Juan Asensio Sánchez
2015-Dec-30 14:59 UTC
[Samba] Allow self password change using LDAP(s) with Samba4
Hi all I am trying to create a webapp to allow users to change their own passwords in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify the user password using this code: dn: ........ changetype: modify replace: unicodePwd unicodePwd: "Temporal2" I get this error: 0x32 (Insufficient access; error in module acl: insufficient access rights during LDB_MODIFY (50)) If I change the code, deleting the old password, and adding the new one: dn: ........ changetype: modify delete: unicodePwd unicodePwd: "Temporal1" - add: unicodePwd unicodePwd: "Temporal2" Then I get this error: #!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set the NT hash password directly'] The ldapmodify are executed using the self user credentials, i wouldn't like to use the administrator account. Is this possible? Do I have to change some settings in Samba4?
Rowland penny
2015-Dec-30 15:39 UTC
[Samba] Allow self password change using LDAP(s) with Samba4
On 30/12/15 14:59, Juan Asensio Sánchez wrote:> Hi all > > I am trying to create a webapp to allow users to change their own passwords > in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify > the user password using this code: > > dn: ........ > changetype: modify > replace: unicodePwd > unicodePwd: "Temporal2" > > I get this error: > > 0x32 (Insufficient access; error in module acl: insufficient access rights > during LDB_MODIFY (50)) > > If I change the code, deleting the old password, and adding the new one: > > dn: ........ > changetype: modify > delete: unicodePwd > unicodePwd: "Temporal1" > - > add: unicodePwd > unicodePwd: "Temporal2" > > Then I get this error: > > #!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set > the NT hash password directly'] > > The ldapmodify are executed using the self user credentials, i wouldn't > like to use the administrator account. Is this possible? Do I have to > change some settings in Samba4?That is not going to work :-) You need to do something like this: _USER_PW="Temporal2" UNICODEPWD=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0) USERLDIF="dn: ................. changetype: modify replace: unicodePwd unicodePwd::$UNICODEPWD" echo "$USERLDIF" | ldbmodify -H /usr/local/samba/private/sam.ldb Rowland
L.P.H. van Belle
2015-Dec-30 15:42 UTC
[Samba] Allow self password change using LDAP(s) with Samba4
Save your time.. Something like : http://ltb-project.org/wiki/documentation/self-service-password good i bookmarked this one. ;-) greetz, Louis> -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Juan Asensio > Sánchez > Verzonden: woensdag 30 december 2015 15:59 > Aan: samba at lists.samba.org > Onderwerp: [Samba] Allow self password change using LDAP(s) with Samba4 > > Hi all > > I am trying to create a webapp to allow users to change their own > passwords > in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify > the user password using this code: > > dn: ........ > changetype: modify > replace: unicodePwd > unicodePwd: "Temporal2" > > I get this error: > > 0x32 (Insufficient access; error in module acl: insufficient access rights > during LDB_MODIFY (50)) > > If I change the code, deleting the old password, and adding the new one: > > dn: ........ > changetype: modify > delete: unicodePwd > unicodePwd: "Temporal1" > - > add: unicodePwd > unicodePwd: "Temporal2" > > Then I get this error: > > #!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set > the NT hash password directly'] > > The ldapmodify are executed using the self user credentials, i wouldn't > like to use the administrator account. Is this possible? Do I have to > change some settings in Samba4? > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Roel van Meer
2016-Jan-07 09:12 UTC
[Samba] Allow self password change using LDAP(s) with Samba4
Hi Juan, you can use the 'kpasswd' utility: kpasswd user at YOUR.REALM It can be run as unprivileged user. It first prompts you for your old password and the twice for the new password. Cheers, Roel Juan Asensio Sánchez writes:> Hi all > > I am trying to create a webapp to allow users to change their own passwords > in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify > the user password using this code: > > dn: ........ > changetype: modify > replace: unicodePwd > unicodePwd: "Temporal2" > > I get this error: > > 0x32 (Insufficient access; error in module acl: insufficient access rights > during LDB_MODIFY (50)) > > If I change the code, deleting the old password, and adding the new one: > > dn: ........ > changetype: modify > delete: unicodePwd > unicodePwd: "Temporal1" > - > add: unicodePwd > unicodePwd: "Temporal2" > > Then I get this error: > > #!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set > the NT hash password directly'] > > The ldapmodify are executed using the self user credentials, i wouldn't > like to use the administrator account. Is this possible? Do I have to > change some settings in Samba4? > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba
Juan Asensio Sánchez
2016-Jan-12 09:56 UTC
[Samba] Allow self password change using LDAP(s) with Samba4
Hi Thanks all for your responses. The users can now change their own password adding and removing the unicodePwd attribute, using the correct method to generate the password value. Now, I have a problem, because the users who have the option to force to change the password in the next login checked, can't bind to the LDAP server in order to change their password. Is there any way to do this, using LDAP(s)? 2016-01-07 10:12 GMT+01:00 Roel van Meer <roel at 1afa.com>:> Hi Juan, > > you can use the 'kpasswd' utility: > > kpasswd user at YOUR.REALM > > It can be run as unprivileged user. > It first prompts you for your old password and the twice for the new > password. > > Cheers, > > Roel > > > > Juan Asensio Sánchez writes: > > Hi all >> >> I am trying to create a webapp to allow users to change their own >> passwords >> in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify >> the user password using this code: >> >> dn: ........ >> changetype: modify >> replace: unicodePwd >> unicodePwd: "Temporal2" >> >> I get this error: >> >> 0x32 (Insufficient access; error in module acl: insufficient access rights >> during LDB_MODIFY (50)) >> >> If I change the code, deleting the old password, and adding the new one: >> >> dn: ........ >> changetype: modify >> delete: unicodePwd >> unicodePwd: "Temporal1" >> - >> add: unicodePwd >> unicodePwd: "Temporal2" >> >> Then I get this error: >> >> #!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set >> the NT hash password directly'] >> >> The ldapmodify are executed using the self user credentials, i wouldn't >> like to use the administrator account. Is this possible? Do I have to >> change some settings in Samba4? >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> >