Active Directory Plugin
This plugin provides IT Admins with the ability to rotate the password of an Active Directory user account. This plugin can be run on any system that has network access to the AD server.
Install the ldap3 Python library that the plugin depends on:
pip3 install ldap3
Rotation supports legacy and typed records. If using a typed record, a field of type 'Password' is required. Additional fields may be required depending on the rotation type. See the instructions below.
If using an untyped record, the host and port can be set in custom fields. See below.
The following fields are required for AD rotation. Create each field with the label indicated and supply the required information.
The following values can customize rotation parameters. Add these options to a record as text fields and set the label to correspond to the parameter as shown in the table.
To rotate Active Directory passwords, use the rotate command in Commander. Pass the command a record title or UID (or use --match with a regular expression to rotate several records at once):
rotate "AD Password Rotator" --plugin adpasswd
If you get the error "Error during connection to AD server", try the following:
- Ensure your AD server supports a secure bind via TLS. The certificate can be self-signed if needed.
- Disable the 'Minimum password age' group policy. It is set to one day by default, which blocks a second password change within that window.
- Check that the Distinguished Name in the cmdr:userdn custom field is set correctly. It needs to be exactly right or the connection will fail. You can check the value from within the Softerra LDAP browser software, or you can run the following command prompt utility on the AD server:
C:\Users\craig>dsquery user -name Craig*
For connecting as Craig in this scenario, make sure the cmdr:userdn custom field contains this exact string (without the quotes).
Microsoft Active Directory requires an SSL/TLS connection in order to change a password. The following link explains how to set up a secure connection to Active Directory
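The following script is an added example, not the plugin's own code, showing what the rotation above does under the hood with ldap3: it binds to AD over LDAPS (the SSL/TLS requirement just described), checks the syntax of the DN supplied in cmdr:userdn (the "exactly right" requirement from the troubleshooting list), reads the domain's minimum password age so a "set to one day" policy is visible before the change is attempted, and then changes the password with the Microsoft password-modify extension. The parameter names (host, port, bind_dn, target_dn, ca_certs_file) and the sample DN are assumptions for illustration; only cmdr:userdn comes from the page.

```python
"""Rotate an AD user's password over LDAPS with ldap3 (added example, not the plugin's code)."""
import re
import secrets
import string

# Syntax check for a Distinguished Name such as "CN=Craig,OU=Users,DC=example,DC=com".
# Sample DN above is constructed. This only checks shape; it cannot prove the DN exists in AD.
_DN_RE = re.compile(r"\s*[A-Za-z][A-Za-z0-9-]*=[^,=]+(,\s*[A-Za-z][A-Za-z0-9-]*=[^,=]+)*\s*")


def validate_dn(dn):
    """Return True if dn looks like a well-formed LDAP DN (comma-separated RDN=value pairs)."""
    return bool(dn) and _DN_RE.fullmatch(dn) is not None


def min_pwd_age_days(raw):
    """Convert AD's minPwdAge (negative count of 100-nanosecond intervals) to days.

    AD stores the 1-day default as -864000000000 (86400 s * 10^7 intervals per second).
    """
    return abs(int(raw)) / 864_000_000_000


def generate_password(length=24):
    """Build a random password containing at least one char from each class AD complexity expects."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
    chars = [secrets.choice(c) for c in classes]
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def rotate_ad_password(host, port, bind_dn, bind_password, target_dn, new_password,
                       ca_certs_file=None):
    """Change target_dn's password over LDAPS, binding as bind_dn (the cmdr:userdn value).

    ca_certs_file pins the AD certificate chain; when None the certificate is not validated,
    which is what a self-signed AD certificate needs but also removes MITM protection.
    Returns a dict with the modify result and the domain's minimum password age in days.
    """
    import ssl
    from ldap3 import ALL, Connection, Server, Tls  # imported here so the rest runs without ldap3

    for dn in (bind_dn, target_dn):
        if not validate_dn(dn):
            raise ValueError("malformed DN, check cmdr:userdn: %r" % dn)

    if ca_certs_file:
        tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_certs_file)
    else:
        tls = Tls(validate=ssl.CERT_NONE)  # self-signed AD certificate, as the page allows

    # use_ssl=True gives an LDAPS session; AD refuses password changes over plaintext.
    server = Server(host, port=port, use_ssl=True, tls=tls, get_info=ALL)
    conn = Connection(server, user=bind_dn, password=bind_password, auto_bind=True)
    try:
        # Read the domain's minPwdAge so a one-day minimum age shows up before the change fails.
        base = server.info.other["defaultNamingContext"][0]
        conn.search(base, "(objectClass=domain)", attributes=["minPwdAge"])
        age_days = min_pwd_age_days(conn.entries[0].minPwdAge.value) if conn.entries else None

        # Microsoft's unicodePwd replace, performed by ldap3's extension; requires the TLS bind above.
        changed = conn.extend.microsoft.modify_password(target_dn, new_password)
        return {"changed": changed, "result": conn.result, "min_pwd_age_days": age_days}
    finally:
        conn.unbind()


if __name__ == "__main__":
    # Constructed values for a manual run; replace with your own server and DNs.
    print(validate_dn("CN=Craig,OU=Users,DC=example,DC=com"))
    print(min_pwd_age_days(-864000000000))  # the default one-day policy
    print(len(generate_password()))
```

A result where changed is False with min_pwd_age_days equal to 1.0 points at the minimum password age policy from the troubleshooting list rather than at the connection itself; a ValueError from validate_dn means the cmdr:userdn value should be re-checked with dsquery before anything reaches the network.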