Re: [SOGo] end user passwd change in /SOGo

2017-02-01 Thread Alexandre Zuotoski Neto
Hello everyone! 

It would be great if the option to change the password could work with
Microsoft Active Directory. I tried all the tips that were suggested in the
last few mails, but none worked; I always end up with "Forbidden" and a
popup saying "Unhandled error response". 

I guess that it is not possible to write to Microsoft AD, except
using some kind of paid protocol. I'm just wondering here, of course.  

Note that I am running SOGo under Ubuntu 14.04 LTS, which connects
to Microsoft AD to authenticate. The authentication works perfectly, but
the password change doesn't. 

Cheers,

---

ALEX ZUOTOSKI
Information Technology
Phones: +5541-3641-4250 / Ext. 229
E-mails: a...@csmcalderaria.com.br / t...@csmcalderaria.com.br 

http://www.csmcalderaria.com.br

On 2017-01-31 18:30, Christoph Kreutzer wrote:

> Hi Ralf, hi MJ, 
> 
> Thanks for the answers up to now! 
> 
> According to the docs [1] there is the following option for LDAP user 
> sources: 
> 
> bindAsCurrentUser 
> 
> If set to YES, SOGo will always keep binding to the LDAP server using the DN 
> of the currently authenticated user. If _bindFields_ is set, _bindDN_ and 
> _bindPassword_ will still be required to find the proper DN of the user. 
> 
> In this case the user should be able to change its own password via SOGo. 
> For this to work, you either need bindFields set (for looking up the user's 
> DN) or IDFieldName (the attribute which builds the user's DN (like 
> IDFieldName=, baseDN). 
> 
> MJ, I don't know if that works in combination with SAML - since SOGo 
> shouldn't know the users password, it probably binds using the given bindDN, 
> which then would need the rights to change other users passwords. 
> 
> Ralf, I'm not sure what you're looking for. If you need a frontend for 
> password self service, I would either go with the SOGo functionality built 
> in, or with the already named LAM. In my use case I have an existing user 
> management via a Zend Framework application, which allows that similarly to 
> LAM (we use an admin user to set userPassword, setting a custom built 
> crypt-hash using SHA512 with a nice number of rounds - should work with most 
> Linux distros [2]). 
> If you're asking regarding OpenLDAP ACLs to allow a user to change its own 
> password, you would find that here: [3] 
> I don't really know much about the SOGo features itself, since I'm using SAML 
> auth. 
> 
> Regards, 
> Christoph 
> 
> [1] 
> https://sogo.nu/files/docs/SOGoInstallationGuide.html#_authentication_using_ldap
>  
> [2] https://en.m.wikipedia.org/wiki/Crypt_(C)#Support_in_operating_systems 
> [3] http://www.openldap.org/lists/openldap-software/200212/msg00518.html
> 
> On 31.01.2017 at 14:52, lists (li...@merit.unu.edu) wrote:
> 
> Hi
> 
> we are looking for a password change mechanism for openldap. Can you please 
> share your knowledge re. this? In active directory, end users are allowed to 
> change their own passwords by default. This does require that the connection 
> is made over ldapS.
> 
> There is a tool called ldap-account-manager (lam) that we used in the past. 
> It included an end-user password change portal.
> (https://www.ldap-account-manager.org/)
> 
> We are also currently testing RedHat's keycloak (SAML/oauth Idp) that 
> will prompt users to change their ldap passwords as well, if they have 
> expired.
> (http://www.keycloak.org/)
> 
> And you're right: Perhaps better to take this offlist if you have more 
> questions. (and yes, I also realise that your question was actually aimed at 
> Christoph)
> 
> Best regards to all,
> MJ
> -- 
> users@sogo.nu
> https://inverse.ca/sogo/lists

-- 
users@sogo.nu
https://inverse.ca/sogo/lists 


Re: [SOGo] end user passwd change in /SOGo

2017-02-01 Thread mj



On 01/31/2017 09:30 PM, Christoph Kreutzer 
(kreutzer.christ...@gmail.com) wrote:


> MJ, I don't know if that works in combination with SAML - since SOGo
> shouldn't know the users password, it probably binds using the given
> bindDN, which then would need the rights to change other users passwords.


In our (keycloak) case, keycloak is able to change it for the user, so 
we will disable the functionality in SOGo.


MJ
--
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] end user passwd change in /SOGo

2017-01-31 Thread Christoph Kreutzer
Hi Ralf, hi MJ,

Thanks for the answers up to now!

According to the docs [1] there is the following option for LDAP user sources:

bindAsCurrentUser
If set to YES, SOGo will always keep binding to the LDAP server using the DN of 
the currently authenticated user. If bindFields is set, bindDN and bindPassword 
will still be required to find the proper DN of the user.

In this case the user should be able to change its own password via SOGo.
For this to work, you either need bindFields set (for looking up the user's DN) 
or IDFieldName (the attribute which builds the user's DN (like 
IDFieldName=, baseDN).

MJ, I don't know if that works in combination with SAML - since SOGo shouldn't 
know the users password, it probably binds using the given bindDN, which then 
would need the rights to change other users passwords.

Ralf, I'm not sure what you're looking for. If you need a frontend for password 
self service, I would either go with the SOGo functionality built in, or with 
the already named LAM. In my use case I have an existing user management via a 
Zend Framework application, which allows that similarly to LAM (we use an admin 
user to set userPassword, setting a custom built crypt-hash using SHA512 with a 
nice number of rounds - should work with most Linux distros [2]).
If you're asking regarding OpenLDAP ACLs to allow a user to change its own 
password, you would find that here: [3]
I don't really know much about the SOGo features itself, since I'm using SAML 
auth.

Regards,
Christoph

[1] 
https://sogo.nu/files/docs/SOGoInstallationGuide.html#_authentication_using_ldap
[2] https://en.m.wikipedia.org/wiki/Crypt_(C)#Support_in_operating_systems
[3] http://www.openldap.org/lists/openldap-software/200212/msg00518.html

> On 31.01.2017 at 14:52, lists (li...@merit.unu.edu) wrote:
> 
> Hi
> 
>> we are looking for a password change mechanism for openldap. Can you
>> please share your knowledge re. this?
> In active directory, end users are allowed to change their own passwords by 
> default. This does require that the connection is made over ldapS.
> 
> There is a tool called ldap-account-manager (lam) that we used in the past. 
> It included an end-user password change portal.
> (https://www.ldap-account-manager.org/)
> 
> We are also currently testing RedHat's keycloak (SAML/oauth Idp) that 
> will prompt users to change their ldap passwords as well, if they have 
> expired.
> (http://www.keycloak.org/)
> 
> And you're right: Perhaps better to take this offlist if you have more 
> questions. (and yes, I also realise that your question was actually aimed at 
> Christoph)
> 
> Best regards to all,
> MJ
> -- 
> users@sogo.nu
> https://inverse.ca/sogo/lists
-- 
users@sogo.nu
https://inverse.ca/sogo/lists
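As an added example (not from Christoph's mail or the SOGo project), a sogo.conf LDAP user source assembled from the options quoted above, covering both the bindAsCurrentUser setup and his earlier remark that OpenLDAP can grant a user rights on just the userPassword attribute; the hostname, base DN and service-account DN are assumed placeholders. With bindAsCurrentUser = YES the password modification is sent under the logged-in user's own DN, so the bindDN account only needs read access to look up DNs and the directory's ACL decides whether self-service is allowed.

```plist
{
  /* sogo.conf fragment; values marked "assumed" are placeholders. */
  SOGoUserSources = (
    {
      type = ldap;
      id = directory;
      displayName = "Directory";
      /* assumed hostname; use ldaps:// so the new password never travels in clear */
      hostname = "ldaps://ldap.example.com:636";
      baseDN = "ou=people,dc=example,dc=com";                 /* assumed */

      /* Service account used only to search for the user's DN. It does
         NOT need write access to userPassword and should not have it. */
      bindDN = "cn=sogo,ou=services,dc=example,dc=com";       /* assumed */
      bindPassword = "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD";

      /* Attributes matched against the login name to locate the DN. */
      bindFields = (uid, mail);

      /* After login, keep binding with the DN of the authenticated user;
         the password change is then done as that user, not as bindDN. */
      bindAsCurrentUser = YES;

      IDFieldName = uid;
      UIDFieldName = uid;
      CNFieldName = cn;
      canAuthenticate = YES;
      isAddressBook = YES;
    }
  );

  /* Directory side (OpenLDAP slapd.conf / olcAccess), matching the
     "only the userPassword attribute" idea from the thread:
       access to attrs=userPassword
              by self write
              by anonymous auth
              by * none
     Without such a rule the write under the user's DN is refused and
     SOGo reports the change as forbidden. */
}
```

If the change is still refused, the directory's own log (slapd or the AD security log) shows which DN attempted the modify and why it was denied, which tells you whether SOGo really rebound as the user or fell back to bindDN.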

RE: [SOGo] end user passwd change in /SOGo

2017-01-31 Thread Roland Wolters
Hi,

> > we are looking for a password change mechanism for openldap. Can you
> > please share your knowledge re. this?
> In active directory, end users are allowed to change their own passwords 
> by default. This does require that the connection is made over ldapS.
> 
another tool worth a look is FreeIPA: https://www.freeipa.org
However, it is focused on user management, and thus does not allow arbitrary 
LDAP schemas but requires certain user parameters.

Cheers,

Roland

-- 
users@sogo.nu
https://inverse.ca/sogo/lists

Re: [SOGo] end user passwd change in /SOGo

2017-01-31 Thread lists

Hi


we are looking for a password change mechanism for openldap. Can you
please share your knowledge re. this?
In active directory, end users are allowed to change their own passwords 
by default. This does require that the connection is made over ldapS.


There is a tool called ldap-account-manager (lam) that we used in the 
past. It included an end-user password change portal.

(https://www.ldap-account-manager.org/)

We are also currently testing RedHat's keycloak (SAML/oauth Idp) 
that will prompt users to change their ldap passwords as well, if they 
have expired.

(http://www.keycloak.org/)

And you're right: Perhaps better to take this offlist if you have more 
questions. (and yes, I also realise that your question was actually 
aimed at Christoph)


Best regards to all,
MJ
--
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] end user passwd change in /SOGo

2017-01-31 Thread Ralf Cirksena
Hi Christoph,

On Mon, Jan 30, 2017 at 03:51:27PM +0100 you wrote:

> haven't checked that, but when not using User binding but giving a bind dn, 
> probably the bind User is used for this action. Probably you can check that 
> in the AD logs.
> Also, you can probably give the user only the right to modify the 
> userPassword attribute - at least in openldap that's possible.

we are looking for a password change mechanism for openldap. Can you
please share your knowledge re. this?

It's not strictly related to SOGo. Therefore you may reply by personal
email.

Thank you.


Regards
-- 
R. Cirksena 
-- 
users@sogo.nu
https://inverse.ca/sogo/lists


Re: [SOGo] end user passwd change in /SOGo

2017-01-30 Thread Christoph Kreutzer
Hi MJ,

haven't checked that, but when not using User binding but giving a bind dn, 
probably the bind User is used for this action. Probably you can check that in 
the AD logs.
Also, you can probably give the user only the right to modify the userPassword 
attribute - at least in openldap that's possible.

Regards,
Christoph

> On 30.01.2017 at 13:27, lists (li...@merit.unu.edu) wrote:
> 
> Hi,
> 
> To support end-user password change using /SOGo, is it required that the 
> bindDN from sogo.conf has admin permissions in active directory?
> 
> Or are the changes done under the credentials of the currently /SOGo logged 
> on user, and without the need for admin permissions in AD?
> 
> MJ
> -- 
> users@sogo.nu
> https://inverse.ca/sogo/lists
-- 
users@sogo.nu
https://inverse.ca/sogo/lists

[SOGo] end user passwd change in /SOGo

2017-01-30 Thread lists

Hi,

To support end-user password change using /SOGo, is it required that the 
bindDN from sogo.conf has admin permissions in active directory?


Or are the changes done under the credentials of the currently /SOGo 
logged on user, and without the need for admin permissions in AD?


MJ
--
users@sogo.nu
https://inverse.ca/sogo/lists