Creating Active Directory Objects
David Leonard
d at adaptive-enterprises.com.au
Thu Nov 8 13:48:20 CET 2007
Hi, Mike
I think AD uses an extension to the Kerberos protocol to change the
password of a user. See
http://msdn2.microsoft.com/en-us/library/ms808911.aspx
As far as I understand it, the unicodePwd attribute is the NT hash of
the user's password. (See
http://msdn2.microsoft.com/en-us/library/ms680513.aspx).
Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's
LDAP. It should be a lot easier to manage than SSL certs.
David
Mike Matz wrote:
>
> Thanks for the help guys. It got me off to a great start. I have
> successfully created a user in my AD. As you already eluded to, I am
> struggling with the password attribute. Can the password attribute be
> set when creating a user. From what I gathered, the password
> attribute is 'unicodePwd'. This attribute cannot be created, it can
> only be modified. Is this attribute created by default when a user is
> created? Would I be able to do an add and then a modify to set the
> password? I am aware of the fact that there are certain restrictions
> in place in order to modify the password. I have setup my AD to
> include SSL and I am able to bind as Administrator over port 636.
> With that said one of the examples I ran across for adding a user
> refers to another attribute 'userPassword'. I am unable to tell what
> this attribute is. In the link below, it appears that the password is
> being set when the entry is added. I have tried this unsuccessfully.
> I appreicate all the help thus far.
> Regards,
> Mike
>
> Example Add Entry - http://www.grotan.com/ldap/python-ldap-samples.html
>
>
> -----Original Message-----
> From: Geert Jansen [mailto:geert at boskant.nl]
> Sent: Wed 11/7/2007 1:50 PM
> To: Michael Ströder
> Cc: Mike Matz; python-ldap-dev at lists.sourceforge.net
> Subject: Re: Creating Active Directory Objects
>
> Michael Ströder wrote:
>
> > I vaguely remember that there are some issues with really activating a
> > user entry as a Windows user. But this is not a problem of accessing AD
> > via python-ldap.
> >
>
> This indeed rings a bell. You need to create the user as disabled (look
> for userAccountControl on MSDN), set a compliant password, and then
> enable him.
>
> Regards,
> Geert
>
--
David Leonard d at adaptive-enterprises.com.au
Ph:+61 404 844 850
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-ldap/attachments/20071108/a232c11e/attachment.html>
More information about the python-ldap
mailing list