Changing an Active Directory password via ldapmodify

Question

I'm investigating the scripting of various LDAP operations. However, I've hit a bit of a speed bump with Active Directory user creation.

The following LDIF fails when I load it in via the ldapmodify command:

dn: CN=Frank,CN=Users,DC=domain,dc=local
changeType: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Frank
userPrincipalName: frank@domain.local
sAMAccountName: frank
givenName: Frank
sn: Stein
displayName: Frank Stein
description: Frankenstein's User
userAccountControl: 512
unicodePwd: "AnExamplePassword1!"

When attempting to add the user via LDIF, I used the following command:

ldapmodify -H 'ldaps://<ip-of-server>:636' -D 'DOMAINAdministrator' -x -W -f frank-add.ldif

This fails with the following error:

ldap_add: Server is unwilling to perform (53)
        additional info: 0000001F: SvcErr: DSID-031A120C, problem 5003 (WILL_NOT_PERFORM), data 0

This is a problem with the password policy denying the user.

However, the following Python script works:

#!/usr/bin/python

import ldap
import ldap.modlist as modlist

AD_LDAP_URL='ldaps://<ip-of-server>:636'
ADMIN_USER='DOMAINAdministrator'
# User must be authorized to create accounts, naturally.
ADMIN_PASSWORD='password for ADMIN_USER'
BASE_DN='dc=domain,dc=local'

username='frank'
firstname='Frank'
surname='Stein'
displayName = "Frank Stein"

password='AnExamplePassword1!'
# The value of password still needs to adhere to the domain's password policy.
unicode_pass = unicode('"' + password + '"', 'iso-8859-1')
password_value = unicode_pass.encode('utf-16-le')

l = ldap.initialize(AD_LDAP_URL)
l.simple_bind_s(ADMIN_USER, ADMIN_PASSWORD)

dn=str('CN=%s,CN=Users,DC=domain,dc=local' % firstname)

attrs = {}

attrs['objectclass'] = ['top','person','organizationalPerson','user']
attrs['cn'] = str(username)
attrs['sAMAccountname'] = str(username)
attrs['unicodePwd'] = str(password_value)
attrs['givenName'] = str(firstname)
attrs['sn'] = str(surname)
attrs['displayName'] = str(displayName)
attrs['description'] = str("Frankenstein's User")
attrs['userPrincipalName'] = str("%s@domain.local" % username)
attrs['userAccountControl'] = str(512)

ldif = modlist.addModlist(attrs)
l.add_s(dn,ldif)

Using the Python script, I am immediately able to sign in using the user's password (minus the quotes that were escaped out). I can still trigger the same "Unwilling to Perform" error by picking a password like 'password' that is too simple. However, in this case the password being used is the same.

So far as I can see, the operations should be identical. The difference that breaks the LDIF file is the way that I deal with the quotes that I need to enclose the password in. Creation via LDIF succeeds if I make a disabled account by setting the value of userAccountControl to 544 and not including a password. However, this means that I would need to manually go and reset the user's password.

So far, I've tried the following password formats via LDIF:

  • No quotes.
  • Single quotes.
  • Quotes escaped via
  • Quotes escaped via ASCII: {22}
  • Base64-encoding the password using Python (with and without quotes, with the LDIF format changed to unicodePwd::)
While I'm happy that I have a working method of adding users via the Python, I'm still a bit confused about how to properly escape out password values when using LDIF files and ldapmodify. Is there an alternate method that I'm not considering?

Recommended answer

Why not use ldifde and unicode base64 encode the password as described here: http://support.microsoft.com/kb/263991

Your Python script seems to be encoding the password as Unicode / base64. Perhaps your password needs to be encoded in your LDIF file (with the quotes when encoding) rather than plain text as you are doing in your example.

For example:

unicodePwd:: IgBBAG4ARQB4AGEAbQBwAGwAZQBQAGEAcwBzAHcAbwByAGQAMQAhACIA

For the example password you provided.
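
The encoding this answer describes, as an added example that is not part of the original question or answer: Python 3 code that builds the unicodePwd:: line from a password and checks a candidate LDIF line against the formats the question tried. The function names are illustrative, and the sample lines are constructed from the page's example password.

```python
import base64

QUOTE_UTF16 = '"'.encode("utf-16-le")  # the two bytes b'"\x00'


def encode_unicode_pwd(password: str) -> bytes:
    """Quoted password as UTF-16LE, the same bytes the question's script builds."""
    return ('"' + password + '"').encode("utf-16-le")


def ldif_unicode_pwd_line(password: str) -> str:
    """LDIF line for the value; the double colon marks it as base64."""
    b64 = base64.b64encode(encode_unicode_pwd(password)).decode("ascii")
    return "unicodePwd:: " + b64


def diagnose(ldif_line: str) -> str:
    """Say whether a unicodePwd LDIF line carries quoted UTF-16LE bytes."""
    name, sep, value = ldif_line.partition("::")
    if not sep or name.strip().lower() != "unicodepwd":
        return "plain text: use 'unicodePwd::' with a base64 value"
    try:
        raw = base64.b64decode(value.strip(), validate=True)
    except ValueError:
        return "invalid base64"
    if (len(raw) >= 4 and len(raw) % 2 == 0
            and raw.startswith(QUOTE_UTF16) and raw.endswith(QUOTE_UTF16)):
        return "ok"
    if raw.startswith(b'"') and raw.endswith(b'"'):
        return "quoted, but not UTF-16LE"
    return "not quoted (or not UTF-16LE)"


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    pw = "AnExamplePassword1!"  # example password from the question
    candidates = [  # constructed sample lines, one per format tried
        'unicodePwd: "%s"' % pw,                              # plain text, quoted
        "unicodePwd:: " + b64(('"%s"' % pw).encode("utf-8")), # base64 of UTF-8
        "unicodePwd:: " + b64(pw.encode("utf-16-le")),        # UTF-16LE, no quotes
        ldif_unicode_pwd_line(pw),                            # quoted UTF-16LE
    ]
    for line in candidates:
        print(diagnose(line), "<-", line)
```
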
