Re^2: It does not change password in LDAP Windows 2012 R2

by francism8 (Novice)
on Feb 23, 2017 at 06:03 UTC [id://1182590]


in reply to Re: It does not change password in LDAP Windows 2012 R2
in thread Resolved: It does not change password in LDAP Windows 2012 R2

Dear Marshall,

Thanks for bringing this to my attention. After scratching my head over what the issue was, I read a forum post in the PHP community, who also use LDAP in their code, and they mentioned that it has to be a secure connection in order to change the attribute in LDAP.

This attribute is written by an LDAP Modify under the following restricted conditions. Windows 2000 operating system servers require that the client have a 128-bit (or better) SSL/TLS-encrypted connection to the DC in order to modify this attribute. On Windows Server 2003 operating system, Windows Server 2008 operating system, Windows Server 2008 R2 operating system, Windows Server 2012 operating system, Windows Server 2012 R2 operating system, and Windows Server 2016 Technical Preview operating system, the DC also permits modification of the unicodePwd attribute on a connection protected by 128-bit (or better) Simple Authentication and Security Layer (SASL)-layer encryption instead of SSL/TLS. In Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server 2016 Technical Preview, if the fAllowPasswordOperationsOverNonSecureConnection heuristic of the dSHeuristics attribute (section 6.1.1.2.4.1.2) is true and Active Directory is operating as AD LDS, then the DC permits modification of the unicodePwd attribute over a connection that is neither SSL/TLS-encrypted nor SASL-encrypted. The unicodePwd attribute is never returned by an LDAP search.

And so, after reconfiguring Windows 2012 to enable the "Active Directory Certificate Services" feature, TADA.. it works...

And so I use this code:

    use Net::LDAP;

    # connect over LDAPS (TCP 636) so the DC accepts the unicodePwd modify
    my $ad = Net::LDAP->new($adsvr, version => 3, scheme => 'ldaps', port => 636)
        or die "can't connect to $adsvr: $@";
    # bind as an account allowed to reset the password (bind credentials not shown in the post)
    my $mesg = $ad->bind($binddn, password => $bindpw);
    die "bind failed: ", $mesg->error if $mesg->code;
    # $unicodePwd holds the new password in double quotes, encoded as UTF-16LE
    $result = $ad->modify($dn, replace => { unicodePwd => $unicodePwd });
    die "modify failed: ", $result->error if $result->code;

Hope this can help someone in future. We can mark this as resolved and it can be closed :D.
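As an added example (not code from the original post), here is the complete client side of the fix described above: a Perl script using Net::LDAP that connects to the DC over LDAPS with certificate verification, does an authenticated bind, encodes the new password the way AD requires for unicodePwd, and checks the result of the modify. The DC hostname is the one used elsewhere in this thread; the CA file path, bind account, target DN and new password are assumed placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Assumed values for illustration; replace with your own.
my $adsvr   = 'win2012r2t3.dev.fsmendoza.com';                                   # DC name from this thread
my $cafile  = '/etc/ssl/certs/dc-ca.pem';                                        # PEM of the CA (or self-signed DC cert) the client trusts
my $bind_dn = 'CN=svc-pwreset,OU=Service Accounts,DC=dev,DC=fsmendoza,DC=com';   # hypothetical account with "Reset password" right
my $bind_pw = $ENV{AD_BIND_PW} // die "set AD_BIND_PW in the environment\n";
my $user_dn = 'CN=Jane Doe,OU=Users,DC=dev,DC=fsmendoza,DC=com';                 # hypothetical user being reset
my $new_pw  = 'Correct-Horse-Battery-Staple-42';                                 # constructed sample password

# Build the value AD expects in unicodePwd: the password wrapped in double quotes,
# encoded as UTF-16LE. Kept as a function so it can be reused for the old/new pair below.
sub ad_pwd_value {
    my ($plain) = @_;
    return encode('UTF-16LE', qq{"$plain"});
}

# 1. LDAPS on 636. verify => 'require' makes Net::LDAP reject a DC whose certificate
#    does not chain to $cafile, so the password never goes to an impostor.
my $ad = Net::LDAP->new($adsvr,
    scheme  => 'ldaps',
    port    => 636,
    version => 3,
    verify  => 'require',
    cafile  => $cafile,
) or die "can't connect to $adsvr: $@";

# 2. Simple bind. Plaintext credentials are only acceptable because the channel is TLS.
my $mesg = $ad->bind($bind_dn, password => $bind_pw);
die "bind failed: ", $mesg->error, "\n" if $mesg->code;

# 3. Administrative reset: a single 'replace' of unicodePwd, as in the post above.
#    (A user changing their own password instead sends delete => old, add => new
#    in one modify; AD then enforces the old password and the password policy.)
$mesg = $ad->modify($user_dn, replace => { unicodePwd => ad_pwd_value($new_pw) });
if ($mesg->code != LDAP_SUCCESS) {
    die sprintf "password change failed (code %d): %s\n", $mesg->code, $mesg->error;
}

printf "password for %s changed over %s\n", $user_dn, $ad->cipher // 'unknown cipher';
$ad->unbind;
```

If the modify fails with a "unwillingToPerform" (53) result even over LDAPS, the usual causes are a password that violates the domain policy or a bind account without the reset right on that object; the encoding helper above is the other thing to double-check, since a value that is not quoted UTF-16LE is rejected with the same code.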

Re^3: It does not change password in LDAP Windows 2012 R2
by fsmendoza (Novice) on Feb 24, 2017 at 08:36 UTC

    Dear Francism08,

    There's another way to do this: instead of installing the "Active Directory Certificate Services" feature, you can just import an SSL certificate into "Trusted Root Certification Authorities". Below are the steps to create a self-signed certificate on your Windows 2012 R2 AD server, in PowerShell running as Administrator, without the need to enable the AD CS feature.

    Step 1: New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname win2012r2t3.dev.fsmendoza.com

    Step 2: $pwd = ConvertTo-SecureString -String 'P@ssw0rd' -Force -AsPlainText

    Step 3: Export-PfxCertificate -cert cert:\localMachine\my\E72FD6F54234EDC717420F4C9FF8DBD68093D85F -FilePath c:\tmp\cert.pfx -Password $pwd

    Note: E72FD6F54234EDC717420F4C9FF8DBD68093D85F is the number that will show in Step 1.

    Step 4: double-click the cert.pfx that was created in c:\tmp and install it in "Trusted Root Certification Authorities", and done.

    This one requires a reboot of the server to apply.
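As an added check (not part of either post), a Perl script using IO::Socket::SSL that connects to the DC on port 636 after the steps above and reports which certificate the DC is actually serving, verified against the public half of the self-signed certificate from Step 1. The hostname is the one from Step 1; the PEM path is assumed. The steps above export a PFX that contains the private key, which must stay on the server; the client only needs the public certificate exported separately as PEM, which the steps do not show.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::SSL;   # exports SSL_VERIFY_PEER and $SSL_ERROR by default

# Hostname from Step 1 above; the PEM path is an assumption.
# $ca_pem holds only the public certificate, never the PFX with the private key.
my $dc     = 'win2012r2t3.dev.fsmendoza.com';
my $ca_pem = '/etc/ssl/certs/win2012r2t3.pem';

# Connect to 636, require a chain to $ca_file plus a hostname match, and return
# details of the certificate the DC presented. A self-signed certificate verifies
# here because the file names it directly as the trust anchor.
sub check_ldaps_cert {
    my ($host, $ca_file) = @_;
    my $sock = IO::Socket::SSL->new(
        PeerHost            => $host,
        PeerPort            => 636,
        Timeout             => 10,
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_ca_file         => $ca_file,
        SSL_verifycn_name   => $host,
        SSL_verifycn_scheme => 'ldap',   # RFC 4513 name-matching rules
    ) or return { ok => 0, error => "TLS connect/verify to $host:636 failed: $SSL_ERROR" };

    my %info = (
        ok          => 1,
        subject     => $sock->peer_certificate('subject'),
        issuer      => $sock->peer_certificate('issuer'),     # equals subject for a self-signed cert
        fingerprint => $sock->get_fingerprint('sha256'),      # "sha256$<hex>", usable for pinning
        protocol    => $sock->get_sslversion,
        cipher      => $sock->get_cipher,
    );
    $sock->close(SSL_ctx_free => 1);
    return \%info;
}

my $r = check_ldaps_cert($dc, $ca_pem);
die $r->{error}, "\n" unless $r->{ok};
printf "%-12s %s\n", "$_:", $r->{$_} for qw(subject issuer fingerprint protocol cipher);
```

Run it after the reboot: Schannel picks the server certificate from the machine store on its own, so a failure here means the DC is serving a different certificate than the one you expect, and the printed SHA-256 fingerprint is what to compare against the thumbprint shown in Step 1 before any client starts sending passwords over that connection.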

Re^3: It does not change password in LDAP Windows 2012 R2
by fsmendoza (Novice) on Feb 23, 2017 at 08:35 UTC
    Thanks
