[Samba] Allow self password change using LDAP(s) with Samba4

Rowland penny rpenny at samba.org
Wed Dec 30 15:39:40 UTC 2015


On 30/12/15 14:59, Juan Asensio Sánchez wrote:
> Hi all
>
> I am trying to create a webapp to allow users to change their own passwords
> in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify
> the user password using this code:
>
> dn: ........
> changetype: modify
> replace: unicodePwd
> unicodePwd: "Temporal2"
>
> I get this error:
>
> 0x32 (Insufficient access; error in module acl: insufficient access rights
> during LDB_MODIFY (50))
>
> If I change the code, deleting the old password, and adding the new one:
>
> dn: ........
> changetype: modify
> delete: unicodePwd
> unicodePwd: "Temporal1"
> -
> add: unicodePwd
> unicodePwd: "Temporal2"
>
> Then I get this error:
>
> #!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set
> the NT hash password directly']
>
> The ldapmodify commands are executed using the self user credentials; I wouldn't
> like to use the administrator account. Is this possible? Do I have to
> change some settings in Samba4?

That is not going to work :-)

You need to do something like this:

_USER_PW="Temporal2"

UNICODEPWD=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)

USERLDIF="dn: .................
changetype: modify
replace: unicodePwd
unicodePwd::$UNICODEPWD"

echo "$USERLDIF" | ldbmodify -H /usr/local/samba/private/sam.ldb

Rowland
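
The self-service form of this change, as an added example that is not part of the original message or of Samba's own code: it builds the delete-old/add-new LDIF from the question with both values encoded as in the reply (quoted, UTF-16LE, base64). It assumes the server follows Active Directory's documented rule that a user changes their own unicodePwd this way over an encrypted connection; the function names and the sample DN are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): LDIF for a user-initiated
# unicodePwd change. Assumes an ASCII DN; a DN with non-ASCII characters
# would itself need base64 ("dn:: ...") in LDIF.

# Encode a password the way unicodePwd expects it: wrapped in double
# quotes, converted to UTF-16LE, then base64 for the LDIF "::" syntax.
# printf is used instead of "echo -n", which is not portable across shells.
encode_unicodepwd() {
    printf '"%s"' "$1" | iconv -f UTF-8 -t UTF-16LE | base64 | tr -d '\n'
}

# Emit a single modify operation that deletes the old value and adds the
# new one. The server treats this pair as a password *change* (the caller
# proves knowledge of the old password), as opposed to "replace", which is
# a password *reset* and needs administrative rights.
# $1 = user DN, $2 = current password, $3 = new password
self_change_ldif() {
    old_b64=$(encode_unicodepwd "$2")
    new_b64=$(encode_unicodepwd "$3")
    printf 'dn: %s\n' "$1"
    printf 'changetype: modify\n'
    printf 'delete: unicodePwd\n'
    printf 'unicodePwd:: %s\n' "$old_b64"
    printf '%s\n' '-'
    printf 'add: unicodePwd\n'
    printf 'unicodePwd:: %s\n' "$new_b64"
}

# Constructed sample input: DN and passwords are placeholders.
self_change_ldif "CN=Example User,CN=Users,DC=example,DC=com" \
    "Temporal1" "Temporal2"
```

Pipe the output to ldapmodify bound as the user over ldaps://. In a real web application, pass the passwords through stdin or the LDAP library rather than command-line arguments, which other local users can read from the process list.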



