Hello everyone!

That would be great if the option to change password could work with Microsoft Active Directory. I tried all tips that were suggested in the last few mails, but none worked, I always end up with "Forbidden" and a popup saying "Unhandled error response".

I guess that it is not possible to write in Microsoft AD, except using some kind of paid protocol. I'm just wondering here, of course.

Note that I am running SOGo under Ubuntu 14.04 LTS, which connects to Microsoft AD to authenticate. The authentication works perfectly, but the change password doesn't.

Cheers,

---
[1]
ALEX ZUOTOSKI
Information Technology
Phones: +5541-3641-4250 / Extension 229
E-mails: a...@csmcalderaria.com.br / t...@csmcalderaria.com.br
[1] http://www.csmcalderaria.com.br [2]

On 2017-01-31 18:30, Christoph Kreutzer wrote:

> Hi Ralf, hi MJ,
>
> Thanks for the answers up to now!
>
> According to the docs [1] there is the following option for LDAP user sources:
>
> bindAsCurrentUser
>
> If set to YES, SOGo will always keep binding to the LDAP server using the DN
> of the currently authenticated user. If _bindFields_ is set, _bindDN_ and
> _bindPassword_ will still be required to find the proper DN of the user.
>
> In this case the user should be able to change its own password via SOGo.
> For this to work, you either need bindFields set (for looking up the user's
> DN) or IDFieldName (the attribute which builds the user's DN, like
> IDFieldName=<loginname>, baseDN).
>
> MJ, I don't know if that works in combination with SAML - since SOGo
> shouldn't know the user's password, it probably binds using the given bindDN,
> which then would need the rights to change other users' passwords.
>
> Ralf, I'm not sure what you're looking for. If you need a frontend for
> password self service, I would either go with the SOGo functionality built
> in, or with the already named LAM. In my use case I have an existing user
> management via a Zend Framework application, which allows that similarly to
> LAM (we use an admin user to set userPassword, setting a custom built
> crypt-hash using SHA512 with a nice number of rounds - should work with most
> Linux distros [2]).
> If you're asking regarding OpenLDAP ACLs to allow a user to change its own
> password, you would find that here: [3]
> I don't really know much about the SOGo features itself, since I'm using SAML
> auth.
>
> Regards,
> Christoph
>
> [1] https://sogo.nu/files/docs/SOGoInstallationGuide.html#_authentication_using_ldap
> [2] https://en.m.wikipedia.org/wiki/Crypt_(C)#Support_in_operating_systems
> [3] http://www.openldap.org/lists/openldap-software/200212/msg00518.html
>
> On 31.01.2017 at 14:52, lists (li...@merit.unu.edu) <users@sogo.nu> wrote:
>
> Hi
>
> we are looking for a password change mechanism for openldap. Can you please
> share your knowledge re. this? In active directory, end users are allowed to
> change their own passwords by default. This does require that the connection
> is made over ldapS.
>
> There is a tool called ldap-account-manager (lam) that we used in the past.
> It included an end-user password change portal.
> (https://www.ldap-account-manager.org/)
>
> We are also currently testing RedHat's keycloak (SAML/oauth Idp) that
> will prompt users to change their ldap passwords as well, if they have
> expired.
> (http://www.keycloak.org/)
>
> And you're right: Perhaps better to take this offlist if you have more
> questions. (and yes, I also realise that your question was actually aimed at
> Christoph)
>
> Best regards to all,
> MJ
> --
> users@sogo.nu
> https://inverse.ca/sogo/lists

Links:
------
[1] http://www.csmcalderaria.com.br
[2] http://www.csmcalderaria.com.br/
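
An added example, not part of the thread and not SOGo's code: how a password change is expressed against Active Directory over LDAP, covering both the self-service case (the user bound as themselves, as with bindAsCurrentUser) and the reset by a privileged bindDN that Christoph mentions, plus the encrypted-transport requirement MJ notes. It assumes AD's `unicodePwd` attribute; the function names, host and DN are hypothetical, and the code only builds the modify request, it does not talk to a server.

```python
"""Build the LDAP modify for an Active Directory password change (illustrative)."""
from urllib.parse import urlparse

# LDAP modify operation codes from RFC 4511: add=0, delete=1, replace=2
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd as the password wrapped in double quotes, UTF-16LE."""
    if not password:
        raise ValueError("empty password")
    return ('"' + password + '"').encode("utf-16-le")


def transport_is_encrypted(uri: str, start_tls: bool = False) -> bool:
    """AD refuses unicodePwd writes on a cleartext connection."""
    scheme = urlparse(uri).scheme.lower()
    return scheme == "ldaps" or (scheme == "ldap" and start_tls)


def build_self_change(user_dn: str, old_password: str, new_password: str):
    """User bound as themselves: delete the old value and add the new one in ONE
    modify. Proves knowledge of the old password; needs no extra rights."""
    return user_dn, [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def build_admin_reset(user_dn: str, new_password: str):
    """Privileged bind DN: a single replace; requires the reset-password right."""
    return user_dn, [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


def plan_change(uri, user_dn, old_password, new_password, start_tls=False):
    """Refuse to build the request unless the connection would be encrypted."""
    if not transport_is_encrypted(uri, start_tls):
        raise ConnectionError(f"refusing password change over cleartext {uri}")
    return build_self_change(user_dn, old_password, new_password)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread
    dn = "CN=Test User,OU=Staff,DC=example,DC=com"
    print(plan_change("ldaps://dc1.example.com", dn, "Old-pass1", "New-pass2"))
```

The returned operation list has the shape most LDAP client libraries accept for a modify call, so the same two builders show which rights each binding mode needs on the directory side.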