forked from moreati/ActiveDirectory-Python
README
This is a Python class for interacting with Active Directory via LDAP.
It is intended to be used in a self-service password reset application.
It focuses almost exclusively on password/account policy.
It does support Server 2008 R2's fine-grained password policy:
http://technet.microsoft.com/en-us/library/cc754544(v=ws.10).aspx
SUNY Geneseo uses this in production for our self-service AD password reset
app. It's not perfect, but it has been useful for us.
Requirements:
- Python LDAP library

Expects:
- Users can change their own password (SELF can Change Password in AD ACLs)
- Leaf users of groups in CN=Administrators,CN=Builtin,<your AD base> can:
  - Look up password policies (domain-wide and fine-grained)
  - Set any user's password
- To connect to one of your AD controllers via LDAP+SSL (generally port 636)

Provides:
- Function to use admin credentials to bind to AD and change a user's
  password, which requires adherence to password policy.
- Function to use admin credentials to set a user's password, which
  mostly ignores password policy.
- Function to immediately expire a user's password.
- Function to get all password policies for a domain.
- Function to load information about a user such as:
  - Which password policy applies to them
  - Are they locked/disabled/expired/password expired
  - When account/password expires
  - When password was last set

TODO:
- "More python-y, object-oriented v2.0" that supports more user/group
  modification actions.
- Better sanitization of user input
x Better exception handling/throwing
x Force SSL (can only change passwords over SSL)
- Clustered AD support (try next server in case of failure)
x Let AD do more calculation of things like:
  x Effective PSO (msDS-ResultantPSO) (Server 2008+)
  x Account locked, pw expired (msDS-User-Account-Control-Computed) (Server 2003+)
  x Account lockout expiry (Lockout-Time) (Server 2000+)
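As an added example (not code from the ActiveDirectory-Python project), here is how the AD-computed attributes listed above can be turned into the locked/disabled/expired flags and dates that the user-info loader reports, with the lockout decision left to AD via msDS-User-Account-Control-Computed. The python-ldap entry shape, the flag constants, the 42-day maxPwdAge and the fixed "now" are assumptions, and the sample entry is constructed.

```python
from datetime import datetime, timedelta, timezone
# Flag bits shared by userAccountControl and msDS-User-Account-Control-Computed.
UF_ACCOUNTDISABLE, UF_LOCKOUT = 0x0002, 0x0010
UF_DONT_EXPIRE_PASSWD, UF_PASSWORD_EXPIRED = 0x10000, 0x800000
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)       # accountExpires values meaning "never"
NEVER_MAX_PWD_AGE = (0, -0x8000000000000000)  # maxPwdAge values meaning "never"

def filetime_to_datetime(ticks):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=int(ticks) // 10)

def first_int(entry, attr, default=0):
    """python-ldap returns {attr: [b'value', ...]}; take the first value as int."""
    values = entry.get(attr)
    return int(values[0]) if values else default

def user_status(entry, max_pwd_age, now):
    """Locked/disabled/expired state and dates; max_pwd_age is the negative 100 ns
    interval from the domain (maxPwdAge) or the effective PSO."""
    uac = first_int(entry, 'userAccountControl')
    computed = first_int(entry, 'msDS-User-Account-Control-Computed')
    pwd_last_set = first_int(entry, 'pwdLastSet')
    account_expires = first_int(entry, 'accountExpires')
    acct_exp = None if account_expires in NEVER_EXPIRES else filetime_to_datetime(account_expires)
    status = {
        'disabled': bool(uac & UF_ACCOUNTDISABLE),
        'locked': bool(computed & UF_LOCKOUT),  # AD already applied lockoutDuration
        # pwdLastSet == 0 means "must change password at next logon".
        'password_expired': bool(computed & UF_PASSWORD_EXPIRED) or pwd_last_set == 0,
        'password_last_set': filetime_to_datetime(pwd_last_set) if pwd_last_set else None,
        'account_expires': acct_exp,
        'account_expired': bool(acct_exp and acct_exp <= now),
        'password_expires': None,
    }
    if pwd_last_set and not uac & UF_DONT_EXPIRE_PASSWD and max_pwd_age not in NEVER_MAX_PWD_AGE:
        status['password_expires'] = status['password_last_set'] + timedelta(microseconds=-max_pwd_age // 10)
        status['password_expired'] |= status['password_expires'] <= now
    return status
# Constructed sample entry in python-ldap result shape (not real directory data).
SAMPLE_ENTRY = {
    'userAccountControl': [b'512'],                  # NORMAL_ACCOUNT, enabled
    'msDS-User-Account-Control-Computed': [b'16'],   # UF_LOCKOUT, computed by AD
    'pwdLastSet': [b'132223104000000000'],           # 2020-01-01T00:00:00Z
    'accountExpires': [b'9223372036854775807'],      # never
}
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000  # a 42-day domain maxPwdAge (assumed)
NOW = datetime(2020, 3, 1, tzinfo=timezone.utc)     # fixed "now" so results are stable
def demo():
    return user_status(SAMPLE_ENTRY, MAX_PWD_AGE_42_DAYS, NOW)
```

Swapping the domain maxPwdAge for the msDS-MaximumPasswordAge of the user's msDS-ResultantPSO gives the fine-grained result.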