmatz at wyoarea.org
Fri Nov 9 14:36:34 CET 2007
Thank you to all who responded to my queries. I have been able to
successfully create an account and set the password for an AD user on
my test server. For those who are interested here is the breakdown of
what I did. As I continue to debug and test I will post updates to
Connected via SSL to the server. There is no need to manage
certificates on the client since I am not binding, only establishing
an LDAP connection. Certificate Services do need to be installed on
the server. In the future I plan to try to implement the sasl_bind
code that Michael mentioned. To create the account I performed an
ldap add and to set the password I performed a modify on the
unicodePwd attribute. This has appeared to work successfully. I am
able to authenticate as the newly created user, map a home directory,
etc. I will need to do further testing to ensure that this is a valid
method for creating an account.
Once again, thanks to all who provided input!
On Nov 9, 2007, at 4:35 AM, Michael Ströder wrote:
> Geert Jansen wrote:
>> Forget about using LDAP to change a user's password. It can be done
>> it requires 128-bit SSL and so you need to set up certificate
>> and distribute the CA certificate to your client. An easier way is to
>> use the Kerberos Set Password protocol (RFC3244). MIT Kerberos 1.3
>> later support this protocol. Unfortunately there is no command-line
>> interface to this call so you need to create a Python extension
>> for wrapping this call.
>> My (in progress) project FreeADI contains a wrapper for the Set
>> call. See the file "/trunk/freeadi/core/_krb5.c" on my Trac page at
>> freeadi.org. The code is available under the liberal MIT license.
> If you're already on that route you might be interested in the
> heimdal-wrapper module by Univention. Its license is GPL. Not sure
> whether they support the Set Password protocol though.
> Ciao, Michael.
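As an added example (not the original poster's code, nor from python-ldap or FreeADI), the sequence described in the post above in python-ldap: an LDAPS connection, an `add` for the user object, then a `modify` of `unicodePwd`. The DC hostname, base DN, admin DN and the sample account are placeholders; the simple bind as an administrator is an assumption the post does not spell out.

```python
"""Create an AD user over LDAPS, then set its password via unicodePwd.

Added example, not the original poster's code. Host, base DN and the
sample account are constructed placeholders; python-ldap is imported only
when the script actually connects, so the helpers can be run offline.
"""
import getpass

LDAPS_URI = "ldaps://dc1.example.test"                    # placeholder DC
USERS_OU = "OU=Users,DC=example,DC=test"                  # placeholder container
ADMIN_DN = "CN=Administrator,CN=Users,DC=example,DC=test"  # placeholder bind DN
MOD_REPLACE = 2  # same value as ldap.MOD_REPLACE; kept literal so this runs without python-ldap


def encode_unicode_pwd(password):
    """AD accepts unicodePwd only as the password wrapped in double quotes, UTF-16-LE."""
    return ('"%s"' % password).encode("utf-16-le")


def user_add_record(sam, given, sn, container=USERS_OU):
    """Attribute list for the initial ldap add. 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE:
    AD rejects an enabled account without a password, so the object is created disabled."""
    dn = "CN=%s %s,%s" % (given, sn, container)
    attrs = [
        ("objectClass", [b"top", b"person", b"organizationalPerson", b"user"]),
        ("sAMAccountName", [sam.encode()]),
        ("givenName", [given.encode()]),
        ("sn", [sn.encode()]),
        ("userPrincipalName", [("%s@example.test" % sam).encode()]),
        ("userAccountControl", [b"514"]),
    ]
    return dn, attrs


def password_and_enable_modlist(password):
    """Two separate MOD_REPLACE operations: set unicodePwd (the DC refuses this over a
    cleartext connection), then flip userAccountControl to 512 (NORMAL_ACCOUNT, enabled)."""
    return ([(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(password)])],
            [(MOD_REPLACE, "userAccountControl", [b"512"])])


def main(admin_password, new_password):
    import ldap  # python-ldap; only needed for the live connection
    ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)  # verify the DC cert
    conn = ldap.initialize(LDAPS_URI)
    conn.simple_bind_s(ADMIN_DN, admin_password)
    dn, attrs = user_add_record("jdoe", "Jane", "Doe")
    conn.add_s(dn, attrs)
    for modlist in password_and_enable_modlist(new_password):
        conn.modify_s(dn, modlist)
    conn.unbind_s()


if __name__ == "__main__":
    main(getpass.getpass("admin password: "), getpass.getpass("new user password: "))
```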