Samba4: Changing a user's passwd via LDAP

Lukasz Zalewski lukas at dcs.qmul.ac.uk
Fri Aug 20 07:42:11 MDT 2010


On 08/20/2010 12:57 PM, Michael Wood wrote:
> Hi
>
> I need to provide a web-based interface for users to change their
> passwords in Samba4.  Is LDAP the best option?
>
> Should the following work?
>
> http://support.microsoft.com/kb/269190
>
> I tried using ldapmodify with the following ldif:
>
> dn: CN=user,CN=Users,DC=my,DC=realm
> changetype: modify
> add: unicodePwd
> unicodePwd: "NewPassword"
> -
> delete: unicodePwd
> unicodePwd: "OldPassword"
> -
>
> Whether I use simple authentication with "ldapmodify -x -D
> CN=user,CN=Users,DC=my,DC=realm -W ..." or first run "kinit user" and
> then use "ldapmodify -Y gssapi ..." I get the following error:
>
> modifying entry "CN=user,CN=Users,DC=my,DC=realm"
> ldap_modify: Insufficient access (50)
> 	additional info: 00002098: insufficient access rights - error in
> module acl: insufficient access rights (50)
>
> but perhaps that's not equivalent to the code in the KB article?
>
> I would appreciate any suggestions for how to do this, preferably from
> Python, or if LDAP is not the best way, then I would appreciate it if
> you could let me know what the best way is.
>
> I also tried "net password change", but was having trouble getting that to work.
>
> I'm currently running "Version 4.0.0alpha12-GIT-6d97360" but I might
> upgrade/reprovision soon.
>
> Thanks in advance.
>

Hi Michael,
You might want to have a look at
http://msdn.microsoft.com/en-us/library/cc223248%28v=PROT.10%29.aspx
I have managed to set the password using the LDAP interface as an admin user
and as a normal user. Attached is a proof-of-concept Python script that
allows you to do the password change as an admin
(--set_password_asadmin) or as a user (--set_password_asuser).
The script assumes that you have got the appropriate krb ticket before
it is run.

However, I have noticed a strange thing. Using the included script with
kinit user1@mydomain
I have managed to change the password for userb - again, it requires
knowing userb's old password - is this intended behaviour?

Regards

Luk
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: manageAccount.py
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20100820/475be4b4/attachment.ksh>
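The following is an added example, not the attached manageAccount.py and not code from either poster. It shows the unicodePwd value format described in the Microsoft documentation linked above (the password wrapped in double quotes and encoded as UTF-16LE, which LDIF must carry base64-encoded) and builds the two modify requests the reply mentions: a user change (delete old value, add new value) and an admin reset (replace). The function names are hypothetical, and the DN and passwords are the sample values from the quoted LDIF.

```python
import base64


def encode_unicode_pwd(password: str) -> bytes:
    """Return the unicodePwd value: the quoted password, UTF-16LE encoded."""
    return ('"' + password + '"').encode("utf-16-le")


def _b64_attr(attr: str, value: bytes) -> str:
    # Binary values use the "attr:: <base64>" LDIF form (RFC 2849).
    return f"{attr}:: {base64.b64encode(value).decode('ascii')}"


def ldif_change_as_user(dn: str, old_password: str, new_password: str) -> str:
    """User-initiated change: delete the old value, then add the new one."""
    return "\n".join([
        f"dn: {dn}",  # assumes an ASCII-only DN
        "changetype: modify",
        "delete: unicodePwd",
        _b64_attr("unicodePwd", encode_unicode_pwd(old_password)),
        "-",
        "add: unicodePwd",
        _b64_attr("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
        "",
    ])


def ldif_reset_as_admin(dn: str, new_password: str) -> str:
    """Administrative reset: a single replace, no old password needed."""
    return "\n".join([
        f"dn: {dn}",  # assumes an ASCII-only DN
        "changetype: modify",
        "replace: unicodePwd",
        _b64_attr("unicodePwd", encode_unicode_pwd(new_password)),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Sample values taken from the quoted LDIF in this thread.
    dn = "CN=user,CN=Users,DC=my,DC=realm"
    print(ldif_change_as_user(dn, "OldPassword", "NewPassword"))
    print(ldif_reset_as_admin(dn, "NewPassword"))
```

Microsoft's documentation also states that Active Directory accepts writes to unicodePwd only over an encrypted connection (TLS or a SASL-protected bind), so the generated LDIF should be sent that way.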

