Clement - I sincerely appreciate your help on this! Unfortunately, if SSP gives a generic "Password was refused by the LDAP directory" when any of the LDAP restrictions are triggered, I'm not going to be able to use LDAP password restrictions. My end users absolutely need specific error messages, or they get REALLY ornery :D I'm guessing that LDAP doesn't provide SSP with any more information other than "REFUSED!".
What I'm going to do is set up a GPO to prevent users from changing their passwords through Windows. Then I'm going to turn off the LDAP password restrictions entirely. Then I'm going to add a bit into the SSP code that will track how frequently each user has changed their password and throw an error if they have changed their password within the last X days. This way the end user knows exactly why their password change failed, and I could even provide them with the date they can change their password again in the error message.

Taylor

On Thu, Aug 31, 2017 at 3:21 AM, Clément OUDOT <clement.ou...@savoirfairelinux.com> wrote:

> On 30/08/2017 at 19:55, Taylor Hammerling wrote:
> > Thanks for the reply!
> > I do have SSP set up in AD mode.
> > When I try to set the $who_change_password to "user" no one can change their password. SSP just fires back "Password was refused by the LDAP directory"
> > If I set the $who_change_password to manager, and the ldap_binddn is set to a service account user "ssp" who is delegated the following Active Directory rights (on Descendant User Objects) on the OU that houses all our users:
> > Read pwdLastSet
> > Write pwdLastSet
> > Read lockoutTime
> > Write lockoutTime
> > Change Password
> > Reset Password
> > Then passwords can be changed, but it ignores the minimum password age I set in Samba4. I tried removing the "Reset Password" delegation (because that's just like what an administrator would do, and I thought it might be bypassing the password policies); however, when I did that I received the same "Password was refused by the LDAP directory" as when setting the who change password variable to "user".
>
> Well, if the password is refused by the LDAP directory, it is maybe because the directory password policy works. Did you check that a user can change its own password? If yes, are you able to do it outside SSP?
>
> --
> Clément OUDOT
> Open-source software consultant, infrastructure and security expert
> Savoir-faire Linux
> 137 boulevard de Magenta - 75010 PARIS
> Blog: http://sflx.ca/coudot
>
> _______________________________________________
> ltb-users mailing list
> ltb-users@lists.ltb-project.org
> https://lists.ltb-project.org/cgi-bin/mailman/listinfo/ltb-users

--
Taylor Hammerling | IT Manager
2800 Laura Lane | Middleton, WI 53562
O (608) 669-9070 | C (608) 512-7849
tcsbasys.com | ubiquistat.com
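The application-side minimum-age check Taylor describes, as an added example that is not SSP's code and not from anyone in the thread. Rather than keeping a separate log of change dates, it uses the user's AD pwdLastSet value (an attribute the thread's service account is already delegated to read), converts it from Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), and builds the specific error text with the next allowed date. It is written in Python so it runs stand-alone; SSP itself is PHP, so the same arithmetic would be ported there. The minimum age in days, all function names and the sample timestamps are constructed assumptions. Note that such a check only covers changes made through the application, which is why a GPO blocking other change paths is part of the plan; the pwdLastSet value 0 (AD's "must change password at next logon" marker) is handled as an edge case by allowing the change.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: AD stores pwdLastSet as 100-ns ticks since this instant.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD pwdLastSet value (100-ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return FILETIME_EPOCH + timedelta(seconds=ticks // TICKS_PER_SECOND,
                                      microseconds=(ticks % TICKS_PER_SECOND) // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse conversion, in integer arithmetic to avoid float rounding at ~1e17 ticks."""
    delta = when - FILETIME_EPOCH
    whole_seconds = delta.days * 86_400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def check_min_password_age(pwd_last_set: int, min_age_days: int, now: datetime):
    """Return (allowed, next_allowed_datetime) for a change requested at `now`.

    pwd_last_set == 0 is AD's "user must change password at next logon" marker;
    a required change is not blocked by the minimum age, so it is allowed now.
    """
    if pwd_last_set == 0:
        return True, now
    last_changed = filetime_to_datetime(pwd_last_set)
    next_allowed = last_changed + timedelta(days=min_age_days)
    return now >= next_allowed, next_allowed


def password_change_error(pwd_last_set: int, min_age_days: int, now=None):
    """Return None if the change may proceed, otherwise the user-facing message."""
    now = now or datetime.now(timezone.utc)
    allowed, next_allowed = check_min_password_age(pwd_last_set, min_age_days, now)
    if allowed:
        return None
    return (f"Your password was changed less than {min_age_days} day(s) ago. "
            f"You can change it again on {next_allowed:%Y-%m-%d at %H:%M UTC}.")


if __name__ == "__main__":
    # Constructed sample: password last set 2017-08-30 12:00 UTC, policy minimum age
    # 7 days (assumed value), change request arriving 2017-08-31 12:00 UTC.
    sample_last_set = datetime_to_filetime(datetime(2017, 8, 30, 12, 0, tzinfo=timezone.utc))
    request_time = datetime(2017, 8, 31, 12, 0, tzinfo=timezone.utc)
    print(password_change_error(sample_last_set, 7, request_time))
    print(password_change_error(sample_last_set, 1, request_time))
```

In a real deployment the pwdLastSet integer would come from the LDAP search the service account already performs, and the message string would replace the generic "refused by the LDAP directory" text before the modify request is ever sent.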