Hi, this is strange because there is no real change between 0.3 and 0.4 for the password change. Do you have some logs on the AD side?
2010/8/4, Paul Cherbonneau <[email protected]>:
> Hi there,
>
> Thank you for your answers,
> we had previous problems with the AD 2008 Standard password policy and
> constraints.
>
> Now, we have corrected some AD Group Policy Objects from the AD account
> strategy (i.e. minimum lifetime for a password, password complexity
> constraints, password length...).
>
> We tried the parameters below and with your 0.3 version, it seems to
> work correctly with any user/admin account of the AD 2008 server.
>
> /usr/share/self-service-password-0-3/config.inc.php
>
> # 0.3 Configuration
>
> # LDAP
> $ldap_url = "ldaps://192.168.220.30:636";
> $ldap_binddn = "cn=Administrateur,cn=Users,dc=ixdark-alpha,dc=corp";
> $ldap_bindpw = "xxx";
> $ldap_base = "DC=ixdark-alpha,DC=corp";
>
> $ldap_filter = "(&(objectClass=user)(sAMAccountName={login}))";
>
> # Active Directory mode
> # true: use unicodePwd as password field
> # false: LDAPv3 standard behavior
> $ad_mode = true;
>
> # Who changes the password?
> # user: the user itself
> # manager: the above binddn
> $who_change_password = "manager";
>
> # Language
> $lang ="fr";
>
> # Debug mode
> $debug = true;
>
> The main problem we have with 0.3 is that we cannot turn the
> "who_change_password" switch to "user": the following error code 50
> appears in the /var/log/apache2/ssp_error.log file:
>
> LDAP - Modify password error 50 (Insufficient access), referer:
> http://192.168.220.176/2/
>
> -----
>
> On the 0.4 version side, we keep getting the same error messages:
>
> /usr/share/self-service-password-0-4/config.inc.php
>
> # 0.4 Configuration
>
> # LDAP
> $ldap_url = "ldaps://192.168.220.30:636";
> $ldap_binddn = "cn=Administrateur,cn=Users,dc=ixdark-alpha,dc=corp";
> $ldap_bindpw = "xxx";
> $ldap_base = "DC=ixdark-alpha,DC=corp";
>
> $ldap_filter = "(&(objectClass=user)(sAMAccountName={login}))";
>
> # Active Directory mode
> # true: use unicodePwd as password field
> # false: LDAPv3 standard behavior
> $ad_mode = true;
>
> # Who changes the password?
> # Also applicable for question/answer save
> # user: the user itself
> # manager: the above binddn
> $who_change_password = "manager";
>
> # Language
> $lang ="fr";
>
> # Debug mode
> $debug = true;
>
> Here are our errors (/var/log/apache2/ssp_error.log) depending on the
> who_change_password switch we choose:
>
> $who_change_password = "user";
>
> LDAP - Modify password error 50 (Insufficient access), referer:
> http://192.168.220.176/
>
> $who_change_password = "manager";
>
> LDAP - Modify password error 53 (Server is unwilling to perform),
> referer: http://192.168.220.176/
>
> # The content of the file /etc/ldap/ldap.conf:
>
> BASE dc=ixdark-alpha,dc=corp
> URI ldaps://192.168.220.30
>
> TLS_REQCERT never
>
> To summarize, we have:
>
> SSP 0.3:
>
> $who_change_password = "user"; = Not working (error code 50)
> $who_change_password = "manager"; = Working!!
>
> SSP 0.4:
>
> $who_change_password = "user"; = Not working (error code 50)
> $who_change_password = "manager"; = Not working (error code 53)
>
> Do you have any ideas about how to get rid of these errors?
>
> We hope that our problems can help you to improve your software.
>
> Best regards
>
> Paul Cherbonneau
>
> On 4 Aug 2010 at 17:50, Clément OUDOT wrote:
>
>> Hi,
>>
>> indeed, if the password is refused by AD, this can be due to:
>> * insufficient privileges of the LDAP user
>> * insufficient strength of the password
>>
>> SSP works with AD 2003, never tested with 2008.
>>
>> Clément.
>>
>> 2010/8/4, Thomas Chemineau <[email protected]>:
>>> On 4 Aug 2010 12:31, Cédric Lemarchand <[email protected]> wrote:
>>>>
>>>>>> Hi,
>>>>>>
>>>>>> Can your Debian server contact your AD (telnet on port 636)?
>>>>>> By the way, you have to install the SSL extension on AD to get a valid
>>>>>> certificate.
>>>>>>
>>>>>> Thomas.
>>>>>>
>>>>>> --
>>>>>> Thomas Chemineau
>>>>>>
>>>> Thx for your reply Thomas.
>>>> Yes, the LDAPS port is reachable on both servers:
>>>>
>>>> lenny:/usr/share/self-service-password# nmap -p 636 192.168.220.32
>>>>
>>>> Starting Nmap 4.62 ( http://nmap.org ) at 2010-08-04 12:21 CEST
>>>> Interesting ports on 192.168.220.32:
>>>> PORT    STATE SERVICE
>>>> 636/tcp open  ldapssl
>>>> MAC Address: 52:54:00:25:A0:DA (QEMU Virtual NIC)
>>>>
>>>> Nmap done: 1 IP address (1 host up) scanned in 0.169 seconds
>>>> lenny:/usr/share/self-service-password# nmap -p 636 192.168.220.30
>>>>
>>>> Starting Nmap 4.62 ( http://nmap.org ) at 2010-08-04 12:21 CEST
>>>> Interesting ports on 192.168.220.30:
>>>> PORT    STATE SERVICE
>>>> 636/tcp open  ldapssl
>>>> MAC Address: 54:52:00:A1:A5:25 (Unknown)
>>>>
>>>> Nmap done: 1 IP address (1 host up) scanned in 0.098 seconds
>>>>
>>>> For information, they are 2 Active Directory 2008 Domain Controllers
>>>> (only used for lab tests); the .30 has the master FSMO roles, .32 is a
>>>> second Domain Controller for the same domain, both run Windows 2008 R2,
>>>> on the same network segment.
>>>>
>>>> We have tried on the .30, with the same results, but normally each
>>>> domain controller can modify objects in the LDAP tree.
>>>>
>>>> Do you know if the soft has already been tested on a Windows Active
>>>> Directory domain controller?
>>>>
>>>>> Hum, by reading the error, it seems that your AD returns a referer.
>>>>> Are you sure SSP binds on the good AD?
>>>> What do you mean by 'the good AD'?
>>>>
>>>>> Thomas.
>>>>>
>>>>
>>>
>>> My apologies, I did not read the log carefully (there is no referer
>>> returned by your AD).
>>>
>>> In fact, the LDAP operation SSP wants to apply is not accepted by AD
>>> (return code 53). There are many reasons for that.
>>>
>>> Concerning permissions, I read that the account used by SSP should
>>> have reset permission:
>>>
>>> "The permissions you need depend on the type of password mod you do.
>>> Replace LDAP operation is equiv to an admin reset, so you must have admin
>>> reset permissions to do that. Delete and Add operation with delete
>>> containing previous password is the equiv of password change. Typically
>>> all users have that unless they've been denied change pwd via ACL as
>>> above."
>>>
>>> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.adsi.general&tid=812fc4a8-4f7a-49bf-8b37-59368e67cc1a&cat=&lang=&cr=&sloc=&p=1
>>>
>>> Finally, I'm not sure SSP has been tested on AD 2008 before.
>>>
>>> Did you try to use SSP on a 2003 server?
>>>
>>> Thomas.
>>>
>>> --
>>> Thomas Chemineau
>>> _______________________________________________
>>> ltb-users mailing list
>>> [email protected]
>>> http://lists.ltb-project.org/listinfo/ltb-users
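The thread turns on two facts: AD's unicodePwd attribute only accepts a quoted, UTF-16-LE encoded value sent over an encrypted connection, and a Replace on it is an administrative reset (needs the "Reset Password" right on the target) while a Delete of the old value plus an Add of the new one is a self-service change (needs "Change Password", which users normally hold). The following is an added example, not code from the self-service-password project and written in Python rather than the project's PHP; it builds the modification list each `who_change_password` mode would send and reports the config checks and result-code meanings the thread discusses. It assumes, as SSP's comment says, that "user" mode binds as the user with the current password; no LDAP connection is opened and all inputs are constructed.

```python
# Added example (not part of the self-service-password project): builds the
# LDAP modify operations behind an AD password operation and sanity-checks the
# configuration values shown in the thread. Runs offline; no LDAP connection.

# LDAP modify operation codes (RFC 4511, section 4.6)
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd attribute takes the password wrapped in double quotes
    and encoded as UTF-16-LE; a plain UTF-8 value is refused."""
    return f'"{password}"'.encode("utf-16-le")


def build_password_mods(new_password, old_password=None, ad_mode=True,
                        who_change_password="manager"):
    """Return the modification list for one password operation.

    manager mode -> a single Replace on the password attribute. On AD this is
      an administrative reset, so the bind DN needs the "Reset Password" right.
    user mode    -> Delete(old value) + Add(new value) in one modify request,
      which AD treats as a self-service change. Assumption: the connection was
      bound as the user, as SSP's "user: the user itself" comment describes.
    """
    attr = "unicodePwd" if ad_mode else "userPassword"
    enc = encode_unicode_pwd if ad_mode else (lambda p: p.encode("utf-8"))
    if who_change_password == "manager":
        return [(MOD_REPLACE, attr, [enc(new_password)])]
    if who_change_password == "user":
        if old_password is None:
            raise ValueError("user mode needs the current password for the Delete step")
        return [(MOD_DELETE, attr, [enc(old_password)]),
                (MOD_ADD, attr, [enc(new_password)])]
    raise ValueError(f"unknown who_change_password value: {who_change_password!r}")


def check_config(ldap_url, ad_mode, who_change_password):
    """Return findings for the three config values that matter on AD."""
    findings = []
    if ad_mode and not ldap_url.lower().startswith("ldaps://"):
        findings.append("unicodePwd can only be set over an encrypted connection; "
                        "a plain ldap:// URL is refused with result 53")
    if who_change_password == "manager":
        findings.append("manager mode issues a Replace: grant the bind DN the "
                        "'Reset Password' right on the user objects")
    elif who_change_password == "user":
        findings.append("user mode issues Delete+Add: the user binds with the "
                        "current password and needs the 'Change Password' right")
    return findings


def explain_result(code):
    """Map the two result codes seen in the thread to what each points at."""
    return {
        50: "insufficientAccessRights: the bound identity lacks the right for "
            "this operation (Reset Password for Replace, Change Password for "
            "Delete+Add)",
        53: "unwillingToPerform: the DC refused the request itself, e.g. the "
            "connection is not encrypted or the new value violates the domain "
            "password policy",
    }.get(code, f"LDAP result {code}: not covered here")


if __name__ == "__main__":
    # Constructed values mirroring the thread's config (not real credentials).
    for finding in check_config("ldaps://192.168.220.30:636", True, "manager"):
        print("check:", finding)
    for op, attr, values in build_password_mods("NewP@ss1", old_password="OldP@ss0",
                                                who_change_password="user"):
        print(op, attr, values[0])
    print(explain_result(50))
    print(explain_result(53))
```

The Delete+Add pair must travel in a single modify request: sent as two separate requests, the Delete alone would leave the account without a password and AD would reject the sequence.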
