Re: ldapsearch of Active Directory?
On Tue, 25 Feb 2003, Andrew Petrov wrote:
> I got a lot more data, but not all the attributes (such as passwords).
>
> Anyone tried to use Net::LDAP for this?
Sure, lots and lots of people. Many, many threads on the
perl-dap.sourceforge.net lists.
AD does not store userpassword (except possibly if you use AD for UNIX), but
you can set a password with something like this. AD will only allow you to do
this in a 128-bit encrypted session, which requires you to install a cert
in AD (or run the "magical" and dangerous Microsoft Certificate Service).
# See http://support.microsoft.com/?kbid=269190
# $passwddn/$passwdpw: bind info for a user with password reset privilege
# $domain_controller, $win::domain (search base), $uid, $cleartextpassword:
#   set elsewhere in the script
# Net::LDAPS requires Net::SSLeay
use Net::LDAPS;
use Encode qw(encode);

my $winldap = Net::LDAPS->new($domain_controller)
    or die "cannot connect to $domain_controller: $@";
my $msg = $winldap->bind($passwddn,
                         timeout  => 7,
                         password => $passwdpw,
                         version  => 3);
die "bind failed: " . $msg->error if $msg->code;

# AD expects the new password wrapped in double quotes and encoded as UTF-16LE
my $unicodepwd = encode('UTF-16LE', qq{"$cleartextpassword"});

my $result = $winldap->search(base   => $win::domain,
                              filter => "(samaccountname=$uid)");
die "search failed: " . $result->error if $result->code;
my $entry = $result->entry(0)
    or die "no entry found for $uid";

$entry->replace(unicodepwd => $unicodepwd);
$msg = $entry->update($winldap);
die "password update failed: " . $msg->error if $msg->code;
Some vaguely related refs:
http://web.brandeis.edu/pages/view/Network/ActiveDirectoryTools
Original poster said:
> I am trying to access AD using ldapsearch like this:
> ldapsearch -x -h server -b "dc=our-domain,dc=com"
AD doesn't let you look at anything but schema without authenticating.
You might also need more specific queries. I'm not sure how, but I know our
AD refuses queries that would return too many results (it doesn't even return
a "partial results; too many entries" error the way OpenLDAP does).
If you're on a RedHat 8 box or any other reasonable system with Kerberos
configured to point at your AD Kerberos domain, you can bind without a
password:
kinit && ldapsearch -Y GSSAPI -H ldap://domain.controller.com/ \
-b 'ou=users,dc=controller,dc=com' 'cn=joeschmo'
--
Rich Graves <rcgraves@brandeis.edu>
UNet Systems Administrator
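The unicodePwd wire format the Perl snippet above relies on, as an added Python illustration that is not part of this thread: it builds the quoted UTF-16LE value AD expects and checks that a given value is well-formed (even length, valid UTF-16LE, surrounded by double quotes), which is what a malformed value fails on.

```python
# Constructed illustration of the unicodePwd attribute format (KB 269190),
# not code from the mailing-list post.
from typing import Optional


def unicode_pwd_value(password: str) -> bytes:
    """Build the value AD expects in unicodePwd: the password wrapped in
    double quotes, encoded as UTF-16LE with no BOM and no terminator."""
    return f'"{password}"'.encode("utf-16-le")


def parse_unicode_pwd(value: bytes) -> Optional[str]:
    """Decode a unicodePwd value back to the password.

    Returns None when the value is not well-formed: an odd byte count
    (a character missing its second byte), bytes that are not valid
    UTF-16LE, or a missing leading/trailing double quote.
    """
    if len(value) % 2:
        return None
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        return None
    return text[1:-1]


if __name__ == "__main__":
    sample = unicode_pwd_value("S3cret!")
    print(sample.hex(" "))
    print(parse_unicode_pwd(sample))
```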