On Mon, 2017-07-10 at 16:39 -0300, Alberto Viana wrote:
William,

Yes, there's a flag on AD that forces users to reset their passwords, and
we're using it... that is the same flag that is set when an account has
been expired (forcing the user to reset his password).

I don't think that is the problem: my replication user has FULL permission
in the whole tree, and like I said before, I made a script in Perl to change
the password directly in AD using the exact same user that I use for
replication, and it works, so I've been able to change the user password
through this script even if this flag is set on the AD side.

Here's a snippet of it:
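
    # Bind as the replication account (the password here is a placeholder).
    $mesgad = $ldapad->bind("CN=389 Sync Account,OU=APPS,DC=my,DC=domain",
                            password => "MY_USER_PASS",
                            version  => 3 );

    if ($mail =~ /my_user_test/) {
        # print, not printf: the interpolated values are data, not a format.
        print "$dnad -- $mail -- $san\n";
        # Replace unicodePwd on the user's AD entry.
        $mesgad = $ldapad->modify( $dnad,
                                   replace => {
                                       unicodePwd => $newUniPW,
                                   } );
    }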

So, basically it does an LDAP operation to replace the user password (I
think that is the same behavior as the 389 plugin, am I right?)

I would assume so - but I have not worked on the AD sync code myself. I
was hoping only to eliminate a trivial case. :(
--
Sincerely,
William Brown
Software Engineer
Red Hat, Australia/Brisbane
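
The snippet in the quoted message does not show how $newUniPW is built. As an added example (not code from the thread or from 389 Directory Server), the following shows the value format Active Directory expects for unicodePwd and the two LDAP modify forms: a single replace (administrative reset, as in the snippet) and a delete-plus-add (a change that supplies the old password). The function names, DN and password are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Encode qw(encode);

# AD expects unicodePwd as the password wrapped in double quotes and
# encoded as UTF-16LE; it only accepts the write on an encrypted connection.
sub ad_unicode_pwd {
    my ($plain) = @_;
    return encode('UTF-16LE', qq{"$plain"});
}

# Administrative reset: one "replace" operation. The bound account needs
# the right to reset the password; the old password is not supplied.
sub reset_args {
    my ($dn, $new) = @_;
    return ($dn, replace => { unicodePwd => ad_unicode_pwd($new) });
}

# Change: delete the old value and add the new one in the same request.
# AD checks that the deleted value matches the current password.
sub change_args {
    my ($dn, $old, $new) = @_;
    return ($dn, changes => [
        delete => [ unicodePwd => ad_unicode_pwd($old) ],
        add    => [ unicodePwd => ad_unicode_pwd($new) ],
    ]);
}

# Constructed sample values (hypothetical, not taken from the thread).
my $dn  = 'CN=Test User,OU=People,DC=example,DC=test';
my $val = ad_unicode_pwd('N3w-Passw0rd!');
printf "%d bytes: %s\n", length($val), unpack('H*', $val);

# With a Net::LDAP handle $ldap already bound over LDAPS or StartTLS:
#   my $mesg = $ldap->modify(reset_args($dn, 'N3w-Passw0rd!'));
#   die sprintf("modify failed: %d %s\n", $mesg->code, $mesg->error)
#       if $mesg->code;
```

Logging $mesg->code and $mesg->error after the modify separates an encoding or transport problem from a permission or password-policy rejection on the AD side.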