Creating Active Directory Objects

David Leonard d at adaptive-enterprises.com.au
Thu Nov 8 13:48:20 CET 2007


Hi, Mike

I think AD uses an extension to the Kerberos protocol to change the 
password of a user. See 
http://msdn2.microsoft.com/en-us/library/ms808911.aspx
As far as I understand it, the unicodePwd attribute is the NT hash of 
the user's password. (See 
http://msdn2.microsoft.com/en-us/library/ms680513.aspx).
Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's 
LDAP. It should be a lot easier to manage than SSL certs.

David

Mike Matz wrote:
>
> Thanks for the help guys.  It got me off to a great start.  I have 
> successfully created a user in my AD.  As you already alluded to, I am 
> struggling with the password attribute.  Can the password attribute be 
> set when creating a user?  From what I gathered, the password 
> attribute is 'unicodePwd'.  This attribute cannot be created, it can 
> only be modified.  Is this attribute created by default when a user is 
> created?  Would I be able to do an add and then a modify to set the 
> password?  I am aware of the fact that there are certain restrictions 
> in place in order to modify the password.  I have set up my AD to 
> include SSL and I am able to bind as Administrator over port 636.  
> With that said, one of the examples I ran across for adding a user 
> refers to another attribute 'userPassword'.  I am unable to tell what 
> this attribute is.  In the link below, it appears that the password is 
> being set when the entry is added.  I have tried this unsuccessfully.  
> I appreciate all the help thus far.
> Regards,
> Mike
>
> Example Add Entry - http://www.grotan.com/ldap/python-ldap-samples.html
>
>
> -----Original Message-----
> From: Geert Jansen [mailto:geert at boskant.nl]
> Sent: Wed 11/7/2007 1:50 PM
> To: Michael Ströder
> Cc: Mike Matz; python-ldap-dev at lists.sourceforge.net
> Subject: Re: Creating Active Directory Objects
>
> Michael Ströder wrote:
>
> > I vaguely remember that there are some issues with really activating a
> > user entry as a Windows user. But this is not a problem of accessing AD
> > via python-ldap.
> >  
>
> This indeed rings a bell. You need to create the user as disabled (look
> for userAccountControl on MSDN), set a compliant password, and then
> enable him.
>
> Regards,
> Geert
>

-- 
David Leonard                           d at adaptive-enterprises.com.au
                                        Ph:+61 404 844 850
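The sequence the thread converges on (add the user disabled, set unicodePwd over an encrypted bind, then enable it via userAccountControl) is shown below as an added example. It is not code from the thread or from the python-ldap project. The DN, hostname, account names and password are constructed placeholders; the userAccountControl flag values (0x0002 ACCOUNTDISABLE, 0x0200 NORMAL_ACCOUNT) and the unicodePwd write format (the password in double quotes, UTF-16-LE encoded) are as Microsoft documents them. The modlist builders are pure data so they run without python-ldap installed; `provision_user` expects a bound `ldap.LDAPObject`, and `RecordingConnection` is a constructed stand-in that lets the flow run offline.

```python
"""Provision an AD user in three steps: add disabled, set unicodePwd, enable.
Added example (not from the thread or python-ldap); all names are placeholders."""

# userAccountControl bit flags, as documented by Microsoft for that attribute.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200

# Modify operation codes, numerically identical to ldap.MOD_ADD / MOD_DELETE /
# MOD_REPLACE, spelled out so the modlist builders run without python-ldap.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts a unicodePwd write only as the cleartext password wrapped in
    double quotes and encoded as UTF-16-LE; any other encoding is rejected."""
    return ('"' + password + '"').encode("utf-16-le")


def account_is_disabled(user_account_control: int) -> bool:
    """True when the ACCOUNTDISABLE bit is set (useful for a read-back check)."""
    return bool(user_account_control & UF_ACCOUNTDISABLE)


def new_user_entry(cn: str, sam_account_name: str, upn: str):
    """Attribute list for add_s(). The entry is created disabled because it has
    no password yet; an enabled, password-less account is exactly what to avoid."""
    uac = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE  # 512 | 2 = 514
    return [
        ("objectClass", [b"top", b"person", b"organizationalPerson", b"user"]),
        ("cn", [cn.encode("utf-8")]),
        ("sAMAccountName", [sam_account_name.encode("utf-8")]),
        ("userPrincipalName", [upn.encode("utf-8")]),
        ("userAccountControl", [str(uac).encode("ascii")]),
    ]


def set_password_modlist(password: str):
    """Administrative reset: a single MOD_REPLACE of unicodePwd after the entry
    exists. (A user changing their own password instead sends MOD_DELETE of the
    old value plus MOD_ADD of the new one in one modify.)"""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(password)])]


def enable_account_modlist():
    """Clear ACCOUNTDISABLE by replacing userAccountControl with NORMAL_ACCOUNT."""
    return [(MOD_REPLACE, "userAccountControl", [str(UF_NORMAL_ACCOUNT).encode("ascii")])]


def provision_user(conn, dn, cn, sam_account_name, upn, password):
    """conn: a bound ldap.LDAPObject. The session must be ldaps:// (port 636) or
    a SASL/GSSAPI bind with confidentiality; the DC refuses unicodePwd writes
    over an unencrypted connection, so the password step fails there."""
    conn.add_s(dn, new_user_entry(cn, sam_account_name, upn))
    conn.modify_s(dn, set_password_modlist(password))
    conn.modify_s(dn, enable_account_modlist())


class RecordingConnection:
    """Constructed stand-in for ldap.LDAPObject so the flow runs offline.
    Records each call and tracks userAccountControl the way the DC would."""

    def __init__(self):
        self.calls = []
        self.uac = None

    def add_s(self, dn, attrs):
        self.calls.append(("add", dn, attrs))
        self.uac = int(dict(attrs)["userAccountControl"][0])

    def modify_s(self, dn, modlist):
        self.calls.append(("modify", dn, modlist))
        for op, attr, values in modlist:
            if attr == "userAccountControl" and op == MOD_REPLACE:
                self.uac = int(values[0])


def dry_run(password: str = "Correct-Horse-7!") -> RecordingConnection:
    """Run the three-step flow against the recording stand-in (placeholder names)."""
    conn = RecordingConnection()
    provision_user(conn, "CN=Mike Test,OU=Staff,DC=example,DC=test",
                   "Mike Test", "mtest", "mtest@example.test", password)
    return conn


if __name__ == "__main__":
    c = dry_run()
    for op, dn, _payload in c.calls:
        print(op, dn)
    print("disabled after provisioning:", account_is_disabled(c.uac))
```

Against a real domain controller, replace the stand-in with `ldap.initialize("ldaps://dc.example.test")` followed by a `simple_bind_s` as an account allowed to reset passwords (or a SASL/GSSAPI bind, as David suggests), and pass that object to `provision_user`. If the add succeeds but the unicodePwd modify returns an "unwilling to perform" style error, check that the session is actually encrypted and that the password meets the domain's complexity and length policy before looking anywhere else.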
