前提条件: AD 已开启证书服务(最重要的一句话)。AD 只接受通过加密连接(LDAPS/TLS)提交的密码修改,因此域控制器必须持有可用的服务器证书。
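"""Change an Active Directory user's own password over LDAPS with ldap3.

The script binds as the user, looks up the user's DN by userPrincipalName,
and then asks AD to replace the current password with the new one.
"""
import ssl

import ldap3
from ldap3.utils.conv import escape_filter_chars

SERVER = 'adserver'
BASEDN = "DC=example,DC=com"
USER = "u1@example.com"
# Sample values only. Do not keep real passwords in source code; prompt for
# them (e.g. getpass.getpass()) or read them from a secret store at runtime.
CURREENTPWD = "adcvQ.SAD"
NEWPWD = "adcv.Q.SAD"
# Escape the UPN before embedding it in the filter so that characters such as
# '*', '(' , ')' or '\' in the value cannot change the filter's meaning.
SEARCHFILTER = (
    '(&(userPrincipalName=' + escape_filter_chars(USER) + ')(objectClass=person))'
)
USER_DN = ""
USER_CN = ""

# ldap3 does not validate the server certificate unless told to. Without
# validation the bind password and the new password can be intercepted by a
# machine impersonating the domain controller. If the DC certificate is issued
# by an internal CA that is not in the system trust store, pass that CA's
# certificate via the ca_certs_file argument of ldap3.Tls.
tls_config = ldap3.Tls(validate=ssl.CERT_REQUIRED)
ldap_server = ldap3.Server(SERVER, get_info=ldap3.ALL, use_ssl=True, tls=tls_config)

# use_ssl=True already wraps the socket in TLS before the bind is sent, so no
# StartTLS call is needed afterwards (StartTLS issued after the bind would be
# too late to protect the credentials anyway).
conn = ldap3.Connection(ldap_server, USER, CURREENTPWD, auto_bind=True)
try:
    conn.search(
        search_base=BASEDN,
        search_filter=SEARCHFILTER,
        search_scope=ldap3.SUBTREE,
        attributes=['cn', 'givenName', 'userPrincipalName'],
        paged_size=5,
    )

    for entry in conn.response:
        attributes = entry.get("attributes")
        # Search result references carry no dn/attributes; skip them.
        if not entry.get("dn") or not attributes:
            continue
        upn = attributes.get("userPrincipalName")
        # The LDAP filter matches the UPN case-insensitively, so compare the
        # returned value the same way; otherwise a difference in letter case
        # would leave USER_DN empty even though the account was found.
        if isinstance(upn, str) and upn.casefold() == USER.casefold():
            USER_DN = entry.get("dn")
            USER_CN = attributes.get("cn")

    if USER_DN:
        # Supplying the old password makes this a "change" performed by the
        # user, rather than an administrative "reset".
        res = conn.extend.microsoft.modify_password(USER_DN, NEWPWD, CURREENTPWD)
        if res:
            print('user %s change password Success.' % USER_CN)
        else:
            print('user %s change password Failed.' % USER_CN)
    else:
        print("User DN is missing!")
finally:
    # Always release the connection, including when the search or the
    # password change raises.
    conn.unbind()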