Net::LDAP -> Active Directory password change attribute failure

Okay, even using the code chunk from "the FAQ"(tm), trying to have a user
change their own password results in the error message:

  0000052D: AtrErr: DSID-03190F00, #1:
        0: 0000052D: DSID-03190F00, problem 1005 (CONSTRAINT_ATT_TYPE),
data 0, Att 9005a (unicodePwd)

from the $ldap->modify( changes=>{delete,add} ) operation. Have tried
numerous methods of encoding the password unicode (which all end up the
same result) as well as base64 encoding.

Strangely, if I use a "replace" operation instead of changes=>{delete,add},
it is accepted (tho I gotta bind as an admin user as well). Doesn't seem to
be a permission issue, as that would show up differently (such as using
"replace" without being an admin). What else could it be?


  use Net::LDAP;
  use Unicode::Map8;
  use Unicode::String qw(utf16);

  my $oldPW = "oldpasswd";
  my $newPW = "newpasswd";

  # AD wants unicodePwd as the password wrapped in double quotes and encoded
  # as UTF-16LE; utf16() emits big-endian, so byteswap() first.
  my $charmap = Unicode::Map8->new('latin1')  or  die;
  my $oldUniPW = $charmap->tou('"'.$oldPW.'"')->byteswap()->utf16();
  my $newUniPW = $charmap->tou('"'.$newPW.'"')->byteswap()->utf16();

  # unicodePwd is only writable over an encrypted (ldaps) session.
  my $ldap = Net::LDAP->new('ldaps://adserver.company.com')  or  die "$@";

  # Self-service change: bind as the user whose password is being changed.
  my $mesg = $ldap->bind('cn=usertest,cn=Users,dc=company,dc=com',
                         password => "DJ_120bpm");
  die("Unable to bind to Active Directory: ".$mesg->error)
       if $mesg->code;

  # Delete the old value and add the new one in a single modify.
  $mesg = $ldap->modify('cn=usertest,cn=Users,dc=company,dc=com',
                        changes => [
                            delete => [ unicodePwd => $oldUniPW ],
                            add    => [ unicodePwd => $newUniPW ] ]);
  # Test the result code rather than comparing the error text.
  die("Unable to reset Active Directory password: ".$mesg->error)
       if $mesg->code;


-ericb

ericb
1/25/2006 6:07:35 AM

In the immortal words of Eric Berggren:

> Strangely, if I use a "replace" operation instead of changes=>{delete,add},
> it is accepted (tho I gotta bind as an admin user as well). Doesn't seem to
> be a permission issue, as that would show up differently (such as using
> "replace" without being an admin). What else could it be?

AD requires that you use replace, not delete/add, for userPassword.
It's Just The Way It Is.

%%  Christopher A. Bongaarts  %%  cab@tc.umn.edu       %%
%%  Internet Services         %%  http://umn.edu/~cab  %%
%%  University of Minnesota   %%  +1 (612) 625-1809    %%
cab
1/25/2006 7:16:37 PM

In a process of deep contemplation, Christopher A Bongaarts carefully 
constructed the following missive on 1/25/2006 2:16 PM:
> In the immortal words of Eric Berggren:
> 
>> Strangely, if I use a "replace" operation instead of changes=>{delete,add},
>> it is accepted (tho I gotta bind as an admin user as well). Doesn't seem to
>> be a permission issue, as that would show up differently (such as using
>> "replace" without being an admin). What else could it be?
> 
> AD requires that you use replace, not delete/add, for userPassword.
> It's Just The Way It Is.
> 

AND you can't replace unless you're Administrator.  Catch-22.


-- 
Justin Alcorn
justin@jalcorn.net
http://jalcorn.net/
justin
1/25/2006 7:29:44 PM
This is contrary to what I've read (and various forms of sample code,
including from the FAQ) and what had once worked a couple of months ago -
it seems that only an admin can replace whereas a user must delete/add.
Since then, OpenLDAP libraries have been upgraded from 2.1 to 2.2(27),
Net::LDAP from 0.31 to 0.33, and perl from 5.8.0 to 5.8.5 (rhel3 -> rhel4).
Supposedly nothing changed on the AD side, tho I'm suspecting the issue is
there.

Did you really mean "userPassword" as opposed to "unicodePwd" ?


regards,
-ericb

Christopher A Bongaarts wrote:

>>Strangely, if I use a "replace" operation instead of changes=>{delete,add},
>>it is accepted (tho I gotta bind as an admin user as well). Doesn't seem to
>>be a permission issue, as that would show up differently (such as using
>>"replace" without being an admin). What else could it be?

> AD requires that you use replace, not delete/add, for userPassword.
> It's Just The Way It Is.
ericb
1/25/2006 8:19:27 PM
yay, *sigh* as it turns out there WAS a change made on the cAptive
Directory side that resulted in a password policy being enforced, wherein
an attribute error would make sense, but would think the numerical result
codes would change somewhat to reflect this rather than the same as a
malformed message.

So it works as it should and at least sanity is once again confirmed.

Thanks for everyone's input!
-ericb

ericb
1/25/2006 8:43:14 PM
In the immortal words of Eric Berggren:

> This is contrary to what I've read (and various forms of sample code,
> including from the FAQ) and what had once worked a couple of months ago -
> it seems that only an admin can replace whereas a user must delete/add.

That's possible; we only used Net::LDAP with admin rights.

> Did you really mean "userPassword" as opposed to "unicodePwd" ?

I misspoke (brain autocorrected to the standard attribute;),
unicodePwd is the right one for AD.

%%  Christopher A. Bongaarts  %%  cab@tc.umn.edu       %%
%%  Internet Services         %%  http://umn.edu/~cab  %%
%%  University of Minnesota   %%  +1 (612) 625-1809    %%
cab
1/26/2006 6:35:56 PM
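A cleaner version of the two operations this thread contrasts (the user's own delete/add change and the administrator's replace), written as an added example rather than the poster's code or anything from the Net::LDAP documentation. It swaps Unicode::Map8 for the core Encode module and decodes the Win32 code AD prefixes to its errorMessage, so the policy rejection ericb hit (0000052D) is reported as such instead of as a generic attribute error; the host, DNs and passwords are placeholders.

```perl
use strict; use warnings;
use Encode qw(encode);
use Net::LDAP;

# AD takes unicodePwd as the password wrapped in double quotes, encoded UTF-16LE.
sub ad_pwd { my ($pw) = @_; return encode('UTF-16LE', '"' . $pw . '"'); }

# Win32 codes AD prefixes to its errorMessage ("0000052D: AtrErr: ..."); just
# the two this thread runs into, both documented Win32 error values.
my %win32 = (
    0x52D => 'ERROR_PASSWORD_RESTRICTION: value fails the domain password policy',
    0x5   => 'ERROR_ACCESS_DENIED: bound identity may not write unicodePwd this way',
);
# Turn a Net::LDAP::Message into a readable result string.
sub explain {
    my ($mesg) = @_;
    return 'Success' unless $mesg->code;
    my $srv  = $mesg->server_error || '';
    my ($hex) = $srv =~ /^([0-9A-Fa-f]{8}):/;
    my $code = defined $hex ? hex $hex : -1;
    my $why  = $win32{$code} ? " ($win32{$code})" : '';
    return $mesg->error_name . ": $srv$why";
}

# Self-service change: bind as the user, delete old and add new in one modify. A
# policy violation is 0000052D / CONSTRAINT_ATT_TYPE, the same LDAP result as a bad encoding.
sub change_own_password {
    my ($ldap, $dn, $old, $new) = @_;
    my $mesg = $ldap->bind($dn, password => $old);
    return explain($mesg) if $mesg->code;
    $mesg = $ldap->modify($dn, changes => [
        delete => [ unicodePwd => ad_pwd($old) ],
        add    => [ unicodePwd => ad_pwd($new) ],
    ]);
    return explain($mesg);
}

# Administrative reset: bind with reset-password rights and replace outright.
sub reset_password {
    my ($ldap, $admin_dn, $admin_pw, $dn, $new) = @_;
    my $mesg = $ldap->bind($admin_dn, password => $admin_pw);
    return explain($mesg) if $mesg->code;
    $mesg = $ldap->modify($dn, replace => { unicodePwd => ad_pwd($new) });
    return explain($mesg);
}

# unicodePwd needs an encrypted session (ldaps://); host, DN, passwords are placeholders.
my $ldap = Net::LDAP->new('ldaps://adserver.example.com') or die "$@";
print change_own_password($ldap, 'cn=usertest,cn=Users,dc=example,dc=com',
                          'oldpasswd', 'newpasswd'), "\n";
```

Against a domain with a password policy in force, the first call prints the CONSTRAINT_ATT_TYPE error with the 0000052D explanation appended, which is exactly the situation ericb's thread ended on.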