Hi there,

Thank you for your answers. We had previous problems with the AD 2008 Standard password policy and constraints.
Now we have corrected some AD Group Policy Objects in the AD account strategy (i.e. minimum lifetime for a password, password complexity constraints, password length...).
We tried the parameters below and, with your 0.3 version, it seems to work correctly with any user/admin account of the AD 2008 server.
/usr/share/self-service-password-0-3/config.inc.php
# 0.3 Configuration
# LDAP
$ldap_url = "ldaps://192.168.220.30:636";
$ldap_binddn = "cn=Administrateur,cn=Users,dc=ixdark-alpha,dc=corp";
$ldap_bindpw = "xxx";
$ldap_base = "DC=ixdark-alpha,DC=corp";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login}))";
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;
# Who changes the password?
# user: the user itself
# manager: the above binddn
$who_change_password = "manager";
# Language
$lang ="fr";
# Debug mode
$debug = true;
The main problem we have with 0.3 is that we cannot turn the "who_change_password" switch to "user": the following error code 50 appears in the /var/log/apache2/ssp_error.log file:

LDAP - Modify password error 50 (Insufficient access), referer: http://192.168.220.176/2/

-----

On the 0.4 version side, we keep getting the same error messages:

/usr/share/self-service-password-0-4/config.inc.php
# 0.4 Configuration
# LDAP
$ldap_url = "ldaps://192.168.220.30:636";
$ldap_binddn = "cn=Administrateur,cn=Users,dc=ixdark-alpha,dc=corp";
$ldap_bindpw = "xxx";
$ldap_base = "DC=ixdark-alpha,DC=corp";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login}))";
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;
# Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager";
# Language
$lang ="fr";
# Debug mode
$debug = true;

Here are our errors (/var/log/apache2/ssp_error.log) depending on the who_change_password switch we choose:

$who_change_password = "user";
LDAP - Modify password error 50 (Insufficient access), referer: http://192.168.220.176/

$who_change_password = "manager";
LDAP - Modify password error 53 (Server is unwilling to perform), referer: http://192.168.220.176/

# The content of the file /etc/ldap/ldap.conf :
BASE dc=ixdark-alpha,dc=corp
URI ldaps://192.168.220.30
TLS_REQCERT never

To summarize, we have:

SSP 0.3 :
$who_change_password = "user"; = Not Working (error code 50)
$who_change_password = "manager"; = Working !!

SSP 0.4 :
$who_change_password = "user"; = Not Working (error code 50)
$who_change_password = "manager"; = Not Working (error code 53)

Did you have any ideas about the way to get rid of these errors? We hope that our problems can help you to improve your software.

Best Regards
Paul Cherbonneau

On 4 August 2010 at 17:50, Clément OUDOT wrote:
Hi,

Indeed, if the password is refused by AD, this can be due to:
* insufficient privileges of the LDAP user
* insufficient strength of the password

SSP works with AD 2003, never tested with 2008.

Clément.

2010/8/4, Thomas Chemineau <[email protected]>:

On 4 August 2010 at 12:31, Cédric Lemarchand <[email protected]> wrote:

Hi,

Can your Debian server contact your AD (telnet on port 636)? By the way, you have to install the SSL extension on AD to get a valid certificate.

Thomas.
--
Thomas Chemineau

Thx for your reply Thomas. Yes, the LDAPS port is reachable on both servers:

lenny:/usr/share/self-service-password# nmap -p 636 192.168.220.32
Starting Nmap 4.62 ( http://nmap.org ) at 2010-08-04 12:21 CEST
Interesting ports on 192.168.220.32:
PORT STATE SERVICE
636/tcp open ldapssl
MAC Address: 52:54:00:25:A0:DA (QEMU Virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.169 seconds

lenny:/usr/share/self-service-password# nmap -p 636 192.168.220.30
Starting Nmap 4.62 ( http://nmap.org ) at 2010-08-04 12:21 CEST
Interesting ports on 192.168.220.30:
PORT STATE SERVICE
636/tcp open ldapssl
MAC Address: 54:52:00:A1:A5:25 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.098 seconds

For information, they are 2 Active Directory 2008 Domain Controllers (only used for lab tests): the .30 has the master FSMO roles, .32 is a second Domain Controller for the same domain; both run Windows 2008 R2, on the same network segment. We have tried on the .30, with the same results, but normally each domain controller can modify objects in the LDAP tree. Do you know if the soft has already been tested on a Windows Active Directory domain controller?

Hum, by reading the error, it seems that your AD returns a referer. Are you sure SSP binds on the good AD?

What do you mean by 'the good AD'?

Thomas.

My apologies, I did not read the log carefully (there is no referer returned by your AD). In fact, the LDAP operation SSP wants to apply is not accepted by AD (return code 53).
There are many reasons for that. Concerning permissions, I read that the account used by SSP should have reset permission:

"The permissions you need depend on the type of password mod you do. Replace LDAP operation is equiv to an admin reset, so you must have admin reset permissions to do that. Delete and Add operation with delete containing previous password is the equiv of password change. Typically all users have that unless they've been denied change pwd via ACL as above."
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.adsi.general&tid=812fc4a8-4f7a-49bf-8b37-59368e67cc1a&cat=&lang=&cr=&sloc=&p=1

Finally, I'm not sure SSP has been tested on AD 2008 before. Did you try to use SSP on a 2003 server?

Thomas.
--
Thomas Chemineau

_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
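As an added illustration of the two password-modify shapes Thomas's quote describes (admin reset via REPLACE for the "manager" mode, DELETE old + ADD new for the "user" mode) and of the quoting and UTF-16LE encoding AD requires for unicodePwd; this is example code, not SSP's own, and the modify-operation constants follow python-ldap's values as an assumption so it runs without an LDAP library:

```python
from typing import List, Optional, Tuple

# Modify-operation codes as used in python-ldap modlists (assumption:
# MOD_ADD=0, MOD_DELETE=1, MOD_REPLACE=2); defined locally so no LDAP
# library is needed to run this.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

Modlist = List[Tuple[int, str, List[bytes]]]


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects unicodePwd values as the clear-text password wrapped in
    double quotes and encoded as UTF-16LE (no BOM); a value in any other
    form is rejected with result 53 (unwilling to perform)."""
    return '"{}"'.format(password).encode("utf-16-le")


def build_password_modlist(who_change_password: str, new_password: str,
                           old_password: Optional[str] = None) -> Modlist:
    """Return the modify operations for a unicodePwd change.

    manager: an admin reset -> one REPLACE; the bind DN needs the
             "Reset Password" right on the target user.
    user:    a self-service change -> DELETE old value + ADD new value in one
             modify request; the connection must be bound as that user, who
             needs "Change Password" on itself. Result 50 (insufficient
             access) here means that right is missing or the old value is wrong.
    """
    if who_change_password == "manager":
        return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]
    if who_change_password == "user":
        if old_password is None:
            raise ValueError("user mode needs the old password for the DELETE step")
        return [
            (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
            (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
        ]
    raise ValueError("unknown who_change_password value: %r" % who_change_password)


def uses_ldaps(ldap_url: str) -> bool:
    """AD only accepts unicodePwd writes over an encrypted connection, another
    cause of result 53; check that the configured $ldap_url is ldaps://."""
    return ldap_url.strip().lower().startswith("ldaps://")
```

Result 53 can also be the domain password policy refusing the new value, so a correct modlist over ldaps:// still needs a password that satisfies the GPO constraints discussed above.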
