修改通过的ldapmodify Active Directory的密码 [英] Modifying Active Directory Passwords via ldapmodify

问题描述

我在研究各种LDAP操作的脚本。不过，我已经打了一下速度的碰撞与Active Directory用户创建。

I'm investigating the scripting of various LDAP operations. However, I've hit a bit of a speed bump with Active Directory user creation.

当我通过的ldapmodify 命令加载以下LDIF失败：

The following LDIF fails when I load it in via the ldapmodify command:

dn: CN=Frank,CN=Users,DC=domain,dc=local
changeType: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Frank
userPrincipalName: frank@domain.local
sAMAccountName: frank
givenName: Frank
sn: Stein
displayName: Frank Stein
description: Frankenstein's User
userAccountControl: 512
unicodePwd: "AnExamplePassword1!"

当试图通过LDIF添加用户，我用下面的命令：

When attempting to add the user via LDIF, I used the following command:

ldapmodify -H 'ldaps://<ip-of-server>:636' -D 'DOMAIN\Administrator' -x -W -f frank-add.ldif

这将失败，并出现以下错误：

This fails with the following error:

ldap_add: Server is unwilling to perform (53)
        additional info: 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0

这是与密码策略，拒绝用户的一个问题。

This is a problem with the password policy denying the user.

但是，下面的Python脚本作品：

However, the following Python script works:

#!/usr/bin/python

import ldap
import ldap.modlist as modlist

AD_LDAP_URL='ldaps://<ip-of-server>:636'
ADMIN_USER='DOMAIN\Administrator'
# User must be authorized to create accounts, naturally.
ADMIN_PASSWORD='password for ADMIN_USER'
BASE_DN='dc=domain,dc=local'

username='frank'
firstname='Frank'
surname='Stein'
displayName = "Frank Stein"

password='AnExamplePassword1!'
# The value of password still needs to adhere to the domain's password policy.
unicode_pass = unicode('\"' + password + '\"', 'iso-8859-1')
password_value = unicode_pass.encode('utf-16-le')

l = ldap.initialize(AD_LDAP_URL)
l.simple_bind_s(ADMIN_USER, ADMIN_PASSWORD)

dn=str('CN=%s,CN=Users,DC=domain,dc=local' % firstname)

attrs = {}

attrs['objectclass'] = ['top','person','organizationalPerson','user']
attrs['cn'] = str(username)
attrs['sAMAccountname'] = str(username)
attrs['unicodePwd'] = str(password_value)
attrs['givenName'] = str(firstname)
attrs['sn'] = str(surname)
attrs['displayName'] = str(displayName)
attrs['description'] = str("Frankenstein's User")
attrs['userPrincipalName'] = str("%s@domain.local" % username)
attrs['userAccountControl'] = str(512)

ldif = modlist.addModlist(attrs)
l.add_s(dn,ldif)

使用Python脚本，我马上就能使用用户的密码（减去了逃脱了引号）签署。我仍然可以触发同不愿意执行靠捡像'密码'这是太简单密码错误。然而，在这种情况下，所使用的密码是相同的。

Using the Python script, I am immediately able to sign in using the user's password (minus the quotes that were escaped out). I can still trigger the same "Unwilling to Perform" error by picking a password like 'password' that is too simple. However, in this case the password being used is the same.

到目前为止，我所看到的，操作应该是相同的。打破LDIF文件不同的是，我处理，我需要括在，创建密码通过LDIF成功，如果我做一个禁用的账户userAccountControl的值设置为544，而不是包括密码引号的方式。然而，这意味着，我需要手动去重置用户口令。

So far as I can see, the operations should be identical. The difference that breaks the LDIF file is the way that I deal with the quotes that I need to enclose the password in. Creation via LDIF succeeds if I make a disabled account by setting the value of userAccountControl to 544 and not including a password. However, this means that I would need to manually go and reset the user's password.

到目前为止，我已经通过LDIF尝试以下密码格式：

So far, I've tried the following password formats via LDIF:

• 不带引号。
• 平原报价。
• 通过\
转义引号
• 通过ASCII转义引号：{\ 22}
• 使用Python为Base64恩code中的密码（带和不带引号，并修改 UNI codePWD :: 的LDIF格式）

• Without quotes.
• Plain quotes.
• Escaped quotes via \
• Escaped quotes via ASCII: {\22}
• Using Python to Base64-encode the password (With and without quotes, and with the format of the LDIF modified to unicodePwd::)

虽然我很高兴，我已经通过Python的添加用户的工作方式，我还是有点困惑如何使用LDIF文件和的ldapmodify 。有没有办法，我不考虑替代的方法？

While I'm happy that I have a working method of adding users via the Python, I'm still a bit confused about how to properly escape out password values when using LDIF files and ldapmodify. Is there an alternate method that I'm not considering?

推荐答案

为什么不使用LDIFDE和UNI code的base64 EN code中的密码，如下所述：的 http://support.microsoft.com/kb/263991

Why not use ldifde and unicode base64 encode the password as described here: http://support.microsoft.com/kb/263991

您python脚本似乎编码密码UNI code / BASE64。也许你的密码必须是EN codeD在ldif文件（用编码时引号），而不是纯文本，你在做你的榜样。

Your python script seems to be encoding the password as unicode / base64. Perhaps your password needs to be encoded in your ldif file (with the quotes when encoding) rather than plain text as you are doing in your example.

例如：

unicodePwd:: IgBBAG4ARQB4AGEAbQBwAGwAZQBQAGEAcwBzAHcAbwByAGQAMQAhACIA

为您提供的示例密码。

For the example password you provided.

这篇关于修改通过的ldapmodify Active Directory的密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！