
Error - UNWILLING_TO_PERFORM - while change user password in AD ldap using python code

I am creating a simple Python function to change a user's password. I have tested my AD setup: I am able to search for the user and get the correct response, but when I try to run l.modify_s, I get the error below. The AD user has the required permissions. Not sure why I am getting this error.

Any help will be great. Please let me know if you need any more information or code to understand the issue better.

```
{
  "errorType": "UNWILLING_TO_PERFORM",
  "errorMessage": "{'info': u'0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\\n', 'msgid': 3, 'msgtype': 103, 'result': 53, 'desc': u'Server is unwilling to perform', 'ctrls': []}"
}
```

Please find my code below

```python
import ldap
import os
import boto3
import random
import string

from base64 import b64decode


def lambda_handler(event, context):
    l = None
    try:
        # File of trusted CA certificates (local path on the poster's machine)
        cert = os.path.join('/Users/marsh79/Downloads', 'Serverssl.cer')
        print "My cert is", cert
        # LDAP connection initialization over a plain (non-TLS) ldap:// URI
        l = ldap.initialize('ldap://example.corp.com')
        # Set LDAP protocol version used
        l.protocol_version = ldap.VERSION3
        # Force cert validation
        l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        # Set path name of file containing all trusted CA certificates
        l.set_option(ldap.OPT_X_TLS_CACERTFILE, cert)
        # Force libldap to create a new SSL context (must be last TLS option!)
        l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

        # Simple bind with the account that holds the reset-password rights
        bind = l.simple_bind_s("admin@corp.example.com", "secret_pass")

        base = "OU=Enterprise,OU=Users,OU=corp,DC=corp,DC=example,DC=com"
        criteria = "(objectClass=user)"
        attributes = ['distinguishedName']
        result = l.search_s(base, ldap.SCOPE_SUBTREE, criteria, attributes)

        # AD returns referral entries with dn=None; keep only real entries
        results = [entry for dn, entry in result if isinstance(entry, dict)]

        # unicodePwd must be the new password in double quotes, UTF-16-LE encoded
        new_password = 'secretpass_new'
        unicode_pass = unicode('\"' + new_password + '\"', 'iso-8859-1')
        password_value = unicode_pass.encode('utf-16-le')
        add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value])]

        print "My result distinguishedName1:", results[0]['distinguishedName'][0]
        print "My result distinguishedName2:", results[1]['distinguishedName'][0]

        # Administrative reset of the first user's password
        l.modify_s(results[0]['distinguishedName'][0], add_pass)

        print results

    finally:
        # Only unbind if the connection object was actually created
        if l is not None:
            l.unbind()
```

I have checked multiple things:

  1. Password complexity is good.
  2. Enabled secure LDAP on my AD server and tested this using ldp.exe; I can connect using port 636.
  3. I am able to run this code if I just need to search for the user. I get the search results.
  4. But when I try to modify the password, it breaks, and I am struggling to work out where it is going wrong.

I'm not a Python programmer, but I know how AD and LDAP work. It's probably still not connected via LDAPS. From examples I've seen online, you might need to specify ldaps://:

```python
l = ldap.initialize('ldaps://<server name>.corp.example.com')
```

Or possibly the port as well:

```python
l = ldap.initialize('ldaps://<server name>.corp.example.com:636')
```

You don't need to supply the cert file on the client side, but the issuer of the certificate on the server must be trusted by the client computer. I guess that's what you're trying to do with `cert`. But you may not have to. Try without that and see what happens. If you're running this on Windows, it may use the Trusted Certificate Store from Windows itself, and it should work as long as the server isn't using a self-signed cert.
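The following is an added example, not code from the question or the answer above. It shows the two things the answer points at: AD will only accept a write to unicodePwd over an encrypted session (LDAPS, or ldap:// followed by StartTLS), and the `info` string in the poster's error (`0000001F: ... problem 5003 (WILL_NOT_PERFORM)`) is the signature of that refusal, distinct from the `0000052D` code AD uses when the new password fails the domain password policy. It also shows the difference between an administrative reset (one MOD_REPLACE, which is what the question does) and a self-service change (MOD_DELETE of the old value plus MOD_ADD of the new one in a single modify, which makes AD verify the old password and enforce history and minimum age). The hostname `dc01.corp.example.com`, the DNs and the passwords are placeholders; the live part needs python-ldap installed, while the encoding, modlist and error-parsing helpers run without it.

```python
"""Added example: AD password reset/change over an encrypted session with
python-ldap, plus a parser for the diagnostic string AD returns on failure.
All hostnames, DNs and passwords below are placeholders."""
import re
from urllib.parse import urlsplit

# Same numeric values as python-ldap's ldap.MOD_ADD / MOD_DELETE / MOD_REPLACE
# (LDAP_MOD_ADD=0, LDAP_MOD_DELETE=1, LDAP_MOD_REPLACE=2); defined locally so the
# modlist helpers work and are testable without python-ldap installed.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# Win32 error codes AD puts at the front of the 'info' string (assumed mapping
# of the two codes a password write most often produces).
AD_ERROR_HINTS = {
    0x1F: 'unicodePwd written over an unencrypted session; use ldaps:// or StartTLS',
    0x52D: 'new password rejected by the domain password policy',
}

_AD_INFO = re.compile(r'^(?P<code>[0-9A-Fa-f]{8}): (?P<kind>\w+): '
                      r'DSID-(?P<dsid>[0-9A-Fa-f]+), problem (?P<problem>\d+) '
                      r'\((?P<name>\w+)\), data (?P<data>\d+)')


def encode_unicode_pwd(password):
    """unicodePwd value: the password wrapped in double quotes, UTF-16-LE, no BOM."""
    return ('"' + password + '"').encode('utf-16-le')


def reset_modlist(new_password):
    """Administrative reset: one MOD_REPLACE; needs the 'Reset Password' right,
    and the old password is not checked."""
    return [(MOD_REPLACE, 'unicodePwd', [encode_unicode_pwd(new_password)])]


def change_modlist(old_password, new_password):
    """Self-service change: delete old + add new in ONE modify operation, so AD
    verifies the old password and applies history / minimum-age policy."""
    return [(MOD_DELETE, 'unicodePwd', [encode_unicode_pwd(old_password)]),
            (MOD_ADD, 'unicodePwd', [encode_unicode_pwd(new_password)])]


def require_encrypted(uri, start_tls=False):
    """Refuse before any credential leaves the client unless the session will be
    encrypted: ldaps://, or ldap:// with StartTLS issued before the bind."""
    scheme = urlsplit(uri).scheme.lower()
    if scheme == 'ldaps' or (scheme == 'ldap' and start_tls):
        return True
    raise ValueError('unicodePwd must be written over LDAPS or StartTLS, got %r' % uri)


def parse_ad_error_info(info):
    """Split '0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM),
    data 0' into fields; None when the string is not AD-shaped."""
    m = _AD_INFO.match(info.strip())
    if not m:
        return None
    d = m.groupdict()
    d['code'] = int(d['code'], 16)
    d['problem'] = int(d['problem'])
    d['data'] = int(d['data'])
    return d


def explain_ad_error(info):
    """Human-readable reason for an AD 'info' string, or None if unparseable."""
    parsed = parse_ad_error_info(info)
    if parsed is None:
        return None
    return AD_ERROR_HINTS.get(parsed['code'],
                              '%s (problem %d)' % (parsed['name'], parsed['problem']))


def set_ad_password(uri, bind_dn, bind_pw, user_dn, modlist,
                    cacertfile=None, start_tls=False):
    """Live part (needs python-ldap, imported lazily): connect, bind, apply the
    modlist, and turn AD's unwillingToPerform into an actionable error."""
    import ldap
    require_encrypted(uri, start_tls)
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    conn.set_option(ldap.OPT_REFERRALS, 0)  # AD sends referrals; do not chase them
    conn.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
    if cacertfile:  # only needed when the DC's issuer is not in the system store
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, cacertfile)
    conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)  # must follow the other TLS options
    try:
        if start_tls:
            conn.start_tls_s()
        conn.simple_bind_s(bind_dn, bind_pw)
        conn.modify_s(user_dn, modlist)
    except ldap.UNWILLING_TO_PERFORM as exc:
        # python-ldap puts the server's diagnostic dict in exc.args[0]
        info = exc.args[0].get('info', '') if exc.args else ''
        raise RuntimeError(explain_ad_error(info) or 'unwillingToPerform: %s' % info) from exc
    finally:
        conn.unbind_s()


if __name__ == '__main__':  # placeholder values; requires a reachable DC
    set_ad_password('ldaps://dc01.corp.example.com:636',
                    'CN=svc-pwreset,OU=Service,DC=corp,DC=example,DC=com', 'svc-secret',
                    'CN=Jane Doe,OU=Enterprise,OU=Users,OU=corp,DC=corp,DC=example,DC=com',
                    reset_modlist('N3w-P4ssw0rd!'))
```

`require_encrypted` is deliberately called before `ldap.initialize`, so a misconfigured `ldap://` URI fails closed without ever sending the bind password in cleartext; `OPT_X_TLS_CACERTFILE` is only set when a CA file is supplied, matching the answer's point that the client's own trust store is usually enough.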
