[SOLVED- almost] AD as the Account provider - changing user password

Hi syntaxerrormmm,

Thank you very much for your reply.

No problem for admin to login to Server Manager.

Standard users cannot login to Server Manager as they don’t know their new AD passwords.
If they use their old password, they get: “Invalid credentials”

The AD installation has changed: uid, gid, password, shell and I don’t know what else.

Before AD installation:

# cd /var/lib/nethserver/home/

#  getent passwd *
michelandre@micronator-dev.org:*:1001:1000:Michel-Andre:/var/lib/nethserver/home/michelandre:/bin/bash
titi@micronator-dev.org:*:1003:1000:Titi Deuxime:/var/lib/nethserver/home/titi:/bin/bash
toto@micronator-dev.org:*:1002:1000:Toto Premier:/var/lib/nethserver/home/toto:/bin/bash
#

After AD installation:
I enabled “Remote shell” and gave password to user admin and only to the standard user toto.

# cd /var/lib/nethserver/home/

# getent passwd *
admin@micronator-dev.org:*:1268801105:1268800513:admin:/var/lib/nethserver/home/admin:/bin/bash
michelandre@micronator-dev.org:*:1268801107:1268800513:michelandre:/var/lib/nethserver/home/michelandre:/usr/libexec/openssh/sftp-server
titi@micronator-dev.org:*:1268801106:1268800513:titi:/var/lib/nethserver/home/titi:/usr/libexec/openssh/sftp-server
toto@micronator-dev.org:*:1268801108:1268800513:toto:/var/lib/nethserver/home/toto:/bin/bash
#

Only user toto can login to Server Manager and change his password because I gave him a new one. michelandre and titi cannot do that.

Michel-André

Sorry, I misread your post.

Which standard user are you referring to? IMHO, the only users which should exist are the ones from an Account Provider (LDAP or AD-compatible SMB domain controller). Other local users are possible (created for example with useradd), but their use should be limited to a very few cases (e.g. system users for other services).

If you want to provide AD user access to your server, you should create the users inside AD and then assign them the SSH privilege.

Hi syntaxerrormmm,

I imported users created in LDAP:

# /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_users  /var/lib/nethserver/backup/users.tsv
[INFO] imported titi as titi@micronator-dev.org
[ERROR] Account `admin` user-create event failed.
[INFO] imported michelandre as michelandre@micronator-dev.org
[INFO] imported toto as toto@micronator-dev.org
#

“[ERROR] Account admin user-create event failed” is normal as this user existed before.

I imported groups created in LDAP:

# /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_groups  /var/lib/nethserver/backup/groups.tsv
[INFO] imported 'grp-utilisateurs' with members 'titi toto'
[ERROR] Account `domain admins` group-create event failed.
#

“[ERROR] Account domain admins group-create event failed” is normal as this group existed before.

If I create a new user in Server Manager, all is working fine for him. He can even login to a station that has joined the domain.

Michel-André

The LDAP passwords are stored encrypted so there’s no way to migrate without using bad methods like storing the passwords in clear text.

SSP provides different password reset methods:

  • SMS
  • Questions: You may use ssp some time before the migration to let users enter their answers to the questions so they could reset their password by answering a question after the migration.
  • Mail: If the users got mail accounts not managed by Nethserver, they could reset their password by email

Phone numbers, answers or mail addresses have to be migrated from LDAP (ldapsearch) to samba (ldbmodify).
phpldapadmin or LAM support LDAP import/export but I never tested.


Hi Markus,

I have been googling for a few days to find a way, but to no avail.

I think the best method is what you wrote:

Thank you very much,

Michel-André

Hi again Markus,

I installed ssp, quite a nice module.

All is working fine, I can change the password with no problem.

Action: /etc/e-smith/events/password-modify/S30nethserver-directory-password-set SUCCESS [0.213808]

But I cannot “save” the response to the question: “Your answer has not been registered”

Any suggestion?

Michel-André

Maybe the attribute or objectclass setting is wrong.

Maybe an LDAP permission problem. You could try to use libuser (has write permissions) as manager user in ssp.

The data will be written by the user or by the manager, depending on $who_change_password parameter.


Hi Markus,

You are right on, again…

DEFAULT: $who_change_password = “user”;
NEW for Questions: $who_change_password = “manager”;

Registering answer:

Changing password with answer to the question only:

I didn’t see that page before:
https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-directory.html.

Now, my next tests will be:

  1. Email to users.
  2. Captcha: to be more secure.
  3. AD: Do I have to change something to have it working under Active Directory?
  4. Encryption: I use https for the Web access with Let’s Encrypt certificate. All is working correctly. But, I saw somewhere that it was better to use encryption to secure LDAP.

I will make my tests and let you know the results.

Again, thank you so much Markus…

Michel-André

You’re welcome.

You need to change ssp config, see ssp docs and maybe set permission to change passwords.

For questions working you need to change from LDAP extensibleObject.info field to AD comment.user.
If you want to migrate from LDAP and use questions you need to export/import those fields.

Hi Markus,

I installed rCaptcha and all is working correctly after I changed:
$ldap_filter = "user";
to
$ldap_filter = "(&(objectClass=person)(uid={login})(!(uid=admin)))";

Now, how can I change: $keyphrase and $ldap_bindpw.

Thank you in advance,

Michel-André


Hi all,

All is working correctly with SSP: questions, mail token and rCaptcha.

Next test is to check if it will work after changing the Accounts provider from LDAP to AD…

Michel-André


Hi Markus,

Any hints on how to do this?

Thank you in advance,

Michel-André

Maybe it can be done easily with phpldapadmin.
A script getting the values with ldapsearch and another one writing them to AD with ldbmodify should work in any case.


Hi Markus,

Thank you very much for your replies and great support.

I wrote a Bash script, using ldapsearch as you wrote in your last reply, to extract all the user parameters from LDAP. I used a limit of 100 lines for each user in case they have address, telephone number, etc…

The script creates a file.ldif containing all the modifications (4 lines + 1 empty separation line) for each user who has a Response to the Question.

Users:

admin
michelandre
titi
toto

file.ldif:

dn: cn=titi,cn=Users,dc=micronator-dev,dc=org
changetype: modify
replace: comment
comment: 3vUCANhORKoCmNyYboNlrNsUidgpCDerzuNNALlliGSreCPlZY2Zn7QOYuaVeFrXlSnJttzW

dn: cn=toto,cn=Users,dc=micronator-dev,dc=org
changetype: modify
replace: comment
comment: 3vUCAK6a0gBJ8diNXvMCKpkQlf/+vzdzI6lvimgr7M8kgxn5K2vwICv7YK33m5OqhmJED4M0

Users admin and michelandre are ignored because they don’t have a Response to the Question.

The next step is to follow Modify the SAMBA4 AD settings as you pointed out in your last reply:

I hope my syntax is correct in the file.ldif

Again, thank you so much for your great support.

Michel-André


Hi all,

My syntax was not correct:

  1. I have to add (") because micronator-dev contains (-).
  2. I have to change replace: comment to add: comment as the users in AD have never entered a Question/Answer.
dn: cn=titi,cn=Users,dc="micronator-dev",dc=org
changetype: modify
add: comment
comment: 3vUCAPULyB1c1E1DTbxS38mX3gnmxRUGKvqqFWt5B+A+VXvCmccwqfzYrvyAXu4VYJpqFJHe

The link to Modify the SAMBA4 AD settings says:

  • to put the file file.ldif in /var/lib/machines/nsdc/var/lib/samba/private/file.ldif and the command line specifies /var/lib/samba/private/file.ldif
  • the command /usr/bin/ldbmodify is at: /var/lib/machines/nsdc/usr/bin/ldbmodify which I thought was an error, but it was not - the command /usr/bin/systemd-run tells to execute in the AD container because of the -M means Operate on local container and -H means Operate on remote host.

The original command:

/usr/bin/systemd-run -M nsdc -q -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif

I took out the -q (quiet) to see more of the result.

# /usr/bin/systemd-run -M nsdc -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif
Running as unit run-3245.service.
Press ^] three times within 1s to disconnect TTY.
Modified 3 records successfully
#

The result was as expected in the howto.

Problem:
When the user titi wants to change his password using the Question/Answer, he gets: “Your answer is not correct”. I checked the original and it was correct.
He can change his password with the email token without problem.

I will start all over and not encrypt the answer to the question when using LDAP.

All suggestions appreciated.

Michel-André

Hi all,

Incredible, but without encryption of the Answer, it works perfectly.

LDAP and Active Directory encryption must be different or do they use different keys?

Someone could explain!

Michel-André

Did you use the same keyphrase for both LDAP and AD?

Did you base64decode the LDAP answers before importing to AD?
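The two questions above (same keyphrase, and whether `info::` values were base64-decoded) are exactly what a migration script has to get right. The block below is an added example, written for this page and not the Bash script from the thread: it reads an `ldapsearch -LLL` dump (the sample dump is constructed), joins folded lines, decodes `info::` base64 values (ldapsearch writes that form whenever a value is not LDIF-safe, for instance non-ASCII characters), and emits the modify records for ldbmodify in the shape the thread used. Assumed, not taken from the page: the SSP answer sits in the `info` attribute, the AD user DN has the shape `cn=<uid>,cn=Users,<base DN>` with the base DN passed in as whatever your ldbmodify accepts, and values that are not LDIF-safe are written back as `comment::` base64 rather than pasted raw.

```python
"""Build an ldbmodify LDIF that copies SSP question/answer values from an
OpenLDAP ldapsearch dump (attribute `info`) into the Samba AD `comment`
attribute. Added example with a hypothetical helper; not the thread's script.
Assumed: source attribute `info`, target DN cn=<uid>,cn=Users,<BASE_DN>,
input produced by `ldapsearch -LLL ... uid info`."""
import base64

# Constructed sample of ldapsearch output. `info::` is a base64 value (emitted
# for non-ASCII or otherwise unsafe values); the last entry shows line folding.
SAMPLE_LDAP_DUMP = """dn: uid=toto,ou=People,dc=directory,dc=nh
uid: toto
info: {car}Toyota

dn: uid=titi,ou=People,dc=directory,dc=nh
uid: titi
info:: e2NpdHl9TW9udHLDqWFs

dn: uid=michelandre,ou=People,dc=directory,dc=nh
uid: michelandre

dn: uid=jim,ou=People,dc=directory,dc=nh
uid: jim
info: {pet}Rex the d
 og
"""


def _unfold(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldapsearch(text):
    """Return one {attr: [values]} dict per LDIF entry. `attr:: b64` values are
    base64-decoded as UTF-8; `attr:< url` references are skipped."""
    entries, current = [], {}
    for line in _unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            continue
        else:
            value = rest.lstrip(" ")
        current.setdefault(attr.lower(), []).append(value)
    return entries


def _needs_base64(value):
    """RFC 2849: non-ASCII-printable values, or values starting with space, ':'
    or '<', must be base64. Trailing spaces are encoded too so nothing trims them."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) < 32 or ord(c) > 126 for c in value)


def ldif_line(attr, value):
    """Emit `attr: value` or `attr:: base64(value)` as LDIF requires."""
    if _needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value used inside a DN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '\\,+"<>;' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_ldif(entries, base_dn, source_attr="info", target_attr="comment", op="add"):
    """One modify record per entry that has an answer; users without one are
    skipped. `op` is "add" (as in the thread) or "replace"."""
    records = []
    for entry in entries:
        uid = entry.get("uid", [None])[0]
        values = entry.get(source_attr, [])
        if not uid or not values:
            continue
        lines = [f"dn: cn={escape_dn_value(uid)},cn=Users,{base_dn}",
                 "changetype: modify", f"{op}: {target_attr}"]
        lines += [ldif_line(target_attr, v) for v in values]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n" if records else ""


if __name__ == "__main__":
    # Hypothetical base DN; pass the one your ldbmodify expects.
    print(build_ldif(parse_ldapsearch(SAMPLE_LDAP_DUMP), "dc=micronator-dev,dc=org"), end="")
```

Run it and redirect stdout to file.ldif; the titi record comes out as `comment:: e2NpdHl9TW9udHLDqWFs` (the decoded value is `{city}Montréal`, re-encoded because it is not ASCII), toto as `comment: {car}Toyota`, and michelandre produces no record. Pasting the `info::` base64 text from ldapsearch straight into a `comment:` line would store the base64 string itself as the answer, which is one way an otherwise correct import ends in "Your answer is not correct".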

Hi Markus,

Thank you very much for continuing to reply.

Maybe the problem is related to OpenLDAP ACLs as there is no output for those commands:

[root@tchana ~]# ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null
[root@tchana ~]#

[root@tchana ~]# ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print'
[root@tchana ~]#

But in fstab, the “/” partition is using xfs and by default xfs uses ACL.

[root@tchana ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Fri Jan  4 14:13:25 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/VolGroup-lv_root /                       xfs     defaults        0 0
UUID=a7c532b2-51d2-419a-ab83-b87d08f8205a /boot                   xfs     defaults        0 0
/dev/mapper/VolGroup-lv_swap swap                    swap    defaults        0 0
[root@tchana ~]#

I rewrote a brand new config.inc.local.php file that I can use for both LDAP and AD.

  • The general section is for both AD and LDAP
  • I did a section for the AD parameters only and another one for LDAP only
  • I just have to comment the AD section for LDAP and the LDAP section for AD.

Using LDAP, all is working correctly: Mail, QUESTION, rCaptcha, etc… I can change password with QUESTION, Mail, etc…

  • I created a new file.ldif.

I did a user for AD delegation making sure I have selected all the properties as on:
https://ltb-project.org/documentation/self-service-password/latest/config_ldap?s[]=active&s[]=directory

I transferred without any error the file.ldif and integrated it in AD following https://wiki.nethserver.org/doku.php?id=howto:useful_commands#modify_the_samba4_ad_settings

When I tried changing password with QUESTION I received. “Your answer is not correct”
I tried the other users, same output message.

I went in the NethServer GUI and changed the password for toto then all is working correctly: rCaptcha, password change on main page with old/new password, registering a question, changing password with QUESTION and mail, etc…
So this demonstrates that all is working fine with AD.

I will keep everything the same and create a new file.ldif without crypting to see if all will be working correctly.

I will let you know the result.

Again thank you very much for your support,

Michel-André


Hi Markus,

I started all over again. I installed a new Self Service Password.
I took a snapshot-1 of the VM.

$crypt_answers to false.

  • All users choose a question/answer.

  • All the users changed their password the standard way, with the question/answer way, and with mail token. All was working fine.

  • When still under LDAP, I made a script to generate the ldif file containing the users and their answers to their question.

I restored the original snapshot-1 and changed $crypt_answers to true.

  • All users again choose the same question/answer which were encrypted by SSP.

  • All the users were able to change their password the standard way, with question/answer way, and with mail token. All was working fine.

  • I generated another ldif file, with a different name, containing the encrypted answers.

I restored the snapshot-1 of the VM.
I installed Active Directory as account provider.

  • I imported the users and their groups.

  • I adjusted recursively the user:group in the home directories.

  • I commented the LDAP section of config.inc.local.php and added a section for AD.

I took a snapshot-2 of the VM.

$crypt_answers to false.

  • I copied the ldif file (without encryption).

  • I ran the command to import the content of the ldif file.

# /usr/bin/systemd-run -M nsdc                               \
                         -q                                  \
                         -t /usr/bin/ldbmodify               \
                         -H /var/lib/samba/private/sam.ldb   \
                         /var/lib/samba/private/file.ldif

Modified 3 records successfully
#

After the importation by the ldif file (without encryption), the users were able to choose a new password with their question the first time they use SSP. Then they were able to change their password the standard way, with question/answer way, and with mail token. All was working fine. I even had reCaptcha working perfectly.

I restored snapshot-2 of the VM.

$crypt_answers to true.

  • I copied to the server the ldif file (with encryption) after changing its name to file.ldif.

  • I ran the command to import the content of the ldif file.

# /usr/bin/systemd-run -M nsdc                               \
                         -q                                  \
                         -t /usr/bin/ldbmodify               \
                         -H /var/lib/samba/private/sam.ldb   \
                         /var/lib/samba/private/file.ldif

Modified 3 records successfully
#

If a user tried to change his password with question, the first time he used SSP, he received “Your answer is not correct”.
He cannot make a new question/answer or use mail token as he doesn’t know the new password AD generated for him.

With a crypted answer, AD doesn’t work…

There is nowhere to change the keyphrase to base64decode. Even if it was possible, I think it won’t change the result. The article you mentioned was about changing the mail passphrase for mail token. I didn’t find anything for the question/answer.

Any more suggestions? If not, I will leave it without encryption and release the howto document later.

Michel-André

P.S.: I just found out (https://en.m.wikipedia.org/wiki/Base64) that Base64 is a group of binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation.

It is not related to SSP or OpenLDAP but I think that both can use it. I will investigate a little bit more…


Hi all,

After googling for quite some time…

  1. Because I cannot encrypt the answer for compatibility with importing users/groups/passwords to Active Directory.

  2. Because I tell Self Service Password to store the answer to the question into LDAP “info” attribute:

    $answer_attribute = “info”;

Then, the command to display all the question/answer pairs stored by the users in LDAP:

# ldapsearch -Y EXTERNAL | grep -e "# " -e info:
...
# toto , People, directory.nh   
info: {car}Toyota
...

I would like to protect the attribute “info” with ACL.

access to attrs=info
   by self write
   by "cn=libuser,dc=directory,dc=nh" write
   by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write
   by anonymous none
  • self will be able to write (meaning read and write)
  • libuser, the almighty, will be able to write
  • group “domain admins” will be able to write (so not to paint myself in the corner)
  • anonymous will not even be able to read it
  1. Copy /etc/e-smith/templates/etc/openldap/ldap.conf/10default to a custom template.
  2. Add the above into the custom template.
  3. expand.
  4. restart openldap.

Questions:
Do I have to add “manager” to the ACL?
Is that a good way to do it?
Is there a better way?

This is the last problem to finish the documentation about changing Account provider from LDAP to Active Directory with Self Service Password (so that the users are able, after importation, to change the password created by AD after its installation - imagine I have hundreds/thousands of users)…

Absolutely all suggestions appreciated,

Michel-André