Ldap – Disabling a user’s ability to change password on Active Directory

active-directoryldappasswordpython

We run a multi-directory environment (AD and OpenLDAP) and perform password synchronization via an internal webapp. This works well because we've disabled users from changing their own password via OpenLDAP and AD could only be accessed by the few services that require AD.

However, we are now looking into allowing PC's to attach to the AD domain. Initially, I believed that disabling password change for users would be as simple as changing the initial userAccountControl LDAP attribute we assign during account provisioning. This proved to not be as simple as I assumed.

We currently use Python and python-ldap for account provisioning (code below), Per Microsoft docs, we set userAccountControl to 66048 (Normal account and don't expire password). I tried changing it to 66112 (66048 + Disable user password change) but AD did not retain that value and instead, recorded it as 66048.

Has anyone done something like this before? I'd prefer to accomplish it either by using Python or a set-it-and-forget-it setting on AD.

FYI: This is how the account provisioning Python code looks like right now:

import ldap

l = ldap.initialize(server)
l .simple_bind_s(admin_cn, admin_pass)

attributes = [
    ('displayName', login),
    ('sAMAccountName', login),
    ('cn', login),
    ('givenName', fn),
    ('sn', ln),
    ('name', full_name),
    ('userPrincipalName', '%s@example.com' % login),
    ('objectClass', ['person', 'top', 'organizationalPerson', 'user']),
    ('userAccountControl', '66048'), # <--- Line I thought I could change but not working as expected
    ('unicodePwd', encoded_password)
]

l.add_s(
    'cn=%s,ou=users,dc=example,dc=com' % login,
    attributes,
)

Best Answer

I am not a Windows admin, but isn't this exactly the sort of thing that a Group Policy is for? A brief Google search yields http://support.microsoft.com/kb/324744, which seems to do almost exactly what you want. This would be the "set-it-and-forget-it" model.

Also, this vbscripts purports to do what you want.

Related Solutions

What commands will change Open Directory passwords

The handiest answer I've come across is to use the passwd command in conjunction with dscl. Here is the output from an interactive session (with the passwords replaced by asterices):

$ dscl -u diradmin -p ces 
Password: 
 > cd /LDAPv3/127.0.0.1/
/LDAPv3/127.0.0.1 > auth diradmin *****
/LDAPv3/127.0.0.1 > passwd Users/Atwo807 *****
/LDAPv3/127.0.0.1 > passwd Users/Atwo249 *****
/LDAPv3/127.0.0.1 > passwd Users/doesnotexist foobar
passwd: Invalid Path
<dscl_cmd> DS Error: -14009 (eDSUnknownNodeName)
/LDAPv3/127.0.0.1 > exit
Goodbye

Here is a python script to make the changes. You will need the pexpect module (sudo easy_install pexpect should get it for you; I don't think you need the dev tools installed).

#!/usr/bin/env python

import pexpect

def ChangePasswords(host, path, diradmin, diradmin_password, user_passwords, record_type='Users'):
    """Changes passwords in a Open Directory or similar directory service.

    host = the dns name or IP of the computer hosting the directory
    path = the pathname to the directory (ex. '/LDAPv3/127.0.0.1')
    diradmin = the directory administrator's shortname (ex. 'diradmin')
    diradmin_password = the directory administrator's password
    user_passwords = a dictionary mapping record names (typically, user's short
                     names) onto their new password
    record_type = the sort of records you are updating.  Typically 'Users'

    Returns a tuple.  The first entry is a list of all records (users) who
        failed to update.  The second entry is a list of all records (users)
        who successfully updated.
    """

    failed_list = []
    succeeded_list = []
    prompt = " > "

    child = pexpect.spawn("dscl -u %s -p %s" % (diradmin, host))

    if not (ReplyOnGoodResult(child, "Password:", diradmin_password) and
       ReplyOnGoodResult(child, prompt, "cd %s" % path) and
       ReplyOnGoodResult(child, prompt,
                        "auth %s %s"  % (diradmin, diradmin_password)) and
       ReplyOnGoodResult(child, prompt, None)):
        print "Failed to log in and authenticate"
        failed_list = user_passwords.keys()
        return (failed_list, succeeded_list)

    # We are now logged in, and have a prompt waiting for us
    expected_list = [ pexpect.EOF, pexpect.TIMEOUT,
                     '(?i)error', 'Invalid Path', prompt ]
    desired_index = len(expected_list) - 1
    for record_name in user_passwords:        
        #print "Updating password for %s" % record_name,

        child.sendline("passwd %s/%s %s" % (record_type, record_name,
                                            user_passwords[record_name]))
        if child.expect(expected_list) == desired_index:
            #print ": Succeeded"
            succeeded_list.append(record_name)
        else:
            #print ": Failed"
            failed_list.append(record_name)
            child.expect(prompt)

    child.sendline("exit")
    child.expect(pexpect.EOF)

    return (failed_list, succeeded_list)


def ReplyOnGoodResult(child, desired, reply):
    """Helps analyze the results as we try to set passwords.

    child = a pexpect child process
    desired = The value we hope to see 
    reply = text to send if we get the desired result (or None for no reply)
    If we do get the desired result, we send the reply and return true.
    If not, we return false."""

    expectations = [ pexpect.EOF, pexpect.TIMEOUT, '(?i)error', desired ]
    desired_index = len(expectations) - 1

    index = child.expect(expectations)
    if index == desired_index:
        if reply:
            child.sendline(reply)
        return True
    else:
        return False

You can use it as follows:

# This example assumes that you have named the script given above 'pwchange.py'
# and that it is in the current working directory
import pwchange 

(failed, succeeded) = pwchange.ChangePasswords("ces", "/LDAPv3/127.0.0.1", 
     "diradmin", "******", 
     { 'Atwo807' : '*****', 'Atwo249' : '*****', 
       'Nonexist' : 'foobar', 'Bad' : 'bad' })

print failed, succeeded
['Bad', 'Nonexist'] ['Atwo249', 'Atwo807']

LDAP – How to Force User to Change Password

I found a solution: In the users LDAP entry, setShadowLastChange = 0 This will force the user to have to reset their LDAP password. However, there is also another bug, you then have to modify the permissions (ACL's) on the LDAP server (I had the default one of Allow Self entry modification on OU=People) to also allow them to modify the target ShadownLastChange.

Otherwise, they can't change the value, and it stays at zero, forcing them to redo their password every time they login.

Best Answer

Related Solutions

What commands will change Open Directory passwords

LDAP – How to Force User to Change Password

Related Topic