1

I am creating a simple python function to change the user password. I have tested my AD set up, able to search the user and get correct response but when try to run l.modify_s, I get the below error. AD user has the required permissions. Not sure why am I getting this error.

Any help will be great. Please let me know if you need any more information or code as well to understand the issue better.

  "errorType": "**UNWILLING_TO_PERFORM**",
  "errorMessage": "{'info': u'0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0\\n', 'msgid': 3, 'msgtype': 103, 'result': 53, 'desc': u'Server is unwilling to perform', 'ctrls': []}"
}```

Please find my code below

``` import ldap
import os
import boto3
import random
import string

from base64 import b64decode

import ldap

def lambda_handler(event, context): 
    try:
        cert = os.path.join('/Users/marsh79/Downloads', 'Serverssl.cer')
        print "My cert is", cert
        # LDAP connection initialization
        l = ldap.initialize('ldap://example.corp.com')
        # Set LDAP protocol version used
        l.protocol_version = ldap.VERSION3
        #Force cert validation
        l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND)
        # Set path name of file containing all trusted CA certificates
        l.set_option(ldap.OPT_X_TLS_CACERTFILE, cert)
        # Force libldap to create a new SSL context (must be last TLS option!)
        l.set_option(ldap.OPT_X_TLS_NEWCTX, 0)

        bind = l.simple_bind_s("admin@corp.example.com", "secret_pass")
 
        base = "OU=Enterprise,OU=Users,OU=corp,DC=corp,DC=example,DC=com"
        criteria = "(objectClass=user)"
        attributes = ['distinguishedName']
        result = l.search_s(base, ldap.SCOPE_SUBTREE, criteria, attributes)
 
        results = [entry for dn, entry in result if isinstance(entry, dict)]
        
        new_password='secretpass_new'
        unicode_pass = unicode('\"' + new_password + '\"', 'iso-8859-1')
        password_value = unicode_pass.encode('utf-16-le')
        add_pass = [(ldap.MOD_REPLACE, 'unicodePwd', [password_value])]
        
        print "My result distinguishedName1:", results[0]['distinguishedName'][0]
        print "My result distinguishedName2:", results[1]['distinguishedName'][0]

        
        l.modify_s(results[0]['distinguishedName'][0],add_pass)
        
        print results
        
    finally:
        l.unbind()

I have checked multiple things

  1. Password complexity is good
  2. Enabled secured ldap on my AD server and tested this using ldp.exe and I can connect using port 636
  3. I am able to run this code if I just need to search the user. I get the search results.
  4. But when I try to modify the password, it breaks and my head is just throwing up to work out where it is going wrong :X
marsh1979
  • 23
  • 4
  • Facing very similar issue described in this thread https://stackoverflow.com/questions/6797955/how-do-i-resolve-will-not-perform-ms-ad-reply-when-trying-to-change-password-i – marsh1979 Jul 21 '20 at 12:49
  • Hi guys, after doing more research, I found out that we can change the password on AD if it is enabled on ldaps as mentioned in the below article https://support.microsoft.com/en-us/help/269190/how-to-change-a-windows-active-directory-and-lds-user-password-through – marsh1979 Jul 22 '20 at 08:29
  • After more research, I found out that we can change the password on AD if it is enabled on ldaps as mentioned in the below article https://support.microsoft.com/en-us/help/269190/how-to-change-a-windows-active-directory-and-lds-user-password-through. Further as mentioned in the below link, do we need to supply the cert file as well on the client end? https://stackoverflow.com/questions/38603236/update-active-directory-password-using-ldap-python. A fairly simple operation without any clear instructions for it's complete set up making it very complicated :( – marsh1979 Jul 22 '20 at 08:35

1 Answers1

0

I'm not a Python programmer, but I know how AD and LDAP works. It's probably still not connected via LDAPS. From examples I've seen online, you might need to specify ldaps://:

l = ldap.initialize('ldaps://<server name>.corp.example.com')

Or possibly the port as well:

l = ldap.initialize('ldaps://<server name>.corp.example.com:636')

You don't need to supply the cert file on the client side, but the issuer of the certificate on the server must be trusted by the client computer. I guess that's what you're trying to do with cert. But you may not have to. Try without that and see what happens. If you're running this on Windows, it may use the Trusted Certificate Store from Windows itself and it should work as long as the server isn't using a self-signed cert.

marsh1979
  • 23
  • 4
Gabriel Luci
  • 38,328
  • 4
  • 55
  • 84
  • Thanks Gaberial for your response. Yes, we need to use ldaps but there are many more steps required. I am able to make it work finally and will post the final answer soon! – marsh1979 Jul 22 '20 at 22:24