使用ldap python更新Active Directory密码
[英]Update Active Directory Password using ldap python
问题描述
Basically trying to reset the user's password using LDAP python. 
基本上是尝试使用LDAP python重置用户密码。 I've gone through various posts here but no luck :(. 我在这里浏览过各种文章,但没有运气:(。
Tried using : 尝试使用:
a) modify_s() - returns "No such object" every time.
a) Modify_s() -每次都返回“没有这样的对象”。 Tried with different user DN. 尝试使用其他用户DN。 {'info': "0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:\\n\\t'DC=mydomain,DC=com'\\n", 'matched': 'DC=mydomain,DC=com', 'desc': 'No such object'}
{'info':“ 0000208D:NameErr:DSID-0310020A,问题2001(NO_OBJECT),数据0,最佳匹配项:\\ n \\ t'DC = mydomain,DC = com'\\ n”,“ matched”:“ DC = mydomain,DC = com','desc':'没有这样的对象'} Here is the code Snippet:
这是代码段: def changePassword(userEmail, oldPassword, newPassword): try: ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) ldap_client = ldap.initialize("ldap://127.0.01.1:389") ldap_client.set_option(ldap.OPT_REFERRALS, 0) ldap_client.set_option(ldap.OPT_PROTOCOL_VERSION, 3) ldap_client.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND) ldap_client.set_option( ldap.OPT_X_TLS_DEMAND, True ) ldap_client.set_option( ldap.OPT_DEBUG_LEVEL, 255 ) ldap_client.simple_bind_s(ADMIN_EMAIL, ADMIN_PASSWORD) # Set AD password #unicode_pass = unicode('\\"' + newPassword + '\\"', "iso-8859-1") unicode_pass = newPassword password_value = unicode_pass.encode("utf-16-le") add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value]),( ldap.MOD_REPLACE, 'unicodePwd', [password_value])] # Replace password try: user_dn = 'CN=%s,DC=mydomain,DC=com' % username ldap_client.modify_s(user_dn, add_pass) print "Active Directory password for", username, \\ "was set successfully!" except ldap.LDAPError, e: sys.stderr.write('Error setting AD password for: ' + username + '\\n') sys.stderr.write('Message: ' + str(e) + '\\n') ldap_client.unbind_s() return 'SOME_PROBLEM' ldap_client.unbind_s() return 'AUTHENTICATED' except ldap.INVALID_CREDENTIALS: ldap_client.unbind() return 'INVALID_CREDENTIALS' except ldap.SERVER_DOWN: return 'SERVER_UNAVAILABLE'b)
passwd(userEmail, oldPassword, newPassword).b) passwd(userEmail, oldPassword, newPassword)。 It gets executed well but password is not updated.它执行得很好,但密码未更新。
Need help in identifying the problem. 需要帮助确定问题。
Reference Links: Python+LDAP+SSL 参考链接: Python + LDAP + SSL
python-ldap and Microsoft Active Directory: connect and delete user python-ldap和Microsoft Active Directory:连接并删除用户
how to set lockoutTime and password of a user of Active Directory 如何设置Active Directory用户的锁定时间和密码
How can I change password for domain user(windows Active Directory) using Python? 如何使用Python更改域用户(Windows Active Directory)的密码?
