2011/9/28 Sumit Khanna <[email protected]>:
> Hey there,
>
> I'm currently trying to use the ltb password self service with an
> Active Directory domain. I have LDAPs working on AD and it can connect
> using my manager user, but the managed user doesn't have permissions
> to change a user's passwords.
>
> I have a services OU and within it I made an account called sys_pss. I
> then right clicked on the People OU > delegate control. I selected my
> sys_pss user and added "Reset user password and force password change
> at next logon" and "Read all user information."
>
> However when I attempt to change the password, I keep getting
> "Password was refused by the LDAP directory" and the following in the
> logs:
>
> [Wed Sep 28 15:44:36 2011] [error] [client 192.168.99.34] LDAP - Modify password error 50 (Insufficient access), referer: https://secure.exmaple.com
>
> I know it's using the manager user because if I put an incorrect
> password in the config php file, I get "Bind error 49."
>
> I have $ad_mode set to true and $who_change_password = "manager";
>
> If I type in the wrong password for the old password, I do get an
> invalid password, so I know it's binding and authenticating correctly
> as the user. What permissions do I need to give to sys_pss in AD so it
> can modify users' passwords?

Hi,

I am not an Active Directory expert. All I can say is that a password change will work with an account with domain administration rights. Of course this may be a little wide...

Let us know if you find the minimal rights for SSP to work with AD.

Clément.
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
