Thanks a lot for all these tips, I added them to the documentation: http://ltb-project.org/wiki/documentation/self-service-password/latest/config_ldap
Clément.

2014/1/18 Alan Osborne <[email protected]>

> FYI, if you use the "Reset by questions" option, then you'll also need
> to do the following:
>
> · Right click the OU where you want delegation of permissions to
> propagate down from and select "Delegate Control…"
>
> · Add the account to delegate to, click Next
>
> · Create a custom task to delegate
>
> · Select the radio button for "Only the following objects in the
> folder", then select "User objects" at the bottom of the list, click Next
>
> · Select the "Property-specific" checkbox only, then locate the
> attribute you are using to store the "Reset by questions" answer in (this
> value is set in "$answer_attribute" - see SSP conf file). In my case, I use
> the "description" attribute. Not sure, but I would assume you need
> Read/Write for that attribute (i.e. select both "Read Description" and
> "Write Description").
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Gray McCord
> *Sent:* Friday, January 17, 2014 4:37 AM
> *To:* [email protected]
> *Subject:* Re: [Ltb-users] Question: requirements for AD LDAP-only user permissions?
>
> Thanks, Alan. It works perfectly!
>
> Gray
>
> *From:* Alan Osborne [mailto:[email protected]]
> *Sent:* Wednesday, January 15, 2014 5:52 PM
> *To:* Alban Meunier; Gray McCord
> *Cc:* [email protected]
> *Subject:* RE: [Ltb-users] Question: requirements for AD LDAP-only user permissions?
>
> Please confirm that the following permissions are NOT needed:
>
> - Read lockoutTime
> - Read pwdLastSet
> - Write pwdLastSet
> - Read shadowLastChange
>
> Thanks!
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Alban Meunier
> *Sent:* Wednesday, January 15, 2014 3:15 PM
> *To:* Gray McCord
> *Cc:* [email protected]
> *Subject:* Re: [Ltb-users] Question: requirements for AD LDAP-only user permissions?
>
> Hi Gray,
>
> To set the minimum rights for an AD account to reset a password, do the
> following
>
> 1. Create a basic domain account without any additional privileges
> 2. Use Delegate control wizard within "User and computers", then
>
> - User Object
> - Reset Password
> - Write lockoutTime (if unlock is enabled)
> - Write shadowLastChange
>
> That’s it!
>
> On 15 Jan 2014, at 22:00, Gray McCord <[email protected]> wrote:
>
> I’ve been using LTB very successfully for months on an AD/LDAP environment
> and have finally gotten to the point where I’ve turned it over to our users
> to try. What I want to do is create an “LTB-only” AD user which only has
> the permissions necessary to change and reset passwords. I created the
> user in AD and ran the Delegation of control wizard to set this up. I
> thought that enabling “Reset user passwords” and “Read all user
> information” might work, but alas, no. I wound up having to select “create,
> delete, and manage user accounts”. The good news is that it’s no longer
> using my or an admin’s credentials, but I think I don’t really need LTB to
> be able to create or delete or change group membership for users, which I
> think this setting permits.
>
> Anyway, does anyone know what the minimum appropriate set of permissions
> / best practice should be to allow LTB to do its job?
>
> Thanks!
>
> Gray
>
> Gray McCord
> *Adapt, Mutate, Migrate, or Die*
> -C. Darwin
>
> --
> This message has been scanned for viruses and
> dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
> believed to be clean.
>
> _______________________________________________
> ltb-users mailing list
> [email protected]
> http://lists.ltb-project.org/listinfo/ltb-users
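The minimum delegation described in the thread (Reset Password, Write lockoutTime, Write shadowLastChange, all scoped to user objects, optionally plus the "$answer_attribute" for "Reset by questions") can be checked after the fact. The script below is an added example, not code from the thread or from the LTB project: it reads the ACL of the delegated OU and flags every ACE held by the service account that goes beyond that minimum. The OU DN and account name are placeholders, and it assumes the ActiveDirectory PowerShell module (which provides the AD: drive).

```powershell
# Added example (not from the thread or the LTB project): audit the ACEs the
# SSP service account holds on the delegated OU against the minimum set.
Import-Module ActiveDirectory

$ouDn    = 'OU=People,DC=example,DC=com'   # placeholder: OU delegated to LTB
$account = 'EXAMPLE\svc-ssp'               # placeholder: the LTB-only account
$rootDse = Get-ADRootDSE

# Resolve GUIDs from this forest's own schema instead of hard-coding them.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
         -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if ($o) { [guid]$o.schemaIDGUID }    # $null when the attribute is absent
}
function Get-RightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
         -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$o.rightsGuid
}

$userClass = Get-SchemaGuid 'user'
# Minimum set from the thread: one extended right plus two writable attributes.
$expected = @{}
$expected[(Get-RightGuid 'Reset Password')] = 'ExtendedRight'
$expected[(Get-SchemaGuid 'lockoutTime')]   = 'WriteProperty'
$slc = Get-SchemaGuid 'shadowLastChange'    # only present with the RFC 2307 extension
if ($slc) { $expected[$slc] = 'WriteProperty' }
# If "Reset by questions" is enabled, add the answer attribute, e.g.:
# $expected[(Get-SchemaGuid 'description')] = 'WriteProperty'

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.Access |
  Where-Object { $_.IdentityReference.Value -eq $account } |
  ForEach-Object {
    $rights  = $_.ActiveDirectoryRights.ToString()
    $scoped  = ($_.InheritedObjectType -eq $userClass)
    $inMin   = $expected.ContainsKey($_.ObjectType) -and
               ($rights -match $expected[$_.ObjectType]) -and $scoped
    $verdict = if ($inMin) { 'expected' } else { 'BEYOND MINIMUM - review' }
    [pscustomobject]@{
      Rights       = $rights
      ObjectType   = $_.ObjectType      # Guid.Empty means "all properties/rights"
      ScopedToUser = $scoped
      Verdict      = $verdict
    }
  } | Format-Table -AutoSize
```

An ACE such as CreateChild/DeleteChild with an empty ObjectType (what "create, delete, and manage user accounts" grants) shows up as "BEYOND MINIMUM", which is exactly the over-delegation the thread set out to remove.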