https://groups.google.com/forum/#!topic/macromedia.coldfusion.security/Rq7xx15OeBs https://groups.google.com/forum/#!topic/macromedia.coldfusion.security/Rq7xx15OeBs
http://www.grotan.com/ldap/python-ldap-samples.html#add http://www.grotan.com/ldap/python-ldap-samples.html#add
http://marcitland.blogspot.in/2011/02/python-active-directory-linux.html http://marcitland.blogspot.in/2011/02/python-active-directory-linux.html
https://snipt.net/Fotinakis/change-active-directory-password-via-ldap-modify-call/ https://snipt.net/Fotinakis/change-active-directory-password-via-ldap-modify-call/
3 个解决方案
解决方案1
1 2016-08-26 08:05:59
I think below program helpful for you.. windows active directory use password attribute as unicode method https://technet.microsoft.com/en-us/magazine/ff848710.aspx
import ldap
import ldap.modlist as modlist
import base64
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
l = ldap.initialize('ldaps://exam.local')
l.simple_bind_s('Administrator@exam.local', 'p@ssw0rd1')
dn="cn=map6,ou=Police,dc=exam,dc=local"
new_password='p@ssw0rd3'
unicode_pass = unicode('\"' + new_password + '\"', 'iso-8859-1')
print (unicode_pass)
password_value = unicode_pass.encode('utf-16-le')
add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value])]
print (password_value)
l.modify_s(dn, add_pass)
l.modify_s(dn, add_pass)
l.unbind_s()
解决方案2
0 2016-09-03 20:13:58
From what I can see is that you user_dn is not correctly set. 从我可以看到的是,您的user_dn设置不正确。 Double check and ensure you full DN actually exists in the Directory Server. 仔细检查并确保目录服务器中实际存在完整的DN。 Check your username variable is correctly parsed (No newline or tab characters) and the Base DN is verified. 检查您的用户名变量是否已正确解析(没有换行符或制表符),并且验证了基本DN。
sys.stderr.write('Error setting AD password for: ' + username + '\n')
sys.stderr.write('DN: ' + user_dn + '\n')
sys.stderr.write('Message: ' + str(e) + '\n')
The error message is pretty clear that AD cannot find the object (DN) it wishes to modify **(NO_OBJECT) 错误消息非常清楚,AD无法找到它想要修改的对象(DN)**(NO_OBJECT)
{'info': "0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT),
data 0, best match of:\n\t'DC=mydomain,DC=com'\n", 'matched':
'DC=mydomain,DC=com', 'desc': 'No such object'}
解决方案3
0 2018-11-05 08:47:16
I had the very same issue and decided to ask on Server Fault. 我遇到了同样的问题,并决定询问服务器故障。 The answer I got helped me to figure out what was wrong in my code. 我得到的答案帮助我找出了代码中的错误。 To summarize, there is 2 diifferent methods to update an AD password: 1 for regular user updating his own password, and another 1 for administrator (or any account with sufficient access rights) resetting the password for another user. 总而言之,有两种更新AD密码的方法:一种用于普通用户更新自己的密码,另一种用于管理员(或具有足够访问权限的帐户)为另一用户重置密码。
Method 1: User update his own password 方法1:用户更新自己的密码
ad_server = "ldaps://ad.xxx_domain.com"
ad_dn = "CN={0},OU=Users,OU=AF,DC=xxx_domain,DC=com"
username = 'my_username'
old_pwd = 'the_old_pa55word'
new_pwd = 'the_new_pa55word'
cert = os.path.join('/path', "to", 'server_cert.cer')
# LDAP connection initialization
l = ldap.initialize(ad_server)
# Set LDAP protocol version used
l.protocol_version = ldap.VERSION3
# Force cert validation
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
# Set path name of file containing all trusted CA certificates
l.set_option(ldap.OPT_X_TLS_CACERTFILE, cert)
# Force libldap to create a new SSL context (must be last TLS option!)
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
# Bind
l.simple_bind_s(ad_dn.format(username), old_pwd)
# Now, perform the password update
oldpwd_utf16 = '"{0}"'.format(old_pwd).encode('utf-16-le')
newpwd_utf16 = '"{0}"'.format(new_pwd).encode('utf-16-le')
mod_list = [
(ldap.MOD_DELETE, "unicodePwd", oldpwd_utf16),
(ldap.MOD_ADD, "unicodePwd", newpwd_utf16),
]
l.modify_s(ad_dn.format(username), mod_list)
Method 2: Admin account update regular user's password 方法2:管理员帐户更新普通用户的密码
ad_server = "ldaps://ad.xxx_domain.com"
ad_dn = "CN={0},OU=Users,OU=AF,DC=xxx_domain,DC=com"
admin_username = "i_am_the_admin"
admin_password = "admin123"
username = 'my_username'
new_pwd = 'the_new_complicated_password'
cert = os.path.join('/path', "to", 'server_cert.cer')
# LDAP connection initialization
l = ldap.initialize(ad_server)
# Set LDAP protocol version used
l.protocol_version = ldap.VERSION3
# Force cert validation
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
# Set path name of file containing all trusted CA certificates
l.set_option(ldap.OPT_X_TLS_CACERTFILE, cert)
# Force libldap to create a new SSL context (must be last TLS option!)
l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
# Bind (as admin user)
l.simple_bind_s(ad_dn.format(admin_username), admin_password)
# Now, perform the password update
newpwd_utf16 = '"{0}"'.format(new_pwd).encode('utf-16-le')
mod_list = [
(ldap.MOD_REPLACE, "unicodePwd", newpwd_utf16),
]
l.modify_s(ad_dn.format(username), mod_list)
Please note that the second method needs to Bind with a different account (with sufficient rights) but allows to set the new password without re-typing the old one. 请注意,第二种方法需要与其他帐户绑定(具有足够的权限),但允许设置新密码而无需重新键入旧密码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.