
Allow AD users to change their own passwords using Python ldap3

I am using Python ldap3 [1] to build an API that allows users to change their Microsoft Active Directory passwords using their current credentials. This is what my API is doing:

1- Create an LDAP connection and bind to the LDAP server:

    import ssl
    from ldap3 import Server, Connection, Tls

    # validate=ssl.CERT_NONE turns off verification of the domain controller's certificate
    tls_config = Tls(validate=ssl.CERT_NONE)
    server = Server(ldaps_endpoint, port=636, use_ssl=True, tls=tls_config)
    connection = Connection(server, user=username, password=password, authentication='NTLM')
    connection.bind()

2- Change the password using the extend.microsoft.modifyPassword.ad_modify_password() ldap3 function:

    from ldap3 import extend

    user_modified = extend.microsoft.modifyPassword.ad_modify_password(connection, user_dn, new_password, current_password)

This works fine when the user flag "change password on next logon" is not set. When it is set, it does not work because the connection fails to bind(). I tried using an ANONYMOUS connection instead of NTLM, which binds successfully. However, the ad_modify_password() function fails with:

    In order to perform this operation a successful bind must be completed on the connection

How is ad_modify_password() supposed to work with the "change password on next logon" flag?

[1] https://ldap3.readthedocs.io/

It's not -- and that's not something particular to Python. Microsoft shipped an ASP-based user password change web site you could run on a domain controller, and MS's site had the same limitation. If the user's password had already expired, or the user needed to change their password on next logon, you're stuck.

Two approaches:

(1) Build a self-service password reset functionality that authenticates the user against something other than their AD account password -- hashed attributes stored on their user object, challenge/response questions that get stored in a database table, etc. Provided the user passes the secondary authentication, admin credentials are used to reset the password.

(2) Specifically for users that must change password on next logon, the pwdLastSet attribute will be set to '0' when the user must change their password. Using a system credential with 'write' access to the value, modify that value to -1. Then bind with the account and password the user has supplied. If the bind fails, set pwdLastSet back to 0. If the bind passes, change the password.

#1 is more time/effort, but sorts people with expired passwords, people who need to change password on next login, people who are locked out, and people who have forgotten their password. The "people who have forgotten their password / gotten locked out" tend to be the big win -- reducing help desk calls can offset the time/money put into self-service password reset development.

#2 is far simpler but only handles the single scenario you present. If there's a max password age defined for the domain (or a fine grained password policy that establishes a max password age for some user accounts), users with expired creds may still be stuck.
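Approach (2) from the answer, written out as an added Python example against ldap3 (this is not code from the question or the answer). The system account, LDAPS endpoint and helper names are assumptions, and the directory operations are injected as callables so the flag-restore logic can be exercised without a domain controller; the ldap3 wiring is in ldap3_operations().

```python
import ssl

# pwdLastSet values used by approach (2): AD stores 0 for "must change password at
# next logon" and interprets a write of -1 as "set pwdLastSet to the current time".
PWD_LAST_SET_MUST_CHANGE = "0"
PWD_LAST_SET_CLEAR = "-1"


def change_password_with_must_change_flag(user_dn, username, current_password,
                                          new_password, set_pwd_last_set,
                                          try_user_bind, change_password):
    """Clear the flag, prove the current password by binding as the user, change it.
    Directory operations are injected so the flow can be exercised offline:
      set_pwd_last_set(user_dn, value)  -> bool (system credential with write access)
      try_user_bind(username, password) -> bound connection, or None on failure
      change_password(conn, user_dn, new_password, current_password) -> bool
    On any failure the must-change flag is restored, so the account is left as found.
    """
    if not set_pwd_last_set(user_dn, PWD_LAST_SET_CLEAR):
        return False
    conn = try_user_bind(username, current_password)
    if conn is None:  # wrong current password: undo the temporary flag change
        set_pwd_last_set(user_dn, PWD_LAST_SET_MUST_CHANGE)
        return False
    try:
        if change_password(conn, user_dn, new_password, current_password):
            return True
        set_pwd_last_set(user_dn, PWD_LAST_SET_MUST_CHANGE)  # e.g. policy rejected it
        return False
    finally:
        conn.unbind()


def ldap3_operations(ldaps_endpoint, system_user, system_password):
    """ldap3 implementations of the three callables (imported lazily so the flow
    itself has no hard dependency). Assumes NTLM logons and an LDAPS endpoint."""
    from ldap3 import Server, Connection, Tls, MODIFY_REPLACE
    from ldap3.extend.microsoft.modifyPassword import ad_modify_password
    # Validate the DC certificate; add ca_certs_file=... to Tls() for a private CA.
    server = Server(ldaps_endpoint, port=636, use_ssl=True,
                    tls=Tls(validate=ssl.CERT_REQUIRED))
    system = Connection(server, user=system_user, password=system_password,
                        authentication='NTLM', auto_bind=True)

    def set_pwd_last_set(user_dn, value):
        return system.modify(user_dn, {'pwdLastSet': [(MODIFY_REPLACE, [value])]})

    def try_user_bind(username, password):
        conn = Connection(server, user=username, password=password, authentication='NTLM')
        return conn if conn.bind() else None

    return set_pwd_last_set, try_user_bind, ad_modify_password
```

The system account needs write access to pwdLastSet only, not reset-password rights, and a failed user bind still counts against the account's lockout threshold.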
