And it works, LDAP with libuser and AD with a special user who is only allowed to change passwords (described here, search for “rights to change password of users”) but is no admin.
How to set the permission with Windows ADUC (the only way I found, samba-tool seems to not support it):
I changed the config template in a previous post to reflect the changes.
Additionally I created a user ssp and created a file /var/lib/nethserver/secrets/ssp with the password of the ssp user. It would also be possible to give the “change password permission” to ldapservice so we don’t need an additional user.
If we want the token to work we need special users (libuser/ssp).
If we could manage to set the password changing permission in AD on the command line somehow, we could write a random password to the file or use ldapservice and automate the whole process.
At least we won’t be able to do that with remote AD.