Re: Creating Active Directory Objects

Hi, Mike

I think AD uses an extension to the Kerberos protocol to change the password of a user. See http://msdn2.microsoft.com/en-us/library/ms808911.aspx

As far as I understand it, the unicodePwd attribute is the NT hash of the user's password. (See http://msdn2.microsoft.com/en-us/library/ms680513.aspx)

Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's LDAP. It should be a lot easier to manage than SSL certs.

David

Mike Matz wrote:
> Thanks for the help guys. It got me off to a great start. I have successfully created a user in my AD. As you already alluded to, I am struggling with the password attribute. Can the password attribute be set when creating a user? From what I gathered, the password attribute is 'unicodePwd'. This attribute cannot be created, it can only be modified. Is this attribute created by default when a user is created? Would I be able to do an add and then a modify to set the password?
>
> I am aware of the fact that there are certain restrictions in place in order to modify the password. I have set up my AD to include SSL and I am able to bind as Administrator over port 636. With that said, one of the examples I ran across for adding a user refers to another attribute 'userPassword'. I am unable to tell what this attribute is. In the link below, it appears that the password is being set when the entry is added. I have tried this unsuccessfully.
>
> I appreciate all the help thus far.
>
> Regards,
> Mike
>
> Example Add Entry - http://www.grotan.com/ldap/python-ldap-samples.html
>
> -----Original Message-----
> From: Geert Jansen [mailto:[EMAIL PROTECTED]
> Sent: Wed 11/7/2007 1:50 PM
> To: Michael Ströder
> Cc: Mike Matz; [email protected]
> Subject: Re: Creating Active Directory Objects
>
> Michael Ströder wrote:
> > I vaguely remember that there are some issues with really activating a
> > user entry as a Windows user. But this is not a problem of accessing AD
> > via python-ldap.
>
> This indeed rings a bell. You need to create the user as disabled (look for userAccountControl on MSDN), set a compliant password, and then enable him.
>
> Regards,
> Geert

--
David Leonard [EMAIL PROTECTED] Ph:+61 404 844 850

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
_______________________________________________
Python-LDAP-dev mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/python-ldap-dev
Re: building better binary eggs

Hi,

> I want to suggest another approach: there needs to be an .egg for
> python-ldap that simply includes in the .so file, statically linked,
> all of the libraries it needs - so that the OpenLDAP and OpenSSL
> libraries just come "built in" and working, and don't rely on your
> even having those libraries available on your OS, much less having
> them working.

I don't see any problems with this approach, except:

- someone has to build and maintain those eggs
- such static libraries are much overhead on systems having the appropriate dependencies available. Thinking of Linux, one would (at least) have to link in:
  * glibc (with all dependencies)
  * libssl + libcrypto
  * libsasl
  * libldap
  * liblber

For my purposes the dynamically linked eggs work just great, and everyone who tried the Windows egg, after installing the obvious dependency OpenLDAP, reported success so far.

So, if you need static eggs, go ahead - I don't see much use...

Regards,
Torsten

--
I'll give you a definite maybe.
  -Samuel Goldwyn
Re: Creating Active Directory Objects

Thanks for your input David. I will read through the MSDN articles to see if they provide me with any insight. I am not familiar with using SASL/GSSAPI/Kerberos to bind to AD's LDAP. Could you possibly provide me with a few steps to accomplish this?

Thanks,
Mike

On Nov 8, 2007, at 7:48 AM, David Leonard wrote:
> Hi, Mike
>
> I think AD uses an extension to the Kerberos protocol to change the password of a user. See http://msdn2.microsoft.com/en-us/library/ms808911.aspx
>
> As far as I understand it, the unicodePwd attribute is the NT hash of the user's password. (See http://msdn2.microsoft.com/en-us/library/ms680513.aspx)
>
> Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's LDAP. It should be a lot easier to manage than SSL certs.
>
> David
Re: Creating Active Directory Objects

First step is configuring your platform's Kerberos library so you can kinit against your AD server. You will need to read about krb5.conf and kinit, I suspect.

Next step is getting a SASL-GSSAPI module installed so that SASL can access your Kerberos library (through its GSSAPI interface). This is a matter of package hunting usually. I'm assuming your OpenLDAP library has SASL support.

Finally, you call ldap_sasl_bind to connect. I hope someone else can chime in here with an example of SASL binds with python-ldap.

d

Mike Matz wrote:
> Thanks for your input David. I will read through the MSDN articles to see if they provide me with any insight. I am not familiar with using SASL/GSSAPI/Kerberos to bind to AD's LDAP. Could you possibly provide me with a few steps to accomplish this?
>
> Thanks,
> Mike

--
David Leonard [EMAIL PROTECTED] Ph:+61 404 844 850
Re: Creating Active Directory Objects

David Leonard wrote:
>
> As far as I understand it, the unicodePwd attribute is the NT hash of
> the user's password.

I don't think so when setting it. Maybe it contains the NT hash afterwards, but conversion is probably done internally.

http://support.microsoft.com/kb/269190

It seems you need to combine ldap.MOD_DELETE with old password and ldap.MOD_ADD with new password when setting unicodePwd yourself, and ldap.MOD_REPLACE when setting it for another account. Additionally you have to use quotes around it. And furthermore it has to be UTF-16-encoded (little-endian).

MS docs are usually poorly written.

> Also, you may want to look at using SASL/GSSAPI/Kerberos to bind to AD's
> LDAP. It should be a lot easier to manage than SSL certs.

The SSL certs are not used to bind to AD in this case. Rather they are just used to connect over SSL (ldaps://).

Ciao, Michael.
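The two pieces of advice in this thread fit together into one procedure: Geert's create-disabled, set-password, enable sequence (quoted above), and Michael's description of the unicodePwd wire value (the password wrapped in double quotes, then UTF-16-LE, with MOD_REPLACE for an administrative reset and MOD_DELETE plus MOD_ADD for a user changing their own password). The following is an added example written for this page; it is not code from the thread or from python-ldap. It assumes python-ldap's ldap.MOD_* constants when the module imports and otherwise falls back to the numeric values python-ldap defines (ADD=0, DELETE=1, REPLACE=2); the userAccountControl bit values are the documented ADS_UF_ACCOUNTDISABLE (0x2) and ADS_UF_NORMAL_ACCOUNT (0x200) flags; and the connection object only needs add_s() and modify_s(), so a recording stand-in is used in place of ldap.initialize() so the exact operations can be inspected offline. Against a real domain controller the modify has to travel over ldaps:// (as Mike's port 636 setup does) or a SASL bind with confidentiality; AD rejects unicodePwd changes on a plaintext connection.

```python
"""
Added example (not from the thread or python-ldap): create an AD user
disabled, set unicodePwd, then enable it. See the lead-in for the
assumptions: MOD_* fallback values, ADS_UF_* bit values, and a recording
stand-in for the LDAP connection so this runs offline.
"""
try:
    import ldap
    MOD_ADD, MOD_DELETE, MOD_REPLACE = ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE
except ImportError:
    # python-ldap not installed: these are the numeric values it defines
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# userAccountControl flag bits (assumed from the documented ADS_UF_* flags)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200


def encode_unicode_pwd(password):
    """Quoted password in UTF-16-LE. The quotes are part of the wire value,
    not of the password the user will type."""
    return ('"%s"' % password).encode('utf-16-le')


def admin_reset_modlist(new_password):
    """Reset by a privileged account: a single MOD_REPLACE, old password not needed."""
    return [(MOD_REPLACE, 'unicodePwd', [encode_unicode_pwd(new_password)])]


def self_change_modlist(old_password, new_password):
    """Change by the user: MOD_DELETE of the old value and MOD_ADD of the new
    one, both carried in the same modify request."""
    return [
        (MOD_DELETE, 'unicodePwd', [encode_unicode_pwd(old_password)]),
        (MOD_ADD, 'unicodePwd', [encode_unicode_pwd(new_password)]),
    ]


def new_user_attrs(sam_account_name, upn):
    """Add-list for a user created disabled: NORMAL_ACCOUNT | ACCOUNTDISABLE = 514."""
    uac = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE
    return [
        ('objectClass', [b'top', b'person', b'organizationalPerson', b'user']),
        ('sAMAccountName', [sam_account_name.encode('utf-8')]),
        ('userPrincipalName', [upn.encode('utf-8')]),
        ('userAccountControl', [str(uac).encode('ascii')]),
    ]


def create_user_with_password(conn, dn, sam_account_name, upn, password):
    """Three operations in order: add the disabled account, set its password
    with the administrative MOD_REPLACE form, then clear the disable bit.
    `conn` is anything with add_s(dn, modlist) and modify_s(dn, modlist),
    e.g. a python-ldap LDAPObject after simple_bind_s() over ldaps://."""
    conn.add_s(dn, new_user_attrs(sam_account_name, upn))
    conn.modify_s(dn, admin_reset_modlist(password))
    conn.modify_s(dn, [(MOD_REPLACE, 'userAccountControl',
                        [str(UF_NORMAL_ACCOUNT).encode('ascii')])])


class RecordingConnection:
    """Offline stand-in for ldap.initialize(...): records operations
    instead of sending them to a domain controller."""
    def __init__(self):
        self.ops = []

    def add_s(self, dn, modlist):
        self.ops.append(('add', dn, modlist))

    def modify_s(self, dn, modlist):
        self.ops.append(('modify', dn, modlist))


def demo():
    """Run the sequence against the stand-in and return the recorded operations."""
    conn = RecordingConnection()
    create_user_with_password(conn, 'CN=Mike Matz,CN=Users,DC=example,DC=com',
                              'mmatz', 'mmatz@example.com', 'Tr0ub4dor&3')
    return conn.ops


if __name__ == '__main__':
    for op, dn, modlist in demo():
        print(op, dn, modlist)
```

Replace RecordingConnection with a real connection that has already bound as an account allowed to reset passwords, and the same three calls go to the directory. If the password does not meet the domain policy the second modify fails with a constraint violation, and the account stays disabled, which is the point of ordering the operations this way.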
Re: Creating Active Directory Objects
(repost from another address)

Here's something that may be useful in this conversation about AD Objects. With some reference help, I wrote a script to pack a SID, as I was creating the necessary objects to create AD accounts from Python using python-ldap:
"""
packsid
"""
import base64,struct
def packsid(textsid):
if textsid[0] != 'S':
return;
data = (textsid[2:]).split('-')
rev = int(data[0])
idauth = int(data[1])
subauthcount = len(data) - 2
packedsid = struct.pack("8B", rev, subauthcount, 0, 0, 0, 0, 0,
idauth)
for i in range(0,subauthcount):
addpack = struct.pack(" Michael Ströder wrote:
>
>> I vaguely remember that there are some issues with really activating a
>> user entry as a Windows user. But this is not a problem of accessing AD
>> via python-ldap.
>
> This indeed rings a bell. You need to create the user as disabled (look
> for userAccountControl on MSDN), set a compliant password, and then
> enable him.
>
> Regards,
> Geert
>
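The packsid() script above goes from text to binary. A script that creates accounts and then reads them back from AD gets objectSid in the binary form, so the inverse is the piece a practitioner usually ends up writing next. The following is an added example for this page, not code from the poster or from python-ldap. It relies only on the SID binary layout (byte 0 revision, byte 1 sub-authority count, bytes 2-7 identifier authority as a 48-bit big-endian integer, then each sub-authority as a 32-bit little-endian integer) and handles the full 48-bit authority rather than a single byte. The sample SID bytes are constructed for the demonstration, not taken from a real domain, and the filter-escaping helper is an assumption about how you would then search for that SID: it hex-escapes every byte as \XX, which the LDAP filter grammar permits for any value.

```python
"""
Added example (not from the thread): binary objectSid -> text SID, the
RID, and a filter string to look the object up again. Sample bytes are
constructed here, not read from a directory.
"""
import struct


def unpack_sid(data):
    """Decode a binary SID into its 'S-R-I-S1-S2-...' text form.
    Raises ValueError if the buffer does not match its own length field."""
    if len(data) < 8:
        raise ValueError('SID too short: need at least 8 bytes')
    rev, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError('SID length does not match sub-authority count')
    idauth = int.from_bytes(data[2:8], 'big')          # 48-bit, big-endian
    subs = struct.unpack('<%dI' % count, data[8:])     # 32-bit each, little-endian
    return 'S-%d-%d%s' % (rev, idauth, ''.join('-%d' % s for s in subs))


def rid(data):
    """The relative identifier is the last sub-authority of the SID."""
    count = data[1]
    if count == 0 or len(data) != 8 + 4 * count:
        raise ValueError('SID has no sub-authorities or bad length')
    return struct.unpack('<I', data[8 + 4 * (count - 1):])[0]


def escape_for_filter(data):
    """Hex-escape every byte for use as an LDAP filter assertion value
    (assumed approach; valid for any byte string)."""
    return ''.join('\\%02x' % b for b in data)


def sid_filter(data):
    """Filter that finds the object owning this binary SID."""
    return '(objectSid=%s)' % escape_for_filter(data)


# Constructed sample: revision 1, five sub-authorities, NT authority (5),
# domain identifier 21-3623811015-3361044348-30300, RID 1105.
SAMPLE_SID_BYTES = (
    bytes([1, 5]) + (5).to_bytes(6, 'big')
    + struct.pack('<5I', 21, 3623811015, 3361044348, 30300, 1105)
)
SAMPLE_SID_TEXT = 'S-1-5-21-3623811015-3361044348-30300-1105'

# Well-known LocalSystem SID, S-1-5-18, in binary form.
LOCAL_SYSTEM_SID_BYTES = b'\x01\x01\x00\x00\x00\x00\x00\x05\x12\x00\x00\x00'


if __name__ == '__main__':
    print(unpack_sid(SAMPLE_SID_BYTES), 'RID', rid(SAMPLE_SID_BYTES))
    print(sid_filter(SAMPLE_SID_BYTES))
```

The length check matters when the bytes come from somewhere other than the directory (an LDIF dump, a log, a token blob): a truncated or padded buffer decodes to a plausible-looking but wrong SID if the count byte is trusted blindly.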
Re: Creating Active Directory Objects

David Leonard wrote:
> I hope someone else can
> chime in here with an example of sasl binds with python-ldap.

See: Demo/sasl_bind.py

Ciao, Michael.
Re: Creating Active Directory Objects

> Mike Matz wrote:
>> Thanks for the help guys. It got me off to a great start. I have
>> successfully created a user in my AD. As you already alluded to, I am
>> struggling with the password attribute. Can the password attribute
>> be set when creating a user? From what I gathered, the password
>> attribute is 'unicodePwd'.

Forget about using LDAP to change a user's password. It can be done but it requires 128-bit SSL and so you need to set up certificate services and distribute the CA certificate to your client.

An easier way is to use the Kerberos Set Password protocol (RFC3244). MIT Kerberos 1.3 and later support this protocol. Unfortunately there is no command-line interface to this call so you need to create a Python extension module for wrapping this call. My (in progress) project FreeADI contains a wrapper for the Set Password call. See the file "/trunk/freeadi/core/_krb5.c" on my Trac page at freeadi.org. The code is available under the liberal MIT license.

The "userPassword" attribute is the Unix shadow hash, and is not used for Kerberos.

Regards,
Geert
Re: Creating Active Directory Objects

Michael Ströder wrote:
> David Leonard wrote:
>> I hope someone else can chime in here with an example of sasl binds with python-ldap.
>
> See: Demo/sasl_bind.py

oops, of course! thanks michael :)

--
David Leonard [EMAIL PROTECTED] Ph:+61 404 844 850
