ldap.passwd_s with Active Directory

Mike.Peters at opengi.co.uk
Tue Aug 4 18:47:52 CEST 2009


Michael,

Thanks for the quick response, much appreciated. I guess I've been barking up the wrong tree then :)

If I try the alternative method however:

mod_attrs = [( ldap.MOD_REPLACE, 'unicodePwd', 'password' )]
dn = 'CN=Barney Rubble,OU=Users,DC=mydomain,dc=local'
r = l.modify_s(dn, mod_attrs)

I get:

{'info': '0000001F: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0\n', 'desc': 'Server is unwilling to perform'}

I guess I'm still missing something :(

One thing which may be relevant is if I use l.start_tls_s() before simple_bind_s, the login fails although without start_tls_s Wireshark shows the connection to be encrypted.

Thanks again

Mike Peters


> -----Original Message-----
> From: Michael Ströder [mailto:michael at stroeder.com]
> Sent: 04 August 2009 17:29
> To: Mike Peters
> Cc: python-ldap-dev at lists.sourceforge.net
> Subject: Re: ldap.passwd_s with Active Directory
> 
> Mike.Peters at opengi.co.uk wrote:
> >
> > I'm not sure if this is the right place for this query, but I couldn't
> > find a python-LDAP-Users list.
> >
> > I'm trying to modify a user's password on a Windows 2003 Active
> > Directory using passwd_s, however the server is returning the following
> > error:
> >
> > {'info': '0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended
> > request OID, data 0, vece', 'desc': 'Protocol error'}
> >
> > I realise this is a server configuration thing as opposed to a
> > python-ldap issue, but Google hasn't been any help so far. Does anyone
> > here know what it is I need to enable/change in order to get it to work?
> 
> This is because Windows 2003 AD does not support the LDAP Password Modify
> Extended Operation (see RFC 3062).
> 
> > The connection is using ldaps:// on port 636 and I can search the AD and
> > modify other values eg givenName etc, just not passwords, and I'm
> > binding as domain administrator.
> 
> There's an MSDN article about how to set attribute unicodePwd via LDAP
> in AD.
> 
> Ciao, Michael.
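
Added example (not part of the thread and not python-ldap's own code): Microsoft documents that unicodePwd must be sent as the new password wrapped in double quotes and encoded as UTF-16LE, over an encrypted connection; a bare string does not meet that format. The sketch assumes python-ldap 3.x on Python 3 (attribute values are bytes); the function names, DN and passwords are constructed for illustration.

```python
"""Build unicodePwd modifications for Active Directory (illustrative)."""

# RFC 4511 ModifyRequest operation codes; python-ldap exposes the same
# values as ldap.MOD_ADD, ldap.MOD_DELETE and ldap.MOD_REPLACE.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def encode_unicode_pwd(password):
    """Return the password in the wire format AD expects for unicodePwd:
    surrounded by double quotes, UTF-16LE encoded, no byte-order mark."""
    if not isinstance(password, str) or not password:
        raise ValueError("password must be a non-empty str")
    return ('"%s"' % password).encode("utf-16-le")


def reset_modlist(new_password):
    """Administrative reset: a single replace of unicodePwd."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


def change_modlist(old_password, new_password):
    """User-initiated change: delete the old value and add the new one
    in the same modify request."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def reset_password(conn, dn, new_password):
    """Apply an administrative reset.

    conn is assumed to be an already bound python-ldap connection opened
    over ldaps:// (or upgraded with StartTLS); AD refuses unicodePwd
    writes on an unencrypted connection.
    """
    return conn.modify_s(dn, reset_modlist(new_password))


if __name__ == "__main__":
    # Constructed sample value, shown only to make the encoding visible.
    print(reset_modlist("N3w-Example-Pw!"))
```

A write that is correctly encoded can still be refused with the same WILL_NOT_PERFORM result when the new password fails the domain's password policy.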


