I am trying to create a webapp to allow users to change their own passwords in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify the user password using this code:
dn: ........
changetype: modify
replace: unicodePwd
unicodePwd: "Temporal2"
I get this error:
0x32 (Insufficient access; error in module acl: insufficient access rights during LDB_MODIFY (50))
If I change the code, deleting the old password, and adding the new one:
dn: ........
changetype: modify
delete: unicodePwd
unicodePwd: "Temporal1"
-
add: unicodePwd
unicodePwd: "Temporal2"
Then I get this error:
#!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set the NT hash password directly']
The ldapmodify commands are executed using the user's own credentials; I wouldn't like to use the administrator account. Is this possible? Do I have to change some settings in Samba4?
Best Answer
The "unicodePwd" attribute can contain only the password in Unicode form, encoded with base64:
Password to set: MyNewPassw0rd
Encoding this password to push it into the "unicodePwd" attribute is done like this:
Note the single quotes around the double quotes: the single quotes are there so that the double quotes are not interpreted by the shell. The string in unicodePwd must contain the password and the double quotes.
This command gives us:
Decoding that value:
This command gives us:
Applied to your example:
And so the new LDIF content is:
Note the double colon after unicodePwd: it means the data is base64 encoded.
Using LDIF through ldapmodify is now working here to modify any user's password when ldapmodify is run using the identity of a specific user to whom we delegated rights to modify all users.
As long as I was trying to use "replace: unicodePwd" as in the following LDIF I received an error about insufficient rights.
Using two actions ("delete: unicodePwd" then "add: unicodePwd"), the insufficient rights issue disappeared. Thank you : )
Cheers,
mathias
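As an added example (not part of the original question or answer), the encoding the answer describes done in Python rather than with shell tools: the password is wrapped in double quotes, encoded as UTF-16-LE, base64-encoded and written after "unicodePwd::" in the delete/add LDIF the answer recommends for a self-service change. The DN is a constructed placeholder.

```python
import base64

# The unicodePwd attribute carries the password wrapped in double quotes,
# encoded as UTF-16-LE; in LDIF the value is written base64-encoded after
# a double colon ("unicodePwd::").


def encode_unicode_pwd(password: str) -> str:
    """Return the base64 text that goes after 'unicodePwd::' in an LDIF record."""
    quoted = '"' + password + '"'  # the quotes are part of the stored value
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def decode_unicode_pwd(b64_value: str) -> str:
    """Reverse of encode_unicode_pwd; raises if the surrounding quotes are missing."""
    quoted = base64.b64decode(b64_value).decode("utf-16-le")
    if len(quoted) < 2 or not (quoted.startswith('"') and quoted.endswith('"')):
        raise ValueError("unicodePwd value must be wrapped in double quotes")
    return quoted[1:-1]


def build_self_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """LDIF for a user changing their own password: delete the old value and
    add the new one.  A 'replace' is a password reset and needs reset rights,
    which a self-service user does not have; the delete/add pair is the
    user-initiated change that Samba/AD accept with the user's own identity."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        "unicodePwd:: " + encode_unicode_pwd(old_password),
        "-",
        "add: unicodePwd",
        "unicodePwd:: " + encode_unicode_pwd(new_password),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed DN placeholder; replace it with the real user DN.
    print(build_self_change_ldif("CN=jdoe,CN=Users,DC=example,DC=com",
                                 "Temporal1", "Temporal2"))
```

Feed the printed LDIF to ldapmodify over LDAPS bound as the user; the server does the hashing, which is why the plain NT hash can never be written directly.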