Active Directory更改密码成功消息

时间:2017-09-28 11:12:03

标签: perl active-directory ldap

我们正在通过LDAPS连接重置Active Directory用户密码,同时设置了“下次登录时必须更改密码”属性。
当我们登录Windows机器时,我们执行以下步骤:

  1. 使用新密码(密码1)
  2. 登录Windows计算机
  3. 机器提示更改密码
  4. 输入现有密码(密码1)和新密码(密码2)
  5. 此时我们期待的信息是:“Your password has been changed. You will need to use the new password for future logins”。但是,我们收到的却是以下消息:“Unknown user name or bad password”。然而,在后端,系统已经接受了新密码(密码2),因为我们可以使用密码2登录。
    既然系统已接受新密码,我们无法理解为什么还会收到错误信息。我们是否需要设置另一个属性才能显示正确的消息? 我们的代码如下:

    #!/usr/bin/perl -w
    #########################
    #This script resets the password in active user directory 
    #########################
    
    use strict;
    use warnings;
    use DBI;
    use Net::LDAP;
    use Net::LDAPS;
    use Authen::SASL qw(Perl);
    use Net::LDAP::Control::Paged;
    use Time::Local;
    use MIME::Lite;
    
    my $CERTDIR     = "<certpath>";
    my $AD_PASS     = "$CERTDIR/<certfile>";
    my $sAN = $ARGV[0];
    my $uninewpass;
    my $mail;
    my $fullname;
    my $name;
    my $distName;
    my $finalresult;
    
    ### Generate Random Password ###
    my $randompass = askPasswd();
    
    ### Reading Active directory connection credentials ###
    my @AD_passwords = get_domain_pass();
    
    ###Reset password###
    my $result = reset_AD_Password();
    
    
    ###SUB FUNCTIONS###
    
    #Reset AD user password
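    sub reset_AD_Password {
        # Resets the password of the account named by the file-level $sAN to
        # $randompass and forces a change at next logon.  Reads the file-level
        # @AD_passwords (host, base DN, bind cn, bind password) and writes the
        # UTF-16LE password into the file-level $uninewpass.
        # Returns "pass" on success.  Every LDAP failure prints the server's
        # error and exits with a distinct status (3 bind, 4 search, 5 password
        # modify, 6 pwdLastSet modify); a search that does not match exactly
        # one entry dies with 2.
        my $result = "fail";

        # NOTE(review): no verify => 'require' / cafile is passed, so Net::LDAPS
        # does not validate the server certificate by default; the bind
        # credentials and the new password are sent to whichever host answers
        # for this name.  Confirm against the deployment's CA bundle.
        my $ad = Net::LDAPS->new($AD_passwords[0])
            or die "Cannot connect to $AD_passwords[0]: $@";

        my $bind_msg = $ad->bind(
            dn       => "cn=$AD_passwords[2],$AD_passwords[1]",
            password => $AD_passwords[3],
            version  => 3,
        );
        _exit_with_ldap_error($bind_msg, 3) if $bind_msg->code;

        # $sAN comes from the command line; escape the RFC 4515 filter
        # metacharacters so a crafted argument cannot widen the search
        # (Net::LDAP::Util::escape_filter_value does the same job).
        (my $safe_san = $sAN) =~ s/([\\*()\x00])/sprintf('\\%02x', ord $1)/ge;

        my @wanted_attrs = qw(sAMAccountName displayName distinguishedName mail);
        my $search = $ad->search(
            base   => $AD_passwords[1],
            filter => "(&(objectCategory=person)(sAMAccountName=$safe_san))",
            attrs  => \@wanted_attrs,
        );

        # Report a failed search before looking at its (then empty) result
        # set; checking count() first would hide the server's error message.
        _exit_with_ldap_error($search, 4) if $search->code;

        # Exactly one account must match: never reset on an ambiguous hit.
        die 2 if $search->count() != 1;

        # DN of the account whose password is being reset.
        my $target_dn = $search->entry(0)->dn;

        # AD expects unicodePwd as the password wrapped in double quotes and
        # encoded as UTF-16LE; the generated password is ASCII, so each
        # character followed by a NUL byte is that encoding.
        $uninewpass = join '', map { "$_\000" } split //, "\"$randompass\"";

        # Set the new password.  The encoded value is deliberately not printed.
        my $modify = $ad->modify($target_dn, replace => { unicodePwd => $uninewpass });
        _exit_with_ldap_error($modify, 5) if $modify->code;

        # pwdLastSet = 0 makes AD require a password change at next logon.
        $modify = $ad->modify($target_dn, replace => { pwdLastSet => 0 });
        _exit_with_ldap_error($modify, 6) if $modify->code;

        $ad->unbind;

        $result = "pass";
        return $result;
    }

    # Print the error text and result code of a Net::LDAP message in the
    # script's usual format, then exit with $status.
    sub _exit_with_ldap_error {
        my ($ldap_msg, $status) = @_;
        print "Error msg:" . $ldap_msg->error() . "\n";
        print "Error code:" . $ldap_msg->code() . "\n";
        exit $status;
    }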
    
    ###Generate password###
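    sub askPasswd {
        # Generates the one-time password, prints it for the operator and
        # returns it.  Pattern "CCccn!cnC" uses String::Random's classes:
        # C = upper-case letter, c = lower-case letter, n = digit,
        # ! = punctuation -- nine characters in a fixed class order.
        use String::Random;

        # NOTE(review): String::Random appears to draw from Perl's rand(),
        # which is not a cryptographically secure source, and the fixed
        # class pattern narrows the keyspace further.  Confirm this meets the
        # site's policy for a password that is valid until the next logon.
        my $generator    = String::Random->new;
        my $new_password = $generator->randpattern("CCccn!cnC");

        print "Your random password is: ", $new_password, "\n";

        return $new_password;
    }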
    
    ###Read Credentials File###
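    sub get_domain_pass {
        # Reads the first line of the file-level $AD_PASS and splits it on ':'
        # into the fields the caller indexes as [0] host, [1] base DN,
        # [2] bind cn, [3] bind password.  Dies if the file cannot be opened
        # or is empty.
        # NOTE(review): a ':' inside the bind password would be split as well;
        # confirm the file format before relying on field 3.
        open(my $fh, '<:encoding(UTF-8)', $AD_PASS)
            or die "Could not open file $AD_PASS: $!";
        my $row = <$fh>;
        close $fh;
        die "Credentials file $AD_PASS is empty\n" unless defined $row;
        chomp $row;

        # The row carries the bind password, so it is no longer echoed to
        # stdout (where it would end up in terminal scrollback or logs).
        my @fields = split /:/, $row;
        return @fields;
    }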
    

1 个答案:

答案 0 :(得分:0)

终于找到了问题的根本原因。我们的网络中有多个AD服务器,而我们只在其中一台AD服务器上更新了密码;AD服务器之间的同步在我们的网络中需要一些时间。用户登录时由另一台AD服务器进行验证,此时同步尚未完成,因此出现了这个问题。我们现在已经修改了代码,根据用于对用户进行身份验证的AD服务器来更新正确的AD服务器。