Forum: Ruby on Rails Changing Passwords in Active Directory with ruby-net-ldap

Justin G. (Guest)
on 2009-04-21 20:40
I am building an application in Rails using ruby-net-ldap and I am
trying to figure out how to change passwords in Active Directory. Does
anyone have any experience with this using the ruby-net-ldap gem? I know
that I remember seeing an example on the web somewhere that showed how
to do this using the depot application from the Rails book but for the
life of me I can't find it again. :( Any help would be greatly
appreciated.
Jeff B. (Guest)
on 2009-04-22 20:27
(Received via mailing list)
Try replace_attribute:
http://net-ldap.rubyforge.org/rdoc/classes/Net/LDA...

from rdoc example for updating mail attribute:

  dn = "cn=modifyme,dc=example,dc=com"
  ldap.replace_attribute dn, :mail, "removed_email_address@domain.invalid"

I haven't worked with Active Directory specifically, so there might be
quirks regarding updating password (pre-digested/-encoded first,
or ...?). Best to have other means of re-setting password while
testing what works.

Jeff

Sandro D. (Guest)
on 2009-09-03 22:40
Justin,

Have you had any luck about this?

I'm having the same problem here...

TIA,

Sandro

Justin G. (Guest)
on 2009-09-04 01:34

I did figure it out.

My explanation is as follows:

Convert your OLD and NEW passwords into some goofy kind of unicode.
Create a two-element array (1. delete old password element, 2. add new
password element) that modifies the unicodePwd attribute (represented as
:unicodePwd). Run an ldap modify on the proper dn for the user, passing
it both operations from the array (if you need to know how to get the
user dn let me know, but there are lots of examples out there). If it
succeeds it will update the password!


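require 'iconv'  # provides Iconv.iconv

# Wrap the clear-text password in double quotes and convert it to UTF-16LE,
# the form written to the unicodePwd attribute.
def self.ct2uni(cleartextpwd)
    quotepwd = '"' + cleartextpwd + '"'
    unicodepwd = Iconv.iconv('UTF-16LE', 'UTF-8', quotepwd).first
    return unicodepwd
end

# Excerpt: opassword, newpass, dn, login, ldap_con and ret are defined by
# the surrounding code.
oldUniPW = ct2uni( opassword )
newUniPW = ct2uni( newpass )

# Delete the old value and add the new one in a single modify request.
ops = [
    [ :delete, :unicodePwd, [oldUniPW] ],
    [ :add, :unicodePwd, [newUniPW] ]
]

unless( ldap_con.modify :dn => dn, :operations => ops )
    ret[ :status ] = false
    ret[ :message ] = "bad:!:Error changing password for user #{login}."
    return( ret )
end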

Justin
Sandro D. (Guest)
on 2009-09-04 02:12
Thanks...

That did the trick.

Actually I used this code:

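    # Wrap the password in double quotes and append a NUL byte after each
    # character (matches UTF-16LE for ASCII passwords).
    def microsoft_encode_password(pwd)
      ret = ""
      pwd = "\"" + pwd + "\""
      pwd.length.times{|i| ret+= "#{pwd[i..i]}\000" }
      ret
    end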

so you don't need the Iconv dependency.

Thanks again,

Sandro
This topic is locked and can not be replied to.
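
The encoding and the delete/add modify from the posts above, written for current Ruby with String#encode in place of Iconv, plus a replace-based administrative reset that goes beyond the thread; this is an added example, not code from either poster. The ldap argument is assumed to be a bound Net::LDAP connection, and the sample passwords are constructed.

```ruby
# Added example, not code from the thread. `ldap` is assumed to be a bound
# Net::LDAP connection (or anything with #modify and #get_operation_result).

# unicodePwd wire format: the password in double quotes, encoded as UTF-16LE.
def encode_unicode_pwd(password)
  "\"#{password}\"".encode(Encoding::UTF_16LE).force_encoding(Encoding::BINARY)
end

# The NUL-after-every-character shortcut, reproduced only for comparison.
def nul_interleaved(password)
  "\"#{password}\"".each_char.map { |c| "#{c}\0" }.join.force_encoding(Encoding::BINARY)
end

# Self-service change: delete the old value and add the new one in one modify.
def change_ops(old_password, new_password)
  [[:delete, :unicodePwd, [encode_unicode_pwd(old_password)]],
   [:add, :unicodePwd, [encode_unicode_pwd(new_password)]]]
end

# Administrative reset: a single replace; the old password is not needed.
def reset_ops(new_password)
  [[:replace, :unicodePwd, [encode_unicode_pwd(new_password)]]]
end

# Returns [ok, message]. The message is built from the server's result code,
# so neither password ends up in logs or in the response.
def change_password(ldap, dn, old_password, new_password)
  ops = change_ops(old_password, new_password)
  return [true, 'password changed'] if ldap.modify(dn: dn, operations: ops)

  result = ldap.get_operation_result
  [false, "LDAP error #{result.code}: #{result.message}"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample passwords: one ASCII, one with a non-ASCII character.
  ['Passw0rd!', "p\u00e4ssword"].each do |pw|
    same = encode_unicode_pwd(pw) == nul_interleaved(pw)
    puts "#{encode_unicode_pwd(pw).bytesize} bytes, shortcut matches: #{same}"
  end
end
```

Active Directory accepts unicodePwd writes only over an encrypted connection such as LDAPS. The per-character NUL shortcut equals UTF-16LE only for ASCII passwords, which the demo at the bottom shows.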