On 11/01/2014 11:03, Alan Osborne wrote:

Based on the connection properties in LDAP Admin (neither the SSL nor the TLS checkbox is enabled) the connection should be unencrypted... A netstat confirms that LDAP Admin is connecting to port 389 on the server.

LDAP+TLS uses the standard 389 port.
Just check with tcpdump/wireshark to find out if TLS is on or not ;-)

*From:* Yann Cézard [mailto:[email protected]]
*Sent:* Saturday, January 11, 2014 1:51 AM
*To:* Alan Osborne
*Cc:* [email protected]
*Subject:* Re: [Ltb-users] Can't change password using LTB SSP with AD LDAP

On 11/01/2014 10:16, Alan Osborne wrote:

    Hi,

    I'm hitting a wall trying to troubleshoot an issue with LTB self
    service password...

    Here's an excerpt from the apache2 error log (debug mode enabled):

    [Sat Jan 11 00:52:48 2014] [error] [client 192.168.x.x] PHP
    Warning:  ldap_mod_replace(): Modify: Server is unwilling to
    perform in /usr/share/self-service-password/lib/functions.inc.php
    on line 275, referer: https://ltb_ssp_ip/self-service/

    [Sat Jan 11 00:52:48 2014] [error] [client 192.168.x.x] LDAP -
    Modify password error 53 (Server is unwilling to perform),
    referer: https://ltb_ssp_ip/self-service/

    I've tested using LDAP Admin (http://www.ldapadmin.org/) and I can
    change the same account password that failed with LTB SSP. I'm
    connecting to the same AD DC too and I don't need to use a secure
    connection (LDAPS), just unencrypted LDAP on port 389.

    Here are the relevant entries in my config.inc.php file:

    $ldap_url = "ldap://ip_address_of_ad_dc";

    $ldap_binddn = "cn=ldapuser,cn=Users,dc=domain,dc=ext";

    $ldap_bindpw = "ldapuserpasswd";

    $ldap_base = "dc=domain,dc=ext";

    $ldap_login_attribute = "uid";

    $ldap_fullname_attribute = "cn";

    $ldap_filter = "(&(objectClass=user)(sAMAccountName={login})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))";

    $ad_mode = true;

    $ad_options['force_unlock'] = true;

    $ad_options['force_pwd_change'] = true;

    $samba_mode = false;

    $who_change_password = "manager";

    All other settings are default.

    Any ideas?

    Thanks!

Hi,

Are you sure that LDAP Admin does not use TLS when connecting on port 389?
Because I believe that having an encrypted connection is required in order to change a password in AD (it works on ldaps, I don't know for sure for TLS, but I would not be surprised if it does too).

Regards,

--
Yann Cézard  -  infrastructure - server systems administrator
Centre de ressources informatiques    -  http://cri.univ-pau.fr
Université de Pau et des pays de l'Adour -  http://www.univ-pau.fr
d'Alembert building (formerly IFR), rue Jules Ferry, 64000 Pau
Telephone: +33 (0)5 59 40 77 94



_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
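Yann's suggestion is to look at the wire rather than at netstat, since StartTLS and cleartext LDAP share port 389 and a port number says nothing about whether the unicodePwd modify that AD refused with error 53 went out in the clear. The Python below is an added example, not LTB SSP or LDAP Admin code: a minimal BER decoder that walks the client-to-server bytes of a captured port-389 session (for instance the raw client-direction export of Wireshark's "Follow TCP Stream") and reports whether a StartTLS extended request (OID 1.3.6.1.4.1.1466.20037) precedes the bind and the modify. The sample streams, DNs, passwords and the TLS bytes are constructed for the example, not taken from a real capture; the function names are the example's own.

```python
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"   # StartTLS extended operation (RFC 4511)
# protocolOp tags of the LDAPMessage CHOICE (constructed, APPLICATION class)
TAG_BIND_REQUEST = 0x60      # [APPLICATION 0]
TAG_MODIFY_REQUEST = 0x66    # [APPLICATION 6]
TAG_EXTENDED_REQUEST = 0x77  # [APPLICATION 23]

def read_tlv(buf, pos):
    """Decode one BER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def classify_pdus(stream):
    """One dict per LDAPMessage in a client->server stream. Parsing stops at a
    StartTLS request: from there on the client bytes are TLS records, not LDAP."""
    events, pos = [], 0
    while pos < len(stream):
        tag, msg, pos = read_tlv(stream, pos)
        if tag != 0x30:
            raise ValueError("expected LDAPMessage SEQUENCE, got tag 0x%02x" % tag)
        _, _msgid, p = read_tlv(msg, 0)                # messageID INTEGER (unused)
        op_tag, op, _ = read_tlv(msg, p)
        if op_tag == TAG_EXTENDED_REQUEST:
            _, name, _ = read_tlv(op, 0)               # requestName [0] LDAPOID
            oid = name.decode("ascii")
            events.append({"op": "starttls" if oid == STARTTLS_OID else "extended", "oid": oid})
            if oid == STARTTLS_OID:
                break
        elif op_tag == TAG_BIND_REQUEST:
            _, _version, p = read_tlv(op, 0)
            _, dn, p = read_tlv(op, p)
            auth_tag, cred, _ = read_tlv(op, p)        # simple [0] = cleartext password
            simple = auth_tag == 0x80
            events.append({"op": "simple_bind" if simple else "sasl_bind", "dn": dn.decode("utf-8"),
                           "password": cred.decode("utf-8", "replace") if simple else None})
        elif op_tag == TAG_MODIFY_REQUEST:
            _, dn, p = read_tlv(op, 0)
            _, changes, _ = read_tlv(op, p)
            attrs, q = [], 0
            while q < len(changes):                    # change ::= SEQUENCE {operation, modification}
                _, change, q = read_tlv(changes, q)
                _, _operation, r = read_tlv(change, 0)
                _, partial, _ = read_tlv(change, r)
                _, atype, _ = read_tlv(partial, 0)     # PartialAttribute.type
                attrs.append(atype.decode("ascii"))
            events.append({"op": "modify", "dn": dn.decode("utf-8"), "attrs": attrs})
        else:
            events.append({"op": "other", "tag": op_tag})
    return events

def password_change_is_protected(stream):
    """True only if StartTLS was requested before any bind or modify. Without that
    (or LDAPS on 636) AD rejects a unicodePwd modify with unwillingToPerform (53)."""
    for ev in classify_pdus(stream):
        if ev["op"] == "starttls":
            return True
        if ev["op"] in ("simple_bind", "sasl_bind", "modify"):
            return False
    return False

# ---- constructed sample streams (hypothetical DNs/passwords, not a real capture) ----
def tlv(tag, value):
    """Minimal BER encoder, used only to build the samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def ldap_message(msgid, op):
    return tlv(0x30, tlv(0x02, bytes([msgid])) + op)

def simple_bind(msgid, dn, password):
    body = tlv(0x02, b"\x03") + tlv(0x04, dn) + tlv(0x80, password)   # version 3, name, simple
    return ldap_message(msgid, tlv(TAG_BIND_REQUEST, body))

def unicodepwd_replace(msgid, dn, new_password):
    value = ('"%s"' % new_password).encode("utf-16-le")   # AD: quoted password as UTF-16LE
    change = tlv(0x30, tlv(0x0A, b"\x02") +                 # operation: replace (2)
                 tlv(0x30, tlv(0x04, b"unicodePwd") + tlv(0x31, tlv(0x04, value))))
    return ldap_message(msgid, tlv(TAG_MODIFY_REQUEST, tlv(0x04, dn) + tlv(0x30, change)))

def starttls_request(msgid):
    return ldap_message(msgid, tlv(TAG_EXTENDED_REQUEST, tlv(0x80, STARTTLS_OID.encode("ascii"))))

MANAGER_DN = b"cn=ldapuser,cn=Users,dc=domain,dc=ext"
USER_DN = b"cn=alice,cn=Users,dc=domain,dc=ext"
# What a plain "ldap://" URL produces: bind and unicodePwd modify in the clear.
CLEARTEXT_STREAM = (simple_bind(1, MANAGER_DN, b"ldapuserpasswd")
                    + unicodepwd_replace(2, USER_DN, "N3w-Passw0rd"))
# Same session behind StartTLS: after the extended request the client sends a TLS
# ClientHello record (type 0x16); the remaining bytes are opaque to this parser.
STARTTLS_STREAM = starttls_request(1) + b"\x16\x03\x01\x00\x05hello"
```

Two things the output makes visible that netstat cannot. First, a simple bind on a cleartext session carries the bind DN password as an OCTET STRING, so an unencrypted `ldap://` URL exposes the `$ldap_bindpw` of the SSP manager account to anyone on the path, not just the user's new password. Second, if the session was actually LDAPS on 636 the very first client byte is a TLS record (0x16), not an LDAPMessage SEQUENCE (0x30), and `classify_pdus` raises ValueError on it; that error is itself the answer that the stream is encrypted end to end.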
