Justin Grudzien
2009-Apr-21 16:40 UTC
Changing Passwords in Active Directory with ruby-net-ldap
I am building an application in Rails using ruby-net-ldap and I am trying to figure out how to change passwords in Active Directory. Does anyone have any experience with this using the ruby-net-ldap gem? I know that I remember seeing an example on the web somewhere that showed how to do this using the depot application from the Rails book but for the life of me I can't find it again. :( Any help would be greatly appreciated.

--
Posted via http://www.ruby-forum.com/.
Jeff Lewis
2009-Apr-22 16:25 UTC
Re: Changing Passwords in Active Directory with ruby-net-ldap
Try replace_attribute: http://net-ldap.rubyforge.org/rdoc/classes/Net/LDAP.html#M000030

from rdoc example for updating mail attribute:

    dn = "cn=modifyme,dc=example,dc=com"
    ldap.replace_attribute dn, :mail, "newmailaddress-hcDgGtZH8xNBDgjK7y7TUQ@public.gmane.org"

I haven't worked with Active Directory specifically, so might be quirks regarding updating password (pre-digested/-encoded first, or ...?). Best to have other means of re-setting password while testing what works.

Jeff

On Apr 21, 9:40 am, Justin Grudzien <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> I am building an application in Rails using ruby-net-ldap and I am
> trying to figure out how to change passwords in Active Directory. Does
> anyone have any experience with this using the ruby-net-ldap gem? I know
> that I remember seeing an example on the web somewhere that showed how
> to do this using the depot application from the Rails book but for the
> life of me I can't find it again. :( Any help would be greatly
> appreciated.
> --
> Posted via http://www.ruby-forum.com/.
Sandro Duarte
2009-Sep-03 18:40 UTC
Re: Changing Passwords in Active Directory with ruby-net-ldap
Justin,

Have you had any luck about this?

I'm having the same problem here...

TIA,

Sandro

Justin Grudzien wrote:
> I am building an application in Rails using ruby-net-ldap and I am
> trying to figure out how to change passwords in Active Directory. Does
> anyone have any experience with this using the ruby-net-ldap gem? I know
> that I remember seeing an example on the web somewhere that showed how
> to do this using the depot application from the Rails book but for the
> life of me I can't find it again. :( Any help would be greatly
> appreciated.

--
Posted via http://www.ruby-forum.com/.
Justin Grudzien
2009-Sep-03 21:34 UTC
Re: Changing Passwords in Active Directory with ruby-net-ldap
Sandro Duarte wrote:
> Justin,
>
> Have you had any luck about this?
>
> I'm having the same problem here...
>
> TIA,
>
> Sandro
>
> Justin Grudzien wrote:
>> I am building an application in Rails using ruby-net-ldap and I am
>> trying to figure out how to change passwords in Active Directory. Does
>> anyone have any experience with this using the ruby-net-ldap gem? I know
>> that I remember seeing an example on the web somewhere that showed how
>> to do this using the depot application from the Rails book but for the
>> life of me I can't find it again. :( Any help would be greatly
>> appreciated.

I did figure it out.

My explanation is as follows:

Convert your OLD and NEW passwords into some goofy kind of unicode. Create a two element array (1. delete old password element, 2. Add new password element) that modifies the unicodePwd attribute (represented as :unicodePwd). Run an ldap modify on the proper dn for the user passing it both operations from the array (if you need to know how to get the user dn let me know but there are lots of examples out there.). If it succeeds it will update the password!

    require 'iconv'  # Ruby 1.8-era stdlib; Iconv was removed from the standard library in Ruby 2.0

    # Wrap the cleartext password in double quotes and convert it to UTF-16LE.
    def self.ct2uni(cleartextpwd)
      quotepwd = '"' + cleartextpwd + '"'
      unicodepwd = Iconv.iconv('UTF-16LE', 'UTF-8', quotepwd).first
      return unicodepwd
    end

    oldUniPW = ct2uni( opassword )
    newUniPW = ct2uni( newpass )

    # Delete the old value and add the new one in a single modify request.
    ops = [
      [ :delete, :unicodePwd, [oldUniPW] ],
      [ :add, :unicodePwd, [newUniPW] ]
    ]

    unless( ldap_con.modify :dn => dn, :operations => ops )
      ret[ :status ] = false
      ret[ :message ] = "bad:!:Error changing password for user #{login}."
      return( ret )
    end

Justin

--
Posted via http://www.ruby-forum.com/.
Sandro Duarte
2009-Sep-03 22:12 UTC
Re: Changing Passwords in Active Directory with ruby-net-ldap
Thanks... That did the trick.

Actually I used this code:

    # Appends a NUL byte after each character of the quoted password;
    # the result matches UTF-16LE only for ASCII characters.
    def microsoft_encode_password(pwd)
      ret = ""
      pwd = "\"" + pwd + "\""
      pwd.length.times{|i| ret+= "#{pwd[i..i]}\000" }
      ret
    end

so you don't need the Iconv dependency.

Thanks again,

Sandro

>
> I did figure it out.
>
> My explanation is as follows:
>
> Convert your OLD and NEW passwords into some goofy kind of unicode.
> Create a two element array (1. delete old password element, 2. Add new
> password element) that modifies the unicodePwd attribute (represented as
> :unicodePwd). Run an ldap modify on the proper dn for the user passing
> it both operations from the array (if you need to know how to get the
> user dn let me know but there are lots of examples out there.). If it
> succeeds it will update the password!
>
>
> def self.ct2uni(cleartextpwd)
>   quotepwd = '"' + cleartextpwd + '"'
>   unicodepwd = Iconv.iconv('UTF-16LE', 'UTF-8', quotepwd).first
>   return unicodepwd
> end
>
> oldUniPW = ct2uni( opassword )
> newUniPW = ct2uni( newpass )
>
> ops = [
>   [ :delete, :unicodePwd, [oldUniPW] ],
>   [ :add, :unicodePwd, [newUniPW] ]
> ]
>
> unless( ldap_con.modify :dn => dn, :operations => ops )
>   ret[ :status ] = false
>   ret[ :message ] = "bad:!:Error changing password for user #{login}."
>   return( ret )
> end
>
> Justin

--
Posted via http://www.ruby-forum.com/.
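Added example (not code from any poster in this thread): the unicodePwd encoding done with Ruby's built-in String#encode, compared with NUL-interleaving on a non-ASCII password, plus the operation arrays for a user change versus an administrative reset. Helper names and sample passwords are constructed for illustration.

```ruby
# Added example. Helper names and sample passwords are constructed for
# illustration; the operation arrays use the [op, attribute, values] shape
# shown in the thread.

# unicodePwd value: the password in double quotes, encoded as UTF-16LE.
def ad_unicode_pwd(cleartext)
  raise ArgumentError, 'password is not valid text' unless cleartext.valid_encoding?
  "\"#{cleartext}\"".encode(Encoding::UTF_16LE).force_encoding(Encoding::BINARY)
end

# NUL-interleaving as in the thread, applied per byte (how Ruby 1.8 strings
# behaved). Kept only for comparison with ad_unicode_pwd.
def nul_interleave(cleartext)
  "\"#{cleartext}\"".bytes.map { |b| [b, 0].pack('CC') }.join
end

# User changing their own password: delete the old value, add the new one.
def change_ops(old_pw, new_pw)
  [
    [:delete, :unicodePwd, [ad_unicode_pwd(old_pw)]],
    [:add,    :unicodePwd, [ad_unicode_pwd(new_pw)]]
  ]
end

# Administrative reset: one replace, no knowledge of the old password.
def reset_ops(new_pw)
  [[:replace, :unicodePwd, [ad_unicode_pwd(new_pw)]]]
end

ASCII_PW     = 'S3cret!pw'.freeze            # constructed sample
NON_ASCII_PW = "P\u00E4ssw0rd\u20AC".freeze  # constructed sample: "Pässw0rd€"

def hex(bytes)
  bytes.unpack1('H*').scan(/../).join(' ')
end

if __FILE__ == $PROGRAM_NAME
  puts "ASCII match:     #{ad_unicode_pwd(ASCII_PW) == nul_interleave(ASCII_PW)}"
  puts "non-ASCII match: #{ad_unicode_pwd(NON_ASCII_PW) == nul_interleave(NON_ASCII_PW)}"
  puts "UTF-16LE:        #{hex(ad_unicode_pwd(NON_ASCII_PW))}"
  puts "NUL-interleaved: #{hex(nul_interleave(NON_ASCII_PW))}"
  # With net-ldap: ldap.modify(dn: user_dn, operations: change_ops(old, new))
end
```

Active Directory accepts unicodePwd modifications only over an encrypted connection such as LDAPS (in net-ldap, `encryption: :simple_tls` on port 636), so the modify fails on a plain LDAP bind regardless of how the value is encoded.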