Zentyal Forum, Linux Small Business Server

Zentyal Server => Directory and Authentication => Topic started by: namodev on September 23, 2017, 03:06:27 pm

Title: LDAP "Domain Administrators" cannot modify any data
Post by: namodev on September 23, 2017, 03:06:27 pm
So I've set up a new installation of the Zentyal 5 (5.0.9) directory server, and everything has been working fine so far.

Now, I want to build a simple PHP webpage that will allow the user to change their own password. I snagged my old code (which worked fine with OpenLDAP), put in the administrator credentials for binding (created a new user and assigned the built-in groups "Domain Admins" and "Schema Admins" to that user), and tested it out.

Turns out the password update part of the code (ldapmodify) cannot really modify anything, with it throwing out the error "50 - Insufficient access". Now I'm really confused about what to try next, because the account used should be an admin account with permission to change just about anything already.

Any ideas? Thanks!
Title: Re: LDAP "Domain Administrators" cannot modify any data
Post by: BerT666 on September 24, 2017, 01:21:50 am
Hi,

do you get any hint in the syslog / samba logs?

BTW: 5.0.9 seems to have some problems (see https://forum.zentyal.org/index.php/topic,31628.msg107317.html#msg107317)

Regards

Thomas
Title: Re: LDAP "Domain Administrators" cannot modify any data
Post by: namodev on September 24, 2017, 04:13:50 pm
This is what I'm getting in the Samba log (with log level set to 10 in smb.conf). It appears that the user is successfully matched and authenticated, but I can't seem to get the "permissions" logged:

[2017/09/24 10:09:59.888122,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [MYDOMAIN]\[ldap_admin_binder_01]@[(null)]
  auth_check_password_send: mapped user is: [MYDOMAIN]\[ldap_admin_binder_01]@[(null)]
 
[2017/09/24 10:09:59.927131,  3] ../source4/auth/ntlm/auth.c:271(auth_check_password_send)
  auth_check_password_send: Checking password for unmapped user [MYDOMAIN]\[testuser]@[(null)]
  auth_check_password_send: mapped user is: [MYDOMAIN]\[testuser]@[(null)]

[2017/09/24 10:09:59.939212,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'

[2017/09/24 10:09:59.939263,  3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

Title: Re: LDAP "Domain Administrators" cannot modify any data
Post by: lalpi on September 27, 2017, 02:18:52 am
afaik the unicodePwd attribute can only be set (to change user password in Active Directory) via operations performed using LDAPS (port 636) and it doesn't work over LDAP (port 389)

https://msdn.microsoft.com/en-us/library/aa746487(v=vs.85).aspx
http://ldapwiki.com/wiki/Set%20Active%20Directory%20Password%20From%20Java
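As an added example (not from any poster in this thread), here is how the PHP password-change step looks when done the way the answer above describes: connect with an ldaps:// URI, and write unicodePwd as the new password wrapped in double quotes and encoded UTF-16LE. The host, DNs and password values are placeholders; the self-service variant at the end assumes the user binds as themselves and supplies the old password, so no admin credentials are needed for that path.

```php
<?php
// Assumed placeholders: replace with the real Zentyal host and DNs.
$ldapUri = 'ldaps://zentyal.example.lan';                           // port 636 implied
$adminDn = 'CN=ldap_admin_binder_01,CN=Users,DC=mydomain,DC=lan';   // placeholder
$adminPw = getenv('LDAP_ADMIN_PW');                                  // keep the bind secret out of the source
$userDn  = 'CN=testuser,CN=Users,DC=mydomain,DC=lan';               // placeholder

// Active Directory / Samba AD expect unicodePwd as "<password>" in UTF-16LE.
function encodeUnicodePwd(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

// Self-service variant: the user binds with their own credentials and the
// directory verifies the old password itself (remove old value, add new value).
function changeOwnPassword($ds, string $userDn, string $oldPw, string $newPw): bool
{
    return ldap_modify_batch($ds, $userDn, [
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_REMOVE,
         'values' => [encodeUnicodePwd($oldPw)]],
        ['attrib' => 'unicodePwd', 'modtype' => LDAP_MODIFY_BATCH_ADD,
         'values' => [encodeUnicodePwd($newPw)]],
    ]);
}

$ds = ldap_connect($ldapUri);
if ($ds === false) {
    exit("ldap_connect failed\n");
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if (!ldap_bind($ds, $adminDn, $adminPw)) {
    exit('bind failed: ' . ldap_error($ds) . "\n");
}

// Administrative reset: replace the attribute outright (no old password needed).
$newPassword = 'placeholder-new-password';
$ok = ldap_mod_replace($ds, $userDn, ['unicodePwd' => encodeUnicodePwd($newPassword)]);
if (!$ok) {
    // On a plain ldap:// (389) connection this is where the modify is refused.
    echo 'modify failed: ' . ldap_errno($ds) . ' - ' . ldap_error($ds) . "\n";
} else {
    echo "password changed\n";
}
ldap_unbind($ds);
```

For the self-service page, prefer the changeOwnPassword() path bound as the end user, so the web application never has to hold Domain Admins credentials.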