How do I reset my LDAP password from Perl?

Question

Hi all,

My company, like everyone else's, requires password resets from time to time. This is all good and well for security's sake, but I'd like to explore the challenge of resetting it through a script (notably because we can't use our previous 25 passwords; Perl is much quicker about cycling through a list two-dozen deep than my fingers are).

I'm trying to use Perl and Win32::OLE's LDAP connectors to reset my password. I've followed a couple of examples online, and have, briefly:

use strict;
use Win32::OLE;

my $dn        = 'cn=name,dc=corp,dc=com';
my $ldap      = Win32::OLE->GetObject('LDAP:');
my $ldap_user = $ldap->OpenDSObject('LDAP://' . $dn,'username','password',1);

$ldap_user->SetPassword('mySw337NewPassword');

And all I get for my troubles is:

Win32::OLE(0.1707) error 0x80070005: "Access is denied"
     in METHOD/PROPERTYGET "SetPassword" at pw.change.pl line 8

Is this something that can be worked around? I've located the Net::LDAP::Extension::SetPassword module, but no dice there.

Thanks!

Update for Leon (Max, you're next):

You're correct, I should have specified better. I tried Win32::OLE, failed, then separately tried Net::LDAP::Extension::SetPassword and failed even harder.

As for my server: I'm not certain, I'm not the LDAP guy :) By running ->root_dse->get_value('supportedExtension') I can see that the setPassword OID is not set, so maybe it's just not meant to be.

Final props to barneyton!

Final solution:

use strict;
use Win32::OLE;

my $orig_password   = 'password123Test';
my $target_password = 'password321Test';

my $dn        = 'cn=myname,dc=corp,dc=com';
my $ldap      = Win32::OLE->GetObject('LDAP:');
my $ldap_user = $ldap->OpenDSObject('LDAP://'.$dn,'myname',$orig_password,1);

my $tmp_password = '';
for ( my $i = 0; $i < 30; ++$i )
{
    $tmp_password = 'password' . $i . 'ABC';    
    print 'Changing to ' . $tmp_password . "\n";

    $ldap_user->ChangePassword($orig_password,$tmp_password);
    $orig_password = $tmp_password;

    sleep 1;
}

$ldap_user->ChangePassword($tmp_password,$target_password);

Answer 1

Net::LDAP::Extension::SetPassword doesn't have anything to do with any OLE LDAP object. Either you use Net::LDAP, or you use Win32::OLE->GetObject('LDAP:').

You didn't mention what server you're using. Setting passwords requires an extension to LDAP, so that is relevant.

Answer 2

You could try to write the value to userPassword which would be a password reset, and you might not have rights to do that.

Otherwise you could try in one operation (LDIF would show it as separated by a single dash on a line) remove the value of the old password and then add the value of the new password. That would be a password change event.

Answer 3

When you said you were trying to "reset" your password, I think you really meant change password rather than set password. There is a difference between the two. "SetPassword" requires god/admin privilege since you are setting a user's password to a new value regardless of whether the old password is known, while "ChangePassword" requires the user to actually know the old password. I'm assuming your account does not have admin privilege, else you would not have gotten 0x80070005: "Access is denied"

So instead of:

$ldap_user->SetPassword('mySw337NewPassword');

try this:

$ldap_user->ChangePassword('password', 'mySw337NewPassword');

By the way, I've never done this stuff in perl, so I'm just guessing. Hope this helps you out.

Answer 4

Another thing to keep in mind is Active Directory does not let you set passwords unless you bind to port 636 using LDAPS.