Hi.
I tried to change:
$who_change_password = "user";
to
$who_change_password = "manager";
and now I don't get the "Password was refused by the LDAP directory" error
any more.
Seems like there are some access permissions in LDAP ... and this could
probably be the case for pwd history, too.
I'll ask on 389-ds irc/forum.
Best regards
Robert Ludvik
On 19. 09. 2014 at 13:31, Robert Ludvik wrote:
Hi.
Thanks for a quick reply and sorry for confusion about pwd history -
this is another issue.
To achieve pwd history in the Samba world, I had to set this up with
pdbedit on our PDC:
# pdbedit -P "password history" -C 5
# pdbedit -P "password history"
account policy "password history" description: Length of Password History Entries (default: 0 => off)
account policy "password history" value is: 5
And changing a password via Windows Ctrl-Alt-Del takes this into account:
http://snag.gy/GXp7I.jpg
If I enable pwd history on LDAP server and set it to 5, I can still
change password via LTB to the previous one. Like it doesn't take this
setting into account.
Our AD is actually PDC (Samba with LDAP backend).
The userPassword and sambaNTPassword attributes are changed when I change
the password (either via Windows or LTB).
Is there a way to get a more verbose error report from LDAP? ($errno = ldap_errno($ldap);)
Regards
On 19. 09. 2014 at 12:34, Clément OUDOT wrote:
2014-09-19 12:06 GMT+02:00 Robert Ludvik <robert.lud...@zd-lj.si>:
Hi.
Hi,
I use LDAP server 389-ds, version 1.2 (http://www.port389.org/)
and Samba 3.
I set up LTB and it works fine - I can change userPassword as
well as Samba password.
Our security requirements are that users should not reuse the last 5
passwords. This cannot be set up with LTB, AFAIK, but should be
set in the LDAP server.
Right, password history can be managed in LDAP server.
If I enable password syntax checking in 389-ds Admin console like
this:
http://snag.gy/aqdCn.jpg
Well, this has nothing to do with password history; what you configured
here is syntax checking.
LTB continues to report "Password was refused by the LDAP
directory" even if I enter a new password that satisfies these requirements. I
found out it reports LDAP error 19:
LDAP_CONSTRAINT_VIOLATION
(Indicates that the attribute value specified in a modify, add,
or modify DN operation violates constraints placed on the
attribute. The constraint can be one of size or content (string
only, no binary).)
As you said, the LDAP server refuses the password.
But, I can change password via Windows Ctrl-Alt-Del -> Change
password.
I think the password is changed on AD, not on 389 server.
Can someone please help me with this / point to what could be wrong?
My LTB conf settings:
http://ur1.ca/i7omf
Sounds good.
Clément.
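The thread asks how to get a more verbose error than error 19 out of the LDAP server, and later reports that binding as "manager" instead of "user" makes the refusal disappear. The following PHP script is an added example, not LTB's own code: it performs the same userPassword modification once as the user and once as the manager and prints the server's diagnostic message alongside the numeric error. The URL, DNs and passwords are placeholders.

```php
<?php
// Added example, not LTB's own code: perform the same userPassword change
// LTB does and surface the server's diagnostic text behind error 19.
// Host, DNs and passwords below are placeholders.
$ldap_url   = 'ldap://ldap.example.com';                 // placeholder
$user_dn    = 'uid=jdoe,ou=People,dc=example,dc=com';     // placeholder
$manager_dn = 'cn=Directory Manager';                     // placeholder

// $bind_dn selects who performs the change: the user himself (what
// $who_change_password = "user" does) or the manager account.
function change_password($ldap_url, $bind_dn, $bind_pw, $target_dn, $new_pw)
{
    $ldap = ldap_connect($ldap_url);
    if ($ldap === false) {
        return array(false, 'ldap_connect failed');
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!@ldap_bind($ldap, $bind_dn, $bind_pw)) {
        $msg = sprintf('bind failed: %d %s', ldap_errno($ldap), ldap_error($ldap));
        ldap_unbind($ldap);
        return array(false, $msg);
    }
    // Same modification LTB performs on a plain userPassword attribute.
    if (@ldap_mod_replace($ldap, $target_dn, array('userPassword' => $new_pw))) {
        ldap_unbind($ldap);
        return array(true, 'password changed');
    }
    // Error 19 (LDAP_CONSTRAINT_VIOLATION) alone does not say which policy
    // check failed; the server's diagnostic message usually does.
    $errno  = ldap_errno($ldap);
    $errstr = ldap_error($ldap);
    $diag   = '';
    $opt = defined('LDAP_OPT_DIAGNOSTIC_MESSAGE') ? LDAP_OPT_DIAGNOSTIC_MESSAGE : LDAP_OPT_ERROR_STRING;
    ldap_get_option($ldap, $opt, $diag);
    ldap_unbind($ldap);
    return array(false, sprintf('modify failed: %d %s (server says: %s)', $errno, $errstr, $diag));
}

// Run the same change as the user and as the manager: if only the user bind
// gets error 19, the refusal comes from a policy check the server skips for
// the manager bind, which matches the effect of switching to "manager".
$attempts = array(
    array($user_dn,    'CurrentUserPw'),   // placeholder credentials
    array($manager_dn, 'ManagerPw'),       // placeholder credentials
);
foreach ($attempts as $attempt) {
    list($dn, $pw) = $attempt;
    list($ok, $msg) = change_password($ldap_url, $dn, $pw, $user_dn, 'NewPassw0rd!');
    printf("%-40s %s\n", $dn, $msg);
}
```

Run it against a test account with a password that the 389-ds policy should reject (too short, or one of the last 5); the "server says" part is what LTB's generic message hides.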
_______________________________________________
ltb-users mailing list
ltb-users@lists.ltb-project.org
http://lists.ltb-project.org/listinfo/ltb-users