stackoom
  简体   繁体   中英

How can I change password for domain user(windows Active Directory) using Python?

 原文  2014-01-02 03:06:18       python/ active-directory/ ldap

Question

How can I change the password for a domain user with Python? I have the ldap modules on board but have no solution. I managed to query the current settings via ldap, but how can modify it? 

import ldap
import sys

host = 'ldap://10.172.0.79'

con = ldap.initialize(host)
BIND_DN = "administrator@biztalk.com"
BIND_PASS = "a-123456"
con.set_option( ldap.OPT_X_TLS_DEMAND, True )
con.set_option( ldap.OPT_DEBUG_LEVEL, 255 )

PASSWORD_ATTR = "unicodePwd"
username="bizadmin"
user_dn = "CN=%s,OU=User,OU=biztalk,DC=biz-talk,DC=com" % username
password = 'New12345'

# Set AD password
unicode_pass = unicode("\"" + password + "\"", "iso-8859-1")
password_value = unicode_pass.encode("utf-16-le")
add_pass = [(ldap.MOD_REPLACE, PASSWORD_ATTR, [password_value])]

# Replace password
try:
    con.modify_s(user_dn, add_pass)
    print "Active Directory password for", username, "was set successfully!"
except ldap.LDAPError, e:
    sys.stderr.write('Error setting AD password for: ' + username + '\n')
    sys.stderr.write('Message: ' + str(e) + '\n')
    sys.exit(1)

error

pydev debugger: starting

Error setting AD password for: bizadmin

Message: {'desc': "Can't contact LDAP server"}

Python change domain(Microsoft Active Directory) user's password.

...requires certification services between python and domain?

Could you have any good ways to deal with it?

Thank you!

3 answers

solution1
 2  2017-05-25 09:19:43

This code is working with Windows 2012 R2 AD:

First install latest ldap3 package: sudo pip install ldap 

#!/usr/bin/python

import ldap3

SERVER='127.0.0.1'
BASEDN="DC=domain,DC=com"
USER="user_domain_login_name@domain.com"
CURREENTPWD="current_password"
NEWPWD="new_password"

SEARCHFILTER='(&(userPrincipalName='+USER+')(objectClass=person))'

USER_DN=""
USER_CN=""

ldap_server = ldap3.Server(SERVER, get_info=ldap3.ALL)
conn = ldap3.Connection(ldap_server, USER, CURREENTPWD, auto_bind=True)
conn.start_tls()
#print conn
conn.search(search_base = BASEDN,
         search_filter = SEARCHFILTER,
         search_scope = ldap3.SUBTREE,
         attributes = ['cn', 'givenName', 'userPrincipalName'],
         paged_size = 5)

for entry in conn.response:
    if entry.get("dn") and entry.get("attributes"):
        if entry.get("attributes").get("userPrincipalName"):
            if entry.get("attributes").get("userPrincipalName") == USER:
                USER_DN=entry.get("dn")
                USER_CN=entry.get("attributes").get("cn")

print "Found user:", USER_CN
print USER_DN
print ldap3.extend.microsoft.modifyPassword.ad_modify_password(conn, USER_DN, NEWPWD, CURREENTPWD,  controls=None)

solution2
 1 ACCPTED  2014-01-02 10:58:00

Python is not my language, but changing the Active-Directory password via LDAP is something I do.

As far as your URL is concerned :

Your LDAP URL should be like : 

host = 'LDAP://10.172.0.79/dc=directory,dc=example,dc=com'

With 'LDAP' and not 'ldap' and the good directory path behind.

As far as the password is concerned :

First : As far as I understand you can change the AD pasword unicode_pass only if you server has a certificate and if you contact if via LDAPS (SSL).

Second : the password is given with double qote password test.2006 becomes "test.2006".

Third : the resutl must be coded in unicode.

Edited :

Once you have installed Certificate Server you just have to reboot your server to have AD waiting on port 636 (LDAPS). On Python side, here is what I found : 

ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
l = ldap.initialize("LDAPS://10.172.0.79:636")
l.set_option(ldap.OPT_REFERRALS, 0)
l.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
l.set_option(ldap.OPT_X_TLS,ldap.OPT_X_TLS_DEMAND)
l.set_option( ldap.OPT_X_TLS_DEMAND, True )
l.set_option( ldap.OPT_DEBUG_LEVEL, 255 )
l.simple_bind_s("admin@tester.com","password")

solution3
 0  2014-02-07 14:58:48

The password change code looks perfect.

you are not binding after initialize. bind is a must. 

con.simple_bind_s(user, pass)

Also, for starters you can ignore certificate errors for bind by setting this option. Once you are able to update password, you can harden the certificate thingy if you want. 

con.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How can I add group in user profile in Active Directory with python? Change windows user password with python How can I modify password expiration in Windows using Python? Update Active Directory Password using ldap python Change Windows password using Python How to create a new user in Active directory using Python pyad module Changing Active Directory user password in Python 3.x How can I use Windows authentication in a Python script instead of prompting the user for input or storing the password? How can I secure folder access to the user in windows using python How can I change directory with Python pathlib
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM