Author Topic: LDAP "Domain Administrators" cannot modify any data

namodev

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
LDAP "Domain Administrators" cannot modify any data
« on: September 23, 2017, 03:06:27 pm »
So I've set up a new installation of the Zentyal 5 (5.0.9) directory server, and everything has been working fine so far.

Now, I want to build a simple PHP webpage that will allow the user to change their own password. I snagged my old code (which worked fine with OpenLDAP), put in the administrator credentials for binding (created a new user and assigned the built-in groups "Domain Admins" and "Schema Admins" to that user), and tested it out.

Turns out the password update part of the code (ldapmodify) cannot really modify anything, with it throwing out the error "50 - Insufficient access". Now I'm really confused on what to try next, because the account used should be an admin account with permission to change just about anything already.

Any ideas? Thanks!

BerT666

  • Zen Warrior
  • ***
  • Posts: 228
  • Karma: +17/-0
Re: LDAP "Domain Administrators" cannot modify any data
« Reply #1 on: September 24, 2017, 01:21:50 am »
Hi,

do you get any hint in the syslog / samba logs?

BTW: 5.0.9 seems to have some problems (see https://forum.zentyal.org/index.php/topic,31628.msg107317.html#msg107317)

Regards

Thomas

namodev

  • Zen Apprentice
  • *
  • Posts: 2
  • Karma: +0/-0
Re: LDAP "Domain Administrators" cannot modify any data
« Reply #2 on: September 24, 2017, 04:13:50 pm »
This is what I'm getting in the Samba log (with log level set to 10 in smb.conf). It appears that the user is successfully matched and authenticated, but I can't seem to get the "permissions" logged:

Code:
[2017/09/24 10:09:59.888122,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [MYDOMAIN]\[ldap_admin_binder_01]@[(null)]
  auth_check_password_send: mapped user is: [MYDOMAIN]\[ldap_admin_binder_01]@[(null)]
 
[2017/09/24 10:09:59.927131,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [MYDOMAIN]\[testuser]@[(null)]
  auth_check_password_send: mapped user is: [MYDOMAIN]\[testuser]@[(null)]

[2017/09/24 10:09:59.939212,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

[2017/09/24 10:09:59.939263,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]


lalpi

  • Zen Apprentice
  • *
  • Posts: 7
  • Karma: +0/-0
Re: LDAP "Domain Administrators" cannot modify any data
« Reply #3 on: September 27, 2017, 02:18:52 am »
AFAIK, the unicodePwd attribute can only be set (to change a user password in Active Directory) via operations performed over LDAPS (port 636); it doesn't work over LDAP (port 389).

https://msdn.microsoft.com/en-us/library/aa746487(v=vs.85).aspx
http://ldapwiki.com/wiki/Set%20Active%20Directory%20Password%20From%20Java
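To make the point in the reply above concrete: an Active Directory style password change (which is what a Samba AD DC behind Zentyal serves) has two requirements that plain OpenLDAP code does not meet. The connection must be encrypted (ldaps:// on 636, or StartTLS), and the unicodePwd value must be the new password wrapped in double quotes and encoded as UTF-16LE, not a plain string. The following is an added example, not code from the thread or from Zentyal/Samba: it builds the base64 LDIF change records that `ldapmodify` consumes, for both an administrative reset (a single `replace`) and a user changing their own password (a `delete` of the old value followed by an `add` of the new one in the same modify). The DN, host and passwords are constructed sample values.

```python
"""Build unicodePwd LDIF change records for an AD / Samba AD DC password change.

Added example (not from the forum thread). Everything here is offline:
it only produces the LDIF text and the ldapmodify command line that would
be run against the DC over LDAPS.
"""
import base64
import sys


def encode_unicode_pwd(password: str) -> bytes:
    # AD requires the new password in double quotes, encoded UTF-16LE.
    # Sending the plain UTF-8 string (what OpenLDAP code does) is rejected.
    return f'"{password}"'.encode("utf-16-le")


def ldif_value(password: str) -> str:
    # LDIF uses "attr:: <base64>" for binary values such as unicodePwd.
    return base64.b64encode(encode_unicode_pwd(password)).decode("ascii")


def ldif_admin_reset(user_dn: str, new_password: str) -> str:
    # Administrative reset: one 'replace'. Needs the Reset Password right on
    # the target object and bypasses password history / minimum age checks.
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {ldif_value(new_password)}",
        "-",
        "",
    ])


def ldif_self_service_change(user_dn: str, old_password: str, new_password: str) -> str:
    # Self-service change: the user binds as themselves and proves knowledge
    # of the old password by deleting it and adding the new one in a single
    # modify operation. Password policy is enforced on this path.
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {ldif_value(old_password)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {ldif_value(new_password)}",
        "-",
        "",
    ])


def ldapmodify_command(dc_host: str, bind_dn: str, ldif_path: str) -> list:
    # ldaps:// is the important part: a unicodePwd modify over ldap://:389
    # is refused by the DC no matter which groups the bind account is in.
    return ["ldapmodify", "-H", f"ldaps://{dc_host}", "-D", bind_dn, "-W", "-f", ldif_path]


if __name__ == "__main__":
    # Constructed sample values; substitute your own DN, host and passwords.
    user_dn = "CN=testuser,CN=Users,DC=mydomain,DC=lan"
    print(ldif_self_service_change(user_dn, "OldPa55word!", "NewPa55word!"))
    print(" ".join(ldapmodify_command("dc.mydomain.lan", user_dn, "change.ldif")), file=sys.stderr)
```

For the self-service page in the original post, the web application should bind with the user's own credentials and send the delete/add pair; binding as a domain admin is only needed for the `replace` (reset) form. In both cases the client must validate the DC's TLS certificate, otherwise the old and new passwords are exposed to whoever can interpose on the connection.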