python LDAP modify password

Question

I have a Windows 2012 R2 server and a LDAP server on it. I wrote a python script to modify the password of user (the user, who isn't admin, want to modify is own password. I have an other function which modify the password when you're admin, but I don't want to set a password, but modify it). This is a sample of my code :

#!/usr/bin/env python
#coding:utf-8

import ldap
import ldap.modlist as modlist

ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
ld = ldap.initialize('ldaps://xxx.xxx.xxx.xxx:636')
ld.simple_bind_s('XXXXXX@ad2012.local', 'XXXXXXX')

new = {'unicodePwd':[str('"XXXXXXXX"').decode('utf8').encode('utf-16-le')]}
old = {'unicodePwd':[str('"YYYYYYYY"').decode('utf8').encode('utf-16-le')]}

ldif = modlist.modifyModlist(old, new)
ld.modify_s('A DN',ldif)

But when I run it, I have an error :

ldap.CONSTRAINT_VIOLATION: {'info': '0000052D: AtrErr: DSID-03191083, #1:\n\t0: 0000052D: DSID-03191083, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 9005a (unicodePwd)\n', 'desc': 'Constraint violation'}

I tried with decode/encode or without. passwd_s() is not working either. I searched a lot on google, I found a lot of solutions for others people, but not working for me.

If someone could help me, thanks in advance.

Answer 1

The error message part you want to focus on is 'info': '0000052D. The hex value 0000052D translates to a system error code of decimal 1325. That error code is documented here:

ERROR_PASSWORD_RESTRICTION

1325 (0x52D)

Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.

So it appears the new password you are trying to set somehow violates the password policy assigned to the user.