Python 3.5, ldap3 and modify_password()

Question

I've been pulling my hair out trying to send a request to update my own password via a script. here is the code:

#!/usr/bin/python3.5

from ldap3 import Server, Connection, NTLM, ALL

server = Server('ldap://192.168.0.80', use_ssl=True)

conn = Connection(server, user="local\\dctest", password="Pa55word1", authentication=NTLM, auto_bind=True)

dn = "CN=dctest,CN=Users,DC=home,DC=local"

conn.extend.microsoft.modify_password(dn, new_password="Pa55word2", old_password="Pa55word1")

The error that i get is:

{'dn': '', 'type': 'modifyResponse', 'description': 'unwillingToPerform', 'referrals': None, 'result': 53, 'message': '00002077: SvcErr: DSID-03190E44, problem 5003 (WILL_NOT_PERFORM), data 0\\n\\x00'}

Any idea what I'm doing wrong?

I have full access to the DC and I've made sure that the passwords are correct etc. I've read all the docs and just can't get my head around it.

any help would be great!!

Answer 1

ldap3.modify_password() as of version 0.9.4.2 doesn't work with Active Directory, because it uses the Password Modify Extended Operation, which isn't supported by AD. MS found a way to do things different with AD , it seems. The ldap3 author (cannatag) was aware of this and added ad_modify_password() shortly after. You'll have to use a newer release of ldap3.

Answer 2

OK thank you to everyone for your help, and the developers on github.

the code i used to make this work in the end was...

from ldap3 import Server, Connection

server = Server('ldaps://<AD server address>', use_ssl=True)
conn = Connection(server, user="<domain>\\<username>", password="<current password>", auto_bind=True)

dn = 'CN=<username>,OU=Users,DC=<dominaname>'

res = conn.extend.microsoft.modify_password(dn, old_password='<current password>', new_password='<new password>')
print(res)

Thought i'd post the working solution as there doesn't seem to be any on the internets!! God speed my fellow devops people.

Answer 3

Try with ldaps:// instead of ldap://. or dont use the scheme at all and pass use_ssl=True in the Server definition. AD connection must use ssl to modify the password.

Answer 4

Which version of ldap3 are you using? From the source code of ldap3 version 2.2 it would seem to me that the function should be use in a similar way:

#!/usr/bin/python3.5
from ldap3 import Server, Connection, NTLM, ALL
server = Server('ldap://192.168.0.80', use_ssl=True)
conn = Connection(server, user="local\\dctest", password="Pa55word1", authentication=NTLM, auto_bind=True)
res = ldap3.extend.microsoft.modifyPassword(conn, user, "new_Pa55word2", "old_Pa55word1")