[Samba] Using ldap to check last password modification date

Thu May 7 02:06:03 MDT 2015

On 06/05/15 15:59, 술욱 wrote:
> Thanks Rowland. That makes sense :-)
>
> BTW, Is the following code enough to change the password with python-ldap?
>
> con.sasl_interactive_bind_s("", sasl_auth)
> mod_attrs = [
>      (ldap.MOD_REPLACE, 'unicodePwd', new_password),
>      (ldap.MOD_REPLACE, 'unicodePwd', new_password)
> ]
> con.modify_s('CN=%s,CN=Users,DC=lxc,DC=com % username, mod_attrs)
>
>
> Thanks!
>
> Regards,
> Norberto
>
>
>
> 2015-05-06 4:32 GMT-03:00 Rowland Penny <rowlandpenny at googlemail.com>:
>> On 05/05/15 20:31, 술욱 wrote:
>>> Hello,
>>>
>>> For a portal I'm working on, I need to know if changing the unicodePwd
>>> attr with LDAP also updates pwdLastSet (so the account doesn't get
>>> locked). It seems the answer is yes, but the value I get from
>>> pwdLastSet is somewhat weird:
>>>
>>> pwdLastSet: 130753269490000000
>>>
>>> That is Wed, 08 Jun 2011 11:31:34 GMT
>>>
>>> Why? Is that epoch or something else? Is there anything else I need to
>>> update when I change the user password using ldap?
>>>
>>> Thanks!
>>>
>>> Regards,
>>> Norberto
>>
>> Not weird, wrong epoch :-)
>>
>> With windows epoch: Tue, 05 May 2015 19:15:49
>> with windows epoch: Wed, 08 Jun 2011 11:31:34
>>
>> Windows uses an epoch staring at Jan 1, 1601
>>
>> Rowland
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

I have said this before, but I will say it again, to me python is a very 
big snake :-D

Or in other words, I have no idea, what I do know is that you either 
need to do the password change on the DC acting directly on sam.ldb, or 
you need to do it over ssl from another machine.

The password needs to be a unicode password, if you were using bash, you 
would do this to get the password:

echo -n "\"${PASSWORD}\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0

Rowland