修改通过的ldapmodify Active Directory的密码 [英] Modifying Active Directory Passwords via ldapmodify
问题描述
我在研究各种LDAP操作的脚本。不过,我已经打了一下速度的碰撞与Active Directory用户创建。
I'm investigating the scripting of various LDAP operations. However, I've hit a bit of a speed bump with Active Directory user creation.
当我通过的ldapmodify
命令加载以下LDIF失败:
The following LDIF fails when I load it in via the ldapmodify
command:
dn: CN=Frank,CN=Users,DC=domain,dc=local
changeType: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Frank
userPrincipalName: frank@domain.local
sAMAccountName: frank
givenName: Frank
sn: Stein
displayName: Frank Stein
description: Frankenstein's User
userAccountControl: 512
unicodePwd: "AnExamplePassword1!"
当试图通过LDIF添加用户,我用下面的命令:
When attempting to add the user via LDIF, I used the following command:
ldapmodify -H 'ldaps://<ip-of-server>:636' -D 'DOMAIN\Administrator' -x -W -f frank-add.ldif
这将失败,并出现以下错误:
This fails with the following error:
ldap_add: Server is unwilling to perform (53)
additional info: 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0
这是与密码策略,拒绝用户的一个问题。
This is a problem with the password policy denying the user.
但是,下面的Python脚本作品:
However, the following Python script works:
#!/usr/bin/python
import ldap
import ldap.modlist as modlist
AD_LDAP_URL='ldaps://<ip-of-server>:636'
ADMIN_USER='DOMAIN\Administrator'
# User must be authorized to create accounts, naturally.
ADMIN_PASSWORD='password for ADMIN_USER'
BASE_DN='dc=domain,dc=local'
username='frank'
firstname='Frank'
surname='Stein'
displayName = "Frank Stein"
password='AnExamplePassword1!'
# The value of password still needs to adhere to the domain's password policy.
unicode_pass = unicode('\"' + password + '\"', 'iso-8859-1')
password_value = unicode_pass.encode('utf-16-le')
l = ldap.initialize(AD_LDAP_URL)
l.simple_bind_s(ADMIN_USER, ADMIN_PASSWORD)
dn=str('CN=%s,CN=Users,DC=domain,dc=local' % firstname)
attrs = {}
attrs['objectclass'] = ['top','person','organizationalPerson','user']
attrs['cn'] = str(username)
attrs['sAMAccountname'] = str(username)
attrs['unicodePwd'] = str(password_value)
attrs['givenName'] = str(firstname)
attrs['sn'] = str(surname)
attrs['displayName'] = str(displayName)
attrs['description'] = str("Frankenstein's User")
attrs['userPrincipalName'] = str("%s@domain.local" % username)
attrs['userAccountControl'] = str(512)
ldif = modlist.addModlist(attrs)
l.add_s(dn,ldif)
使用Python脚本,我马上就能使用用户的密码(减去了逃脱了引号)签署。我仍然可以触发同不愿意执行靠捡像'密码'这是太简单密码错误。然而,在这种情况下,所使用的密码是相同的。
Using the Python script, I am immediately able to sign in using the user's password (minus the quotes that were escaped out). I can still trigger the same "Unwilling to Perform" error by picking a password like 'password' that is too simple. However, in this case the password being used is the same.
到目前为止,我所看到的,操作应该是相同的。打破LDIF文件不同的是,我处理,我需要括在,创建密码通过LDIF成功,如果我做一个禁用的账户userAccountControl的值设置为544,而不是包括密码引号的方式。然而,这意味着,我需要手动去重置用户口令。
So far as I can see, the operations should be identical. The difference that breaks the LDIF file is the way that I deal with the quotes that I need to enclose the password in. Creation via LDIF succeeds if I make a disabled account by setting the value of userAccountControl to 544 and not including a password. However, this means that I would need to manually go and reset the user's password.
到目前为止,我已经通过LDIF尝试以下密码格式:
So far, I've tried the following password formats via LDIF:
- 不带引号。
- 平原报价。
- 通过\ 转义引号
- 通过ASCII转义引号:{\ 22}
- 使用Python为Base64恩code中的密码(带和不带引号,并修改
UNI codePWD ::
的LDIF格式)
- Without quotes.
- Plain quotes.
- Escaped quotes via \
- Escaped quotes via ASCII: {\22}
- Using Python to Base64-encode the password (With and without quotes, and with the format of the LDIF modified to
unicodePwd::
)
虽然我很高兴,我已经通过Python的添加用户的工作方式,我还是有点困惑如何使用LDIF文件和的ldapmodify 得当逃脱出来的密码值code>。有没有办法,我不考虑替代的方法?
While I'm happy that I have a working method of adding users via the Python, I'm still a bit confused about how to properly escape out password values when using LDIF files and ldapmodify
. Is there an alternate method that I'm not considering?
推荐答案
为什么不使用LDIFDE和UNI code的base64 EN code中的密码,如下所述:的 http://support.microsoft.com/kb/263991
Why not use ldifde and unicode base64 encode the password as described here: http://support.microsoft.com/kb/263991
您python脚本似乎编码密码UNI code / BASE64。也许你的密码必须是EN codeD在ldif文件(用编码时引号),而不是纯文本,你在做你的榜样。
Your python script seems to be encoding the password as unicode / base64. Perhaps your password needs to be encoded in your ldif file (with the quotes when encoding) rather than plain text as you are doing in your example.
例如:
unicodePwd:: IgBBAG4ARQB4AGEAbQBwAGwAZQBQAGEAcwBzAHcAbwByAGQAMQAhACIA
为您提供的示例密码。
For the example password you provided.
这篇关于修改通过的ldapmodify Active Directory的密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!