
[Samba] Allow self password change using LDAP(s) with Samba4


Juan Asensio Sánchez

Dec 30, 2015, 10:10:02 AM
Hi all

I am trying to create a webapp to allow users to change their own passwords
in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify
the user password using this code:

dn: ........
changetype: modify
replace: unicodePwd
unicodePwd: "Temporal2"

I get this error:

0x32 (Insufficient access; error in module acl: insufficient access rights
during LDB_MODIFY (50))

If I change the code, deleting the old password, and adding the new one:

dn: ........
changetype: modify
delete: unicodePwd
unicodePwd: "Temporal1"
-
add: unicodePwd
unicodePwd: "Temporal2"

Then I get this error:

#!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set
the NT hash password directly']

The ldapmodify commands are executed using the user's own credentials; I
wouldn't like to use the administrator account. Is this possible? Do I have to
change some settings in Samba4?

Rowland Penny

Dec 30, 2015, 10:50:03 AM
That is not going to work :-)

You need to do something like this:

_USER_PW="Temporal2"

UNICODEPWD=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE |
base64 -w 0)

USERLDIF="dn: .................
changetype: modify
replace: unicodePwd
unicodePwd::$UNICODEPWD"

echo "$USERLDIF" | ldbmodify -H /usr/local/samba/private/sam.ldb

Rowland

L.P.H. van Belle

Dec 30, 2015, 10:50:03 AM
Save your time..

Something like :
http://ltb-project.org/wiki/documentation/self-service-password

Good I bookmarked this one. ;-)


greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Juan Asensio
> Sánchez
> Sent: Wednesday 30 December 2015 15:59
> To: sa...@lists.samba.org
> Subject: [Samba] Allow self password change using LDAP(s) with Samba4

Roel van Meer

Jan 7, 2016, 4:40:03 AM
Hi Juan,

you can use the 'kpasswd' utility:

kpasswd us...@YOUR.REALM

It can be run as an unprivileged user.
It first prompts you for your old password and then twice for the new
password.

Cheers,

Roel

Juan Asensio Sánchez

Jan 12, 2016, 5:10:05 AM
Hi

Thanks all for your responses. The users can now change their own password
adding and removing the unicodePwd attribute, using the correct method to
generate the password value.

Now, I have a problem, because the users who have the option to force to
change the password in the next login checked, can't bind to the LDAP
server in order to change their password. Is there any way to do this,
using LDAP(s)?
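
The delete/add change with correctly encoded values, as an added example that is not part of the original thread: it builds the LDIF for a user-bound modify, using the encoding from Rowland's reply (password in double quotes, UTF-16LE, base64). The function names and the sample DN are assumptions made for illustration.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd value: the password wrapped in double quotes, as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def ldif_attr(name: str, value) -> str:
    """One LDIF line; anything that is not a plain safe string goes out as base64 ('::')."""
    safe = (
        isinstance(value, str)
        and value.isascii()
        and value == value.strip(" ")
        and not any(c in value for c in "\r\n\0")
        and not value.startswith((":", "<"))
    )
    if safe:
        return f"{name}: {value}"
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    return f"{name}:: {base64.b64encode(raw).decode('ascii')}"


def build_self_change_ldif(user_dn: str, old_password: str, new_password: str) -> str:
    """Delete the old value and add the new one in a single modify, as in the thread."""
    return "\n".join([
        ldif_attr("dn", user_dn),
        "changetype: modify",
        "delete: unicodePwd",
        ldif_attr("unicodePwd", encode_unicode_pwd(old_password)),
        "-",
        "add: unicodePwd",
        ldif_attr("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample DN; the passwords are the ones used in the thread.
    print(build_self_change_ldif("CN=juan,CN=Users,DC=example,DC=com",
                                 "Temporal1", "Temporal2"))
```

Because the DN goes through the same encoder, a DN taken from web-form input that contains a line break is emitted as base64 instead of adding extra LDIF lines.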

Ole Traupe

Jan 20, 2016, 6:00:05 AM


On 12.01.2016 10:56, Juan Asensio Sánchez wrote:
> Hi
>
> Thanks all for your responses. The users can now change their own password
> adding and removing the unicodePwd attribute, using the correct method to
> generate the password value.
>
> Now, I have a problem, because the users who have the option to force to
> change the password in the next login checked, can't bind to the LDAP
> server in order to change their password. Is there any way to do this,
> using LDAP(s)?

This is not working as it should on a Windows domain client?

Also, I believe that on Unix you can just use "passwd", which
automatically resorts to Kerberos password. No?

Ole