
How do I reset my LDAP password from Perl?

My company, like everyone else's, requires password resets from time to time. This is all good and well for security's sake, but I'd like to explore the challenge of resetting it through a script (notably because we can't use our previous 25 passwords; Perl is much quicker about cycling through a list two-dozen deep than my fingers are).

I'm trying to use Perl and Win32::OLE's LDAP connectors to reset my password. I've followed a couple of examples online, and have, briefly:

use strict;
use Win32::OLE;

my $dn        = 'cn=name,dc=corp,dc=com';
my $ldap      = Win32::OLE->GetObject('LDAP:');
my $ldap_user = $ldap->OpenDSObject('LDAP://' . $dn,'username','password',1);

$ldap_user->SetPassword('mySw337NewPassword');

And all I get for my troubles is:

Win32::OLE(0.1707) error 0x80070005: "Access is denied"
     in METHOD/PROPERTYGET "SetPassword" at pw.change.pl line 8

Is this something that can be worked around? I've located the Net::LDAP::Extension::SetPassword module, but no dice there.

Thanks!

Update for Leon (Max, you're next):

You're correct, I should have specified better. I tried Win32::OLE, failed, then separately tried Net::LDAP::Extension::SetPassword and failed even harder.

As for my server: I'm not certain, I'm not the LDAP guy :) By running ->root_dse->get_value('supportedExtension') I can see that the setPassword OID is not set, so maybe it's just not meant to be.

Final props to barneytron!

Final solution:

use strict;
use Win32::OLE;

my $orig_password   = 'password123Test';
my $target_password = 'password321Test';

my $dn        = 'cn=myname,dc=corp,dc=com';
my $ldap      = Win32::OLE->GetObject('LDAP:');
my $ldap_user = $ldap->OpenDSObject('LDAP://'.$dn,'myname',$orig_password,1);

my $tmp_password = '';
for ( my $i = 0; $i < 30; ++$i )
{
    $tmp_password = 'password' . $i . 'ABC';    
    print 'Changing to ' . $tmp_password . "\n";

    $ldap_user->ChangePassword($orig_password,$tmp_password);
    $orig_password = $tmp_password;

    sleep 1;
}

$ldap_user->ChangePassword($tmp_password,$target_password);
kyle asked Mar 01 '23 01:03


1 Answer

When you said you were trying to "reset" your password, I think you really meant change password rather than set password. There is a difference between the two. "SetPassword" requires god/admin privilege since you are setting a user's password to a new value regardless of whether the old password is known, while "ChangePassword" requires the user to actually know the old password. I'm assuming your account does not have admin privilege, else you would not have gotten 0x80070005: "Access is denied".

So instead of:

$ldap_user->SetPassword('mySw337NewPassword');

try this:

$ldap_user->ChangePassword('password', 'mySw337NewPassword');

By the way, I've never done this stuff in Perl, so I'm just guessing. Hope this helps you out.

barneytron answered Mar 11 '23 18:03
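
The change/reset distinction in the answer above is also visible in the Windows Security log, where a password change attempt is event 4723 and a reset attempt is event 4724. As an added example (not part of the original question or answer), this Python code flags accounts that make many self-service changes in a short window, the pattern the final script in the question produces; the record layout, account names, threshold and window are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security event IDs: 4723 = password change attempt,
# 4724 = password reset attempt (administrative, old password not needed).
CHANGE, RESET = 4723, 4724

# Constructed sample records: (timestamp, event id, target account, caller).
# "myname" makes 31 changes one second apart, like the loop in the question.
_BASE = datetime(2023, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    [((_BASE + timedelta(seconds=i)).isoformat(), CHANGE, "myname", "myname")
     for i in range(31)]
    + [
        ("2023-03-01T08:00:00", CHANGE, "alice", "alice"),
        ("2023-03-01T08:30:00", RESET, "bob", "helpdesk"),
        ("2023-03-01T08:31:00", CHANGE, "bob", "bob"),
        ("2023-03-02T08:31:00", CHANGE, "bob", "bob"),
    ]
)


def find_history_cycling(events, threshold=5, window=timedelta(minutes=10)):
    """Return {account: most changes seen inside one window} for accounts
    with at least `threshold` self-service changes within `window`."""
    per_account = defaultdict(list)
    for ts, event_id, target, caller in events:
        # Only count changes a user makes to their own account; resets
        # (4724) are an administrative action and are handled separately.
        if event_id == CHANGE and target == caller:
            per_account[target].append(datetime.fromisoformat(ts))

    flagged = {}
    for account, times in per_account.items():
        times.sort()
        start = best = 0
        for end in range(len(times)):
            # Slide the left edge until the span fits inside the window.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[account] = best
    return flagged


if __name__ == "__main__":
    for account, count in find_history_cycling(SAMPLE_EVENTS).items():
        print(f"{account}: {count} password changes within 10 minutes")
```

A nonzero minimum password age in the domain password policy blocks this kind of rapid cycling; the check above is for domains where that setting is 0.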