Changing Passwords in Active Directory with ruby-net-ldap


#1

I am building an application in Rails using ruby-net-ldap and I am
trying to figure out how to change passwords in Active Directory. Does
anyone have any experience with this using the ruby-net-ldap gem? I know
that I remember seeing an example on the web somewhere that showed how
to do this using the depot application from the Rails book but for the
life of me I can’t find it again. :frowning: Any help would be greatly
appreciated.


#2

Try replace_attribute:
http://net-ldap.rubyforge.org/rdoc/classes/Net/LDAP.html#M000030

from rdoc example for updating mail attribute:

dn = "cn=modifyme,dc=example,dc=com"
ldap.replace_attribute dn, :mail, "removed_email_address@domain.invalid"

I haven’t worked with Active Directory specifically, so might be
quirks regarding updating password (pre-digested/-encoded first,
or …?) . Best to have other means of re-setting password while
testing what works.

Jeff

On Apr 21, 9:40 am, Justin G. removed_email_address@domain.invalid


#3

Justin,

Have you had any luck about this?

I’m having the same problem here…

TIA,

Sandro



#4


I did figure it out.

My explanation is as follows:

Convert your OLD and NEW passwords into some goofy kind of unicode.
Create a two element array (1. delete old password element, 2. Add new
password element) that modifies the unicodePwd attribute (represented as
:unicodePwd). Run an ldap modify on the proper dn for the user passing
it both operations from the array (if you need to know how to get the
user dn let me know but there are lots of examples out there.). If it
succeeds it will update the password!

require 'iconv'   # Ruby 1.8 stdlib; the iconv gem on later rubies

# AD expects unicodePwd as the UTF-16LE encoding of the password wrapped in double quotes.
def self.ct2uni(cleartextpwd)
  quotepwd = '"' + cleartextpwd + '"'
  unicodepwd = Iconv.iconv('UTF-16LE', 'UTF-8', quotepwd).first
  return unicodepwd
end

oldUniPW = ct2uni( opassword )   # opassword / newpass: the user's current and new cleartext passwords
newUniPW = ct2uni( newpass )

# Delete the old value and add the new one in a single modify; AD checks the old value.
ops = [
  [ :delete, :unicodePwd, [oldUniPW] ],
  [ :add, :unicodePwd, [newUniPW] ]
]

# ldap_con: an already-bound Net::LDAP connection; dn: the user's DN; ret and login come from the caller
unless( ldap_con.modify :dn => dn, :operations => ops )
  ret[ :status ] = false
  ret[ :message ] = "bad:!:Error changing password for user #{login}."
  return( ret )
end

Justin


#5

Thanks…

That did the trick.

Actually I used this code:

# Builds the unicodePwd value without Iconv: quote the password, then emit each
# character followed by a NUL byte. This equals UTF-16LE only for ASCII characters;
# non-ASCII passwords need a real encoder.
def microsoft_encode_password(pwd)
  ret = ""
  pwd = "\"" + pwd + "\""
  pwd.length.times{|i| ret+= "#{pwd[i..i]}\000" }
  ret
end

so you don’t need the Iconv dependency.

Thanks again,

Sandro

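Putting Justin's delete-then-add modify and Sandro's encoder together, here is an added example (not code from the thread) that encodes with String#encode so non-ASCII passwords are handled too, and that also shows the administrative reset variant. Host, DNs and credentials are placeholders, and the connection uses LDAPS because Active Directory refuses unicodePwd modifications over an unencrypted connection.

```ruby
# Active Directory stores the password as the UTF-16LE bytes of the password
# wrapped in double quotes. String#encode handles non-ASCII characters, which
# the per-character "\000" trick does not.
def ad_unicode_pwd(cleartext)
  %("#{cleartext}").encode('UTF-16LE').b
end

# User-initiated change: delete the old value and add the new one in a single
# modify. AD verifies the old value, so this works when bound as the user.
def ad_password_change_ops(old_password, new_password)
  [
    [:delete, :unicodePwd, [ad_unicode_pwd(old_password)]],
    [:add,    :unicodePwd, [ad_unicode_pwd(new_password)]]
  ]
end

# Administrative reset: a single replace. It does not need the old password
# but does need the "Reset password" right on the target account.
def ad_password_reset_ops(new_password)
  [[:replace, :unicodePwd, [ad_unicode_pwd(new_password)]]]
end

# Sends the change over LDAPS (AD rejects unicodePwd changes on a plaintext
# connection). All arguments are placeholders supplied by the caller.
def change_ad_password(host:, bind_dn:, bind_password:, user_dn:, old_password:, new_password:)
  require 'net/ldap' # net-ldap gem; required here so the encoders above work without it
  ldap = Net::LDAP.new(
    host: host, port: 636,
    encryption: { method: :simple_tls },
    auth: { method: :simple, username: bind_dn, password: bind_password }
  )
  ok = ldap.modify(dn: user_dn, operations: ad_password_change_ops(old_password, new_password))
  result = ldap.get_operation_result
  # AD puts the reason (e.g. complexity or history failures) in the extended message
  [ok, result.code, result.message]
end
```

Log the returned code and message on failure rather than the passwords themselves; the encoded values are the cleartext in another form.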