
[Samba] client specific debug log for ldap


lists via samba
Jan 10, 2017, 9:10:03 AM
Hi,

I am trying to debug an ldaps client that we would like to use to change
passwords for end-users. Currently this is failing with this:
> [LDAP: error code 50 - error in module acl: insufficient access
> rights during LDB_MODIFY (50)]; remaining name 'CN=ted t.
> test,CN=Users,DC=samba,DC=company,DC=com'

From what we understand, there are two ways to change a password:
A) as an admin-user with a replace operation
B) as an end-user with a delete and an add operation

To debug why my client application does not work, I configured loglevel
10 for that specific IP, according to the client specific logging on the
wiki.

HOWEVER... that does not seem to work for ldap access! :-(

Is there a way to have debug level logs for ldap traffic coming from a
specific ip, while keeping the rest at a normal level?

Or perhaps set ldap logging to 10, while keeping the rest down?

And as a side-question: do we need to configure anything special, to
allow end-users to change their passwords?

Best regards,
MJ

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Brian Candler via samba
Jan 11, 2017, 7:10:02 AM
On 10/01/2017 14:05, lists wrote:
> From what we understand, there are two ways to change a password:
> A) as an admin-user with a replace operation
> B) as an end-user with a delete and an add operation

Actually there's also an LDAP "password modify" extended operation:
https://www.ietf.org/rfc/rfc3062.txt

I don't know if Samba implements it though.

Regards,

Brian.

Andrew Bartlett via samba
Jan 11, 2017, 3:00:02 PM
On Wed, 2017-01-11 at 12:06 +0000, Brian Candler via samba wrote:
> On 10/01/2017 14:05, lists wrote:
> > From what we understand, there are two ways to change a password:
> > A) as an admin-user with a replace operation
> > B) as an end-user with a delete and an add operation
>
> Actually there's also an LDAP "password modify" extended operation:
> https://www.ietf.org/rfc/rfc3062.txt
>
> I don't know if Samba implements it though.

Sadly not. I would love to see it implemented however.

Sorry,

Andrew Bartlett

Andrew Bartlett via samba
Jan 11, 2017, 3:00:02 PM
On Tue, 2017-01-10 at 15:05 +0100, lists via samba wrote:
> Hi,
>
> I am trying to debug an ldaps client that we would like to use to change
> passwords for end-users. Currently this is failing with this:
> > [LDAP: error code 50 - error in module acl: insufficient access
> > rights during LDB_MODIFY (50)]; remaining name 'CN=ted t.
> > test,CN=Users,DC=samba,DC=company,DC=com'
>
> From what we understand, there are two ways to change a password:
> A) as an admin-user with a replace operation
> B) as an end-user with a delete and an add operation
>
> To debug why my client application does not work, I configured loglevel
> 10 for that specific IP, according to the client specific logging on the
> wiki.
>
> HOWEVER... that does not seem to work for ldap access! :-(

Correctly. Sadly we ripped out the % macro support in Samba4's
earliest days, and it never got back in. It is made harder by the fact
that we serve more than one client per process, so global variables are
not the solution any longer.

> Is there a way to have debug level logs for ldap traffic coming from a
> specific ip, while keeping the rest at a normal level?
>
> Or perhaps set ldap logging to 10, while keeping the rest down?
>
> And as a side-question: do we need to configure anything special, to
> allow end-users to change their passwords?

No. It is expected (and tested) to 'just work' as a modify on
unicodePwd (utf16 password in " chars), or if enabled userPassword as
utf8 (need to set the flag in dsHeuristics just like Windows).

Andrew Bartlett

mj via samba
Jan 12, 2017, 4:00:03 AM
Hi Andrew,

Thanks for your answer on the ldap logging.

Just to make sure I understand things correctly:

On 01/11/2017 08:56 PM, Andrew Bartlett wrote:
> No. It is expected (and tested) to 'just work' as a modify on
> unicodePwd (utf16 password in " chars), or if enabled userPassword as
> utf8 (need to set the flag in dsHeuristics just like Windows).

You talk about modify. I understood that the "modify" operation is NOT
actually used for the end-user password change, but only when an ADMIN
changes an end-user password.

In the case of an end-user changing his password, it's supposed to be a
delete and add operation. Agreed?

MJ
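The two modify shapes discussed in this thread (Andrew's modify on unicodePwd or userPassword, and the admin replace versus end-user delete-plus-add that MJ asks about), as an added Python example that is not from the thread or the Samba project. The change lists follow the ldap3 library's (attribute -> [(operation, [values])]) form, which is an assumption about the client you pair it with; the code itself imports nothing and runs offline.

```python
"""Build Samba AD / Windows AD password-change modify requests.

A password change is an LDAP modify on unicodePwd: the new password is
wrapped in double quotes and encoded as UTF-16-LE. An admin reset is one
REPLACE (needs reset-password rights, which is what the ACL error in the
thread is about). A self-service change is a DELETE of the old value and
an ADD of the new one in the same modify, so the server can check the old
password. Both need an encrypted (LDAPS) connection. The change lists use
the ldap3 (attribute -> [(operation, [values])]) shape (assumed).
"""


def encode_unicode_pwd(password: str) -> bytes:
    """Quote the password and encode it as UTF-16-LE, as unicodePwd requires."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd, validating the mandatory quoting."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value must be a double-quoted UTF-16-LE string")
    return text[1:-1]


def admin_reset_changes(new_password: str) -> dict:
    """Admin path: a single REPLACE of unicodePwd."""
    return {"unicodePwd": [("MODIFY_REPLACE", [encode_unicode_pwd(new_password)])]}


def user_change_changes(old_password: str, new_password: str) -> dict:
    """End-user path: DELETE the old value, then ADD the new one, in one modify."""
    return {"unicodePwd": [
        ("MODIFY_DELETE", [encode_unicode_pwd(old_password)]),
        ("MODIFY_ADD", [encode_unicode_pwd(new_password)]),
    ]}


def user_change_utf8_changes(old_password: str, new_password: str) -> dict:
    """Same self-service change on userPassword as plain UTF-8; the server only
    accepts this when the userPassword flag in dsHeuristics is enabled."""
    return {"userPassword": [
        ("MODIFY_DELETE", [old_password.encode("utf-8")]),
        ("MODIFY_ADD", [new_password.encode("utf-8")]),
    ]}
```

With ldap3, the returned dict is what you pass as the `changes` argument of `Connection.modify(dn, changes)`.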