[SOLVED- almost] AD as the Account provider - changing user password

Hi all,

When installing AD as the Account provider, all the passwords of the standard users are changed by the installation of AD.

How can a standard user change his password without admin intervention?

Michel-André

The simplest solution is asking the user to log on to the Server Manager interface with his/her own credentials, then go to the Profile entry under the User menu at the top right of the Server Manager, and from there he/she can change the password without help.

Hi syntaxerrormmm,

Thank you very much for your reply.

No problem for admin to login to Server Manager.

Standard users cannot login to Server Manager as they don’t know their new AD passwords.
If they use their old password, they get: “Invalid credentials”

The AD installation has changed: uid, gid, password, shell and I don’t know what else.

Before AD installation:

# cd /var/lib/nethserver/home/

#  getent passwd *
michelandre@micronator-dev.org:*:1001:1000:Michel-Andre:/var/lib/nethserver/home/michelandre:/bin/bash
titi@micronator-dev.org:*:1003:1000:Titi Deuxime:/var/lib/nethserver/home/titi:/bin/bash
toto@micronator-dev.org:*:1002:1000:Toto Premier:/var/lib/nethserver/home/toto:/bin/bash
#

After AD installation:
I enabled “Remote shell” and gave a password to user admin and only to the standard user toto.

# cd /var/lib/nethserver/home/

# getent passwd *
admin@micronator-dev.org:*:1268801105:1268800513:admin:/var/lib/nethserver/home/admin:/bin/bash
michelandre@micronator-dev.org:*:1268801107:1268800513:michelandre:/var/lib/nethserver/home/michelandre:/usr/libexec/openssh/sftp-server
titi@micronator-dev.org:*:1268801106:1268800513:titi:/var/lib/nethserver/home/titi:/usr/libexec/openssh/sftp-server
toto@micronator-dev.org:*:1268801108:1268800513:toto:/var/lib/nethserver/home/toto:/bin/bash
#

Only user toto can login to Server Manager and change his password because I gave him a new one. michelandre and titi cannot do that.

Michel-André

Sorry, I misread your post.

Which standard user are you referring to? IMHO, the only users that should exist are the ones from an Account Provider (LDAP or AD-compatible SMB domain controller). Other local users are possible (created for example with useradd), but their use should be limited to very few cases (e.g. system users for other services).

If you want to provide AD user access to your server, you should create the users inside AD and then assign them the SSH privilege.

Hi syntaxerrormmm,

I imported users created in LDAP:

# /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_users  /var/lib/nethserver/backup/users.tsv
[INFO] imported titi as titi@micronator-dev.org
[ERROR] Account `admin` user-create event failed.
[INFO] imported michelandre as michelandre@micronator-dev.org
[INFO] imported toto as toto@micronator-dev.org
#

“[ERROR] Account admin user-create event failed” is normal as this user existed before.

I imported groups created in LDAP:

# /usr/share/doc/nethserver-sssd-1.4.8/scripts/import_groups  /var/lib/nethserver/backup/groups.tsv
[INFO] imported 'grp-utilisateurs' with members 'titi toto'
[ERROR] Account `domain admins` group-create event failed.
#

“[ERROR] Account domain admins group-create event failed” is normal as this group existed before.

If I create a new user in Server Manager, all is working fine for him. He can even login to a station that has joined the domain.

Michel-André

The LDAP passwords are stored encrypted so there’s no way to migrate without using bad methods like storing the passwords in clear text.

SSP provides different password reset methods:

  • SMS
  • Questions: You may use ssp some time before the migration to let users enter their answers to the questions so they could reset their password by answering a question after the migration.
  • Mail: If the users got mail accounts not managed by Nethserver, they could reset their password by email

Phone numbers, answers or mail addresses have to be migrated from LDAP (ldapsearch) to samba (ldbmodify).
phpldapadmin or LAM support LDAP import/export, but I never tested it.


Hi Markus,

I have been googling for a few days to find a way, but to no avail.

I think the best method is what you wrote:

Thank you very much,

Michel-André

Hi again Markus,

I installed ssp, quite a nice module.

All is working fine, I can change the password with no problem.

Action: /etc/e-smith/events/password-modify/S30nethserver-directory-password-set SUCCESS [0.213808]

But I cannot “save” the response to the question: “Your answer has not been registered”

Any suggestion,

Michel-André

Maybe the attribute or objectclass setting is wrong.

Maybe an LDAP permission problem. You could try to use libuser (has write permissions) as manager user in ssp.

The data will be written by the user or by the manager, depending on $who_change_password parameter.


Hi Markus,

You are right on, again…

DEFAULT: $who_change_password = “user”;
NEW for Questions: $who_change_password = “manager”;

Registering answer:

Changing password with answer to the question only:

I didn’t see that page before:
https://docs.nethserver.org/projects/nethserver-devel/en/latest/nethserver-directory.html.

Now, my next tests will be:

  1. Email to users.
  2. Captcha: to be more secure.
  3. AD: Do I have to change something to have it working under Active Directory?
  4. Encryption: I use https for the Web access with Let’s Encrypt certificate. All is working correctly. But, I saw somewhere that it was better to use encryption to secure LDAP.

I will make my tests and let you know the results.

Again, thank you so much Markus…

Michel-André

You’re welcome.

You need to change ssp config, see ssp docs and maybe set permission to change passwords.

For questions to work you need to change from the LDAP extensibleObject.info field to the AD comment.user field.
If you want to migrate from LDAP and use questions you need to export/import those fields.

Hi Markus,

I installed rCaptcha and all is working correctly after I changed:
$ldap_filter = "user";
to
$ldap_filter = "(&(objectClass=person)(uid={login})(!(uid=admin)))";

Now, how can I change $keyphrase and $ldap_bindpw?

Thank you in advance,

Michel-André


Hi all,

All is working correctly with SSP: questions, mail token and rCaptcha.

Next test is to check if it will work after changing the Accounts provider from LDAP to AD…

Michel-André


Hi Markus,

Any hints on how to do this?

Thank you in advance,

Michel-André

Maybe it can be done easily with phpldapadmin.
A script getting the values with ldapsearch and another one writing them to AD with ldbmodify should work in any case.


Hi Markus,

Thank you very much for your replies and great support.

I wrote a Bash script, using ldapsearch as you wrote in your last reply, to extract all the users’ parameters from LDAP. I used a limit of 100 lines for each user in case they have an address, telephone number, etc…

The script creates a file.ldif containing all the modifications (4 lines + 1 empty separation line) for each user who has a Response to the Question.

Users:

admin
michelandre
titi
toto

file.ldif:

dn: cn=titi,cn=Users,dc=micronator-dev,dc=org
changetype: modify
replace: comment
comment: 3vUCANhORKoCmNyYboNlrNsUidgpCDerzuNNALlliGSreCPlZY2Zn7QOYuaVeFrXlSnJttzW

dn: cn=toto,cn=Users,dc=micronator-dev,dc=org
changetype: modify
replace: comment
comment: 3vUCAK6a0gBJ8diNXvMCKpkQlf/+vzdzI6lvimgr7M8kgxn5K2vwICv7YK33m5OqhmJED4M0

Users admin and michelandre are ignored because they don’t have a Response to the Question.

The next step is to follow Modify the SAMBA4 AD settings as you pointed out in your last reply:

I hope my syntax is correct in the file.ldif

Again, thank you so much for your great support.

Michel-André


Hi all,

My syntax was not correct:

  1. I have to add (") because micronator-dev contains (-).
  2. I have to change replace: comment to add: comment as the users in AD have never entered a Question/Answer.

dn: cn=titi,cn=Users,dc="micronator-dev",dc=org
changetype: modify
add: comment
comment: 3vUCAPULyB1c1E1DTbxS38mX3gnmxRUGKvqqFWt5B+A+VXvCmccwqfzYrvyAXu4VYJpqFJHe

The link to Modify the SAMBA4 AD settings says:

  • to put the file file.ldif in /var/lib/machines/nsdc/var/lib/samba/private/file.ldif and the command line specifies /var/lib/samba/private/file.ldif
  • the command /usr/bin/ldbmodify is at /var/lib/machines/nsdc/usr/bin/ldbmodify, which I thought was an error, but it was not: the command /usr/bin/systemd-run tells it to execute in the AD container, because -M means Operate on local container and -H means Operate on remote host.

The original command:

/usr/bin/systemd-run -M nsdc -q -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif

I took out the -q (quiet) to see more of the result.

# /usr/bin/systemd-run -M nsdc -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif
Running as unit run-3245.service.
Press ^] three times within 1s to disconnect TTY.
Modified 3 records successfully
#

The result was as expected in the howto.

Problem:
When the user titi wants to change his password using the Question/Answer, he gets: “Your answer is not correct”. I checked the original and it was correct.
He can change his password with the email token without problem.

I will start all over and not encrypt the answer to the question when using LDAP.

All suggestions appreciated.

Michel-André

Hi all,

Incredible, but without encryption of the Answer, it works perfectly.

LDAP and Active Directory encryption must be different or do they use different keys?

Someone could explain!

Michel-André

Did you use the same keyphrase for both LDAP and AD?

Did you base64decode the LDAP answers before importing to AD?
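An added example, not the thread author's Bash script and not part of SSP or NethServer: a small Python program that does the export/import conversion discussed above (ldapsearch output in, ldbmodify LDIF out) and covers the two points raised in this thread, the `add: comment` syntax with the quoted hyphenated dc component from the corrected file.ldif, and the base64 decoding of `attr::` values that ldapsearch emits for values that are not LDIF-safe. It assumes SSP keeps the answer in the `info` attribute on OpenLDAP and in `comment` on AD (as stated earlier in the thread), that AD users live under cn=Users, and the ldapsearch invocation in the usage comment is an assumption as well. The sample ldapsearch output is constructed. Whatever is copied over, the encrypted answers only verify on AD if the same $keyphrase is configured on both sides.

```python
#!/usr/bin/env python3
"""Turn `ldapsearch -LLL` output into an ldbmodify LDIF for Samba AD.

Constructed example (not the thread author's script). It
  * unfolds LDIF continuation lines and decodes `attr:: base64` values,
  * keeps only users that actually carry an SSP answer (`info`),
  * writes one `add: comment` change per user, quoting a hyphenated dc
    component the way the thread's working file.ldif does.
"""
import base64
import sys
from typing import Dict, List, Sequence

SRC_ATTR = "info"       # SSP answer attribute on OpenLDAP (extensibleObject), assumed
DST_ATTR = "comment"    # SSP answer attribute on Active Directory, assumed

# Constructed sample of ldapsearch output. titi's value contains accented
# characters, so ldapsearch base64-encodes it (`info::`) and folds the long
# line onto a continuation line that starts with one space.
TITI_VALUE = "couleur:rouge et vert, réponse secrète"
TITI_B64 = base64.b64encode(TITI_VALUE.encode("utf-8")).decode("ascii")
SAMPLE_LDAPSEARCH_OUTPUT = (
    "dn: uid=titi,ou=People,dc=micronator-dev,dc=org\n"
    "uid: titi\n"
    "objectClass: extensibleObject\n"
    "info:: " + TITI_B64[:30] + "\n " + TITI_B64[30:] + "\n"
    "\n"
    "dn: uid=michelandre,ou=People,dc=micronator-dev,dc=org\n"
    "uid: michelandre\n"
    "\n"
    "dn: uid=toto,ou=People,dc=micronator-dev,dc=org\n"
    "uid: toto\n"
    "info: couleur:bleu\n"
)


def parse_ldif_entries(text: str) -> List[Dict[str, List[str]]]:
    """Group attributes per entry; decode `::` base64 values; unfold lines."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    # A line starting with one space continues the previous line (RFC 2849).
    for line in text.replace("\n ", "").splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():          # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):      # `attr:: <base64>`
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:                         # `attr: <plain value>`
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def ldif_value(attr: str, value: str) -> str:
    """Emit `attr: value`, or `attr:: base64` when the value is not LDIF-safe
    (non-ASCII, leading/trailing space, leading ':' or '<', CR/LF/NUL)."""
    safe = (
        value.isascii()
        and value == value.strip()
        and not value.startswith((":", "<"))
        and not any(c in value for c in "\r\n\x00")
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def ad_user_dn(uid: str, domain_components: Sequence[str]) -> str:
    """cn=<uid>,cn=Users,dc=...; a dc containing '-' is quoted as in the thread."""
    dcs = ",".join(f'dc="{dc}"' if "-" in dc else f"dc={dc}" for dc in domain_components)
    return f"cn={uid},cn=Users,{dcs}"


def build_ad_ldif(ldapsearch_output: str,
                  domain_components: Sequence[str] = ("micronator-dev", "org")) -> str:
    """One `add: comment` modification per user that has an SSP answer."""
    changes = []
    for entry in parse_ldif_entries(ldapsearch_output):
        uid = entry.get("uid", [""])[0]
        answers = entry.get(SRC_ATTR, [])
        if not uid or not answers:
            continue                  # no answer registered: nothing to migrate
        changes.append("\n".join([
            f"dn: {ad_user_dn(uid, domain_components)}",
            "changetype: modify",
            f"add: {DST_ATTR}",
            ldif_value(DST_ATTR, answers[0]),
        ]))
    return "\n\n".join(changes) + ("\n" if changes else "")


if __name__ == "__main__":
    # Assumed usage: ldapsearch -x -LLL -b ou=People,dc=... '(uid=*)' uid info > users.ldif
    #                python3 make_ad_ldif.py users.ldif > file.ldif
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDAPSEARCH_OUTPUT
    sys.stdout.write(build_ad_ldif(src))
```

Run without arguments it prints the LDIF for the constructed sample: titi gets a `comment::` line because the decoded value is not plain ASCII, toto gets a plain `comment:` line, and michelandre is skipped because he has no answer. The generated file.ldif is then placed in the nsdc container and applied with the systemd-run/ldbmodify command shown earlier in the thread; running ldbmodify without -q, as the thread does, shows how many records were modified.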

Hi Markus,

Thank you very much for continuing to reply.

Maybe the problem is related to OpenLDAP ACLs, as there is no output for those commands:

[root@tchana ~]# ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null
[root@tchana ~]#

[root@tchana ~]# ldapsearch -LLL -Y EXTERNAL -b cn=config -s one 'objectClass=olcDatabaseConfig' olcAccess 2>/dev/null | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print'
[root@tchana ~]#

But in fstab, the “/” partition is using xfs and by default xfs uses ACL.

[root@tchana ~]# cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Fri Jan  4 14:13:25 2019
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/VolGroup-lv_root /                       xfs     defaults        0 0
UUID=a7c532b2-51d2-419a-ab83-b87d08f8205a /boot                   xfs     defaults        0 0
/dev/mapper/VolGroup-lv_swap swap                    swap    defaults        0 0
[root@tchana ~]#

I rewrote a brand new config.inc.local.php file that I can use for both LDAP and AD.

  • The general section is for both AD and LDAP
  • I did a section for the AD parameters only and another one for LDAP only
  • I just have to comment the AD section for LDAP and the LDAP section for AD.

Using LDAP, all is working correctly: Mail, QUESTION, rCaptcha, etc… I can change password with QUESTION, Mail, etc…

  • I created a new file.ldif.

I created a user for AD delegation, making sure I selected all the properties as on:
https://ltb-project.org/documentation/self-service-password/latest/config_ldap?s[]=active&s[]=directory

I transferred the file.ldif without any error and integrated it in AD following https://wiki.nethserver.org/doku.php?id=howto:useful_commands#modify_the_samba4_ad_settings

When I tried changing the password with QUESTION I received: “Your answer is not correct”
I tried the other users, same output message.

I went in the NethServer GUI and changed the password for toto then all is working correctly: rCaptcha, password change on main page with old/new password, registering a question, changing password with QUESTION and mail, etc…
So this demonstrates that all is working fine with AD.

I will keep everything the same and create a new file.ldif without encrypting to see if all will be working correctly.

I will let you know the result.

Again thank you very much for your support,

Michel-André
