Based on the connection properties in LDAP Admin (neither the SSL or TLS checkboxes are enabled) the connection should be unencrypted... A netstat confirms that LDAP Admin is connecting to port 389 on the server.
From: Yann Cézard [mailto:[email protected]] Sent: Saturday, January 11, 2014 1:51 AM To: Alan Osborne Cc: [email protected] Subject: Re: [Ltb-users] Can't change password using LTB SSP with AD LDAP On 11/01/2014 10:16, Alan Osborne wrote: Hi, I'm hitting a wall trying to troubleshoot an issue with LTB self service password... Here's an excerpt from the apache2 error log (debug mode enabled): [Sat Jan 11 00:52:48 2014] [error] [client 192.168.x.x] PHP Warning: ldap_mod_replace(): Modify: Server is unwilling to perform in /usr/share/self-service-password/lib/functions.inc.php on line 275, referer: https://ltb_ssp_ip/self-service/ [Sat Jan 11 00:52:48 2014] [error] [client 192.168.x.x] LDAP - Modify password error 53 (Server is unwilling to perform), referer: https://ltb_ssp_ip/self-service/ I've tested using LDAP Admin (http://www.ldapadmin.org/) and I can change the same account password that failed with LTB SSP. I'm connecting to the same AD DC too and I don't need to use a secure connection (LDAPS), just unencrypted LDAP on port 389. Here are the relevant entries in my config.inc.php file: $ldap_url = "ldap://ip_address_of_ad_dc";<ldap://ip_address_of_ad_dc>; $ldap_binddn = "cn=ldapuser,cn=Users,dc=domain,dc=ext"; $ldap_bindpw = "ldapuserpasswd"; $ldap_base = "dc=domain,dc=ext"; $ldap_login_attribute = "uid"; $ldap_fullname_attribute = "cn"; $ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"; $ad_mode = true; $ad_options['force_unlock'] = true; $ad_options['force_pwd_change'] = true; $samba_mode = false; $who_change_password = "manager"; All other settings are default. Any ideas? Thanks! Hi, Are you sure that ldapadmin does not use TLS when connecting on port 389 ? Because I believe that having an encrypted connection is required in order to change a password in AD (it works on ldaps, I don't know for sure for TLS, but I would not be surprised it does to). Regards, -- Yann Cézard - infrastructures - administrateur systèmes serveurs Centre de ressources informatiques - http://cri.univ-pau.fr Université de Pau et des pays de l'Adour - http://www.univ-pau.fr bâtiment d'Alembert (anciennement IFR), rue Jules Ferry, 64000 Pau Téléphone : +33 (0)5 59 40 77 94
_______________________________________________ ltb-users mailing list [email protected] http://lists.ltb-project.org/listinfo/ltb-users
