Hi,

I am trying to debug an ldaps client that we would like to use to change passwords for end-users. Currently this is failing with this:

> [LDAP: error code 50 - error in module acl: insufficient access
> rights during LDB_MODIFY (50)]; remaining name 'CN=ted t.
> test,CN=Users,DC=samba,DC=company,DC=com'

From what we understand, there are two ways to change a password:
A) as an admin-user with a replace operation
B) as an end-user with a delete and an add operation

To debug why my client application does not work, I configured loglevel 10 for that specific IP, according to the client specific logging on the wiki.

HOWEVER... that does not seem to work for ldap access! :-(

Is there a way to have debug level logs for ldap traffic coming from a specific ip, while keeping the rest at a normal level?

Or perhaps set ldap logging to 10, while keeping the rest down?

And as a side-question: do we need to configure anything special, to allow end-users to change their passwords?

Best regards,
MJ
On 10/01/2017 14:05, lists wrote:
> From what we understand, there are two ways to change a password:
> A) as an admin-user with a replace operation
> B) as an end-user with a delete and an add operation

Actually there's also an LDAP "password modify" extended operation:
https://www.ietf.org/rfc/rfc3062.txt

I don't know if Samba implements it though.

Regards,
Brian.
On Tue, 2017-01-10 at 15:05 +0100, lists via samba wrote:
> Hi,
>
> I am trying to debug an ldaps client that we would like to use to change
> passwords for end-users. Currently this is failing with this:
>
> > [LDAP: error code 50 - error in module acl: insufficient access
> > rights during LDB_MODIFY (50)]; remaining name 'CN=ted t.
> > test,CN=Users,DC=samba,DC=company,DC=com'
>
> From what we understand, there are two ways to change a password:
> A) as an admin-user with a replace operation
> B) as an end-user with a delete and an add operation
>
> To debug why my client application does not work, I configured loglevel
> 10 for that specific IP, according to the client specific logging on the
> wiki.
>
> HOWEVER... that does not seem to work for ldap access! :-(

Correctly. Sadly we ripped out the % macro support in Samba4's earliest days, and it never got back in. It is made harder by the fact that we serve more than one client per process, so global variables are not the solution any longer.

> Is there a way to have debug level logs for ldap traffic coming from a
> specific ip, while keeping the rest at a normal level?
>
> Or perhaps set ldap logging to 10, while keeping the rest down?
>
> And as a side-question: do we need to configure anything special, to
> allow end-users to change their passwords?

No. It is expected (and tested) to 'just work' as a modify on unicodePwd (utf16 password in " chars), or if enabled userPassword as utf8 (need to set the flag in dsHeuristics just like Windows).

Andrew Bartlett
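The two modify shapes discussed in this thread (the privileged replace of unicodePwd, and the self-service delete-old/add-new pair), with the UTF-16LE-in-double-quotes value encoding Andrew describes, as an added illustration that is not part of the list thread and not Samba's own code. It builds LDIF of the kind ldapmodify accepts; the DN is the one from the original error message, the passwords are constructed sample values, and no connection to a server is made. Building the modify from a function lets a client author check the exact bytes going on the wire before chasing the error code 50 ACL denial on the server side.

```python
"""Construct the LDAP modify operations Samba AD expects for a unicodePwd change.

Added example (not from the Samba mailing list or Samba source). Encoding rule
stated in the thread: new password wrapped in double quotes, encoded UTF-16LE.
"""
import base64

# DN taken from the error message quoted in the thread.
SAMPLE_DN = "CN=ted t. test,CN=Users,DC=samba,DC=company,DC=com"


def encode_unicode_pwd(password: str) -> bytes:
    """Wrap in double quotes and encode UTF-16LE without a BOM, as AD/Samba require."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(raw: bytes) -> str:
    """Reverse of encode_unicode_pwd; rejects a value that lacks the surrounding quotes."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not wrapped in double quotes")
    return text[1:-1]


def _b64_line(attr: str, value: bytes) -> str:
    # LDIF uses a double colon for base64-encoded (binary) attribute values.
    return f"{attr}:: {base64.b64encode(value).decode('ascii')}"


def admin_reset_ldif(dn: str, new_password: str) -> str:
    """Privileged reset: a single 'replace' of unicodePwd.

    Requires reset-password rights on the target object; the old value is not checked.
    """
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        _b64_line("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
    ]
    return "\n".join(lines) + "\n"


def self_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Self-service change: delete the old value and add the new one in ONE modify.

    The server verifies that the deleted value matches the current password, which
    is what lets an ordinary user change only their own password.
    """
    lines = [
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        _b64_line("unicodePwd", encode_unicode_pwd(old_password)),
        "-",
        "add: unicodePwd",
        _b64_line("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
    ]
    return "\n".join(lines) + "\n"


def decode_ldif_passwords(ldif: str) -> list:
    """Parse the LDIF produced above back into (operation, password) pairs.

    Useful for checking what a client actually emits before sending it over ldaps.
    """
    ops, current = [], None
    for line in ldif.splitlines():
        if line in ("replace: unicodePwd", "delete: unicodePwd", "add: unicodePwd"):
            current = line.split(":", 1)[0]
        elif line.startswith("unicodePwd:: "):
            raw = base64.b64decode(line.split(":: ", 1)[1])
            ops.append((current, decode_unicode_pwd(raw)))
    return ops


if __name__ == "__main__":
    print(admin_reset_ldif(SAMPLE_DN, "NewSample-Pass1"))
    print(self_change_ldif(SAMPLE_DN, "OldSample-Pass1", "NewSample-Pass2"))
```

Either LDIF can be piped to ldapmodify against an ldaps:// URI; the delete/add form must arrive as one modify request with both changes, not two separate requests, or the server will not treat it as a self-service change.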
On Wed, 2017-01-11 at 12:06 +0000, Brian Candler via samba wrote:
> On 10/01/2017 14:05, lists wrote:
> > From what we understand, there are two ways to change a password:
> > A) as an admin-user with a replace operation
> > B) as an end-user with a delete and an add operation
>
> Actually there's also an LDAP "password modify" extended operation:
> https://www.ietf.org/rfc/rfc3062.txt
>
> I don't know if Samba implements it though.

Sadly not. I would love to see it implemented however.

Sorry,

Andrew Bartlett
Hi Andrew,

Thanks for your answer on the ldap logging. Just to make sure I understand things correctly:

On 01/11/2017 08:56 PM, Andrew Bartlett wrote:
> No. It is expected (and tested) to 'just work' as a modify on
> unicodePwd (utf16 password in " chars), or if enabled userPassword as
> utf8 (need to set the flag in dsHeuristics just like Windows).

You talk about modify. I understood that the "modify" operation is NOT actually used for the end-user password change, but only when an ADMIN changes an end-user password.

In the case of an end-user changing his password, it's supposed to be a delete and add operation.

Agreed?

MJ