[SOLVED- almost] AD as the Account provider - changing user password

Hi Markus,

I started all over again. I installed a new Self Service Password.
I took a snapshot-1 of the VM.

$crypt_answers to false.

  • All users choose a question/answer.

  • All the users changed their password the standard way, with the question/answer way, and with mail token. All was working fine.

  • When still under LDAP, I made a script to generate the ldif file containing the users and their answers to their question.

I restored the original snapshot-1 and changed $crypt_answers to true.

  • All users again choose the same question/answer which were encrypted by SSP.

  • All the users were able to change their password the standard way, with question/answer way, and with mail token. All was working fine.

  • I generated another ldif file, with a different name, containing the encrypted answers.

I restored the snapshot-1 of the VM.
I installed Active Directory as account provider.

  • I imported the users and their groups.

  • I adjusted recursively the user:group in the home directories.

  • I commented the LDAP section of config.inc.local.php and added a section for AD.

I took a snapshot-2 of the VM.

$crypt_answers to false.

  • I copied the ldif file (without encryption).

  • I ran the command to import the content of the ldif file.

# /usr/bin/systemd-run -M nsdc                               \
                         -q                                  \
                         -t /usr/bin/ldbmodify               \
                         -H /var/lib/samba/private/sam.ldb   \
                         /var/lib/samba/private/file.ldif

Modified 3 records successfully
#

After the importation by the ldif file (without encryption), the users were able to choose a new password with their question the first time they used SSP. Then they were able to change their password the standard way, with the question/answer way, and with mail token. All was working fine. I even had reCaptcha working perfectly.

I restored snapshot-2 of the VM.

$crypt_answers to true.

  • I copied to the server the ldif file (with encryption) after changing its name to file.ldif.

  • I ran the command to import the content of the ldif file.

# /usr/bin/systemd-run -M nsdc                               \
                         -q                                  \
                         -t /usr/bin/ldbmodify               \
                         -H /var/lib/samba/private/sam.ldb   \
                         /var/lib/samba/private/file.ldif

Modified 3 records successfully
#

If a user tried to change his password with question, the first time he used SSP, he received "Your answer is not correct".
He cannot make a new question/answer or use the mail token as he doesn’t know the new password AD generated for him.

With a crypted answer, AD doesn’t work…

There is nowhere to change the keyphrase to base64decode. Even if it was possible, I think it won’t change the result. The article you mentioned was about changing the mail passphrase for the mail token. I didn’t find anything for the question/answer.

Any more suggestions? If not, I will leave it without encryption and release the howto document later.

Michel-André

P.S.: I just found out (https://en.m.wikipedia.org/wiki/Base64) that Base64 is a group of binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation.

It is not related to SSP or OpenLDAP but I think that both can use it. I will investigate a little bit more…

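One check worth running on an LDIF before handing it to ldbmodify: RFC 2849 only allows a value after a single colon when it is a "safe string" (printable ASCII, not starting with a space, colon or `<`, no CR/LF/NUL); anything else, such as an encrypted answer, must be written base64-encoded after a double colon (`info:: ...`). The script below is an added example, not part of this thread, of SSP or of NethServer: it parses an LDIF (including folded continuation lines) and reports, per entry, how each `info` value was encoded and whether that encoding was valid. The sample LDIF inside it is constructed for the example; the binary bytes stand in for ciphertext and do not reproduce SSP's own encryption.

```python
"""Audit how the `info` attribute is encoded in an LDIF file (added example)."""
import base64

# Constructed sample, not from the thread.  Entry 1: a plain-text answer, with
# an RFC 2849 folded line.  Entry 2: binary bytes correctly written as "info::".
# Entry 3: the mistake this script is meant to catch, binary bytes after a
# single colon, which is not valid LDIF and will not round-trip intact.
SAMPLE_LDIF = (
    "# constructed sample\n"
    "dn: cn=toto,ou=People,dc=directory,dc=nh\n"
    "changetype: modify\n"
    "replace: info\n"
    "info: {car}Toy\n"
    " ota\n"
    "\n"
    "dn: cn=titi,ou=People,dc=directory,dc=nh\n"
    "changetype: modify\n"
    "replace: info\n"
    "info:: " + base64.b64encode(b"\x01\x8f\xa2binary-ciphertext").decode() + "\n"
    "\n"
    "dn: cn=tata,ou=People,dc=directory,dc=nh\n"
    "changetype: modify\n"
    "replace: info\n"
    "info: \x01\x8f\xa2 this is not safe\n"
)


def is_safe_string(value: str) -> bool:
    """RFC 2849 SAFE-STRING test: may the value be written after a single colon?"""
    if value == "":
        return True
    if any(ord(c) > 127 or c in "\x00\r\n" for c in value):
        return False
    if value[0] in " :<" or value.endswith(" "):
        return False
    return True


def unfold(lines):
    """Join continuation lines (leading single space) onto the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_ldif(text: str):
    """Return records as (dn, [(attr, value, was_base64), ...]).

    Read real files with encoding="latin-1" so every byte maps to one character.
    Handles 'attr: value' and 'attr:: base64'; 'attr:< url' is kept as the URL.
    """
    records, dn, attrs = [], None, []
    for line in unfold(text.splitlines()) + [""]:
        if line == "":                      # blank line ends a record
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith("#") or line == "-":   # comment / change separator
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):            # base64 form
            value = base64.b64decode(rest[1:].strip(), validate=True).decode("latin-1")
            was_b64 = True
        elif rest.startswith("<"):          # file/URL reference
            value, was_b64 = rest[1:].strip(), False
        else:                               # plain form, one optional space
            value, was_b64 = (rest[1:] if rest.startswith(" ") else rest), False
        if name == "dn":
            dn = value
        else:
            attrs.append((name, value, was_b64))
    return records


def audit_attribute(text: str, attr: str = "info"):
    """List (dn, encoding, ok) for every occurrence of `attr`."""
    report = []
    for dn, attrs in parse_ldif(text):
        for name, value, was_b64 in attrs:
            if name.lower() != attr:
                continue
            if was_b64:
                report.append((dn, "base64", True))
            else:
                report.append((dn, "plain", is_safe_string(value)))
    return report


if __name__ == "__main__":
    for dn, encoding, ok in audit_attribute(SAMPLE_LDIF):
        verdict = "ok" if ok else "NOT LDIF-safe, must use the 'info::' base64 form"
        print(f"{dn}: info written as {encoding} -> {verdict}")
```

Run it against the exported file instead of the sample to see whether the encrypted answers were base64-encoded on the way out; a `plain` line flagged as not LDIF-safe means the export, not the AD import, is where the value was damaged.
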
Hi all,

After googling for quite some time…

  1. Because I cannot crypt the answer for compatibility with importing users/groups/passwords to Active Directory.

  2. Because I tell Self Service Password to store the answer to the question into LDAP “info” attribute:

    $answer_attribute = "info";

Then, the command to display all the questions/answers stored by the users in LDAP:

# ldapsearch -Y EXTERNAL | grep -e "# " -e info:
...
# toto , People, directory.nh   
info: {car}Toyota
...

I would like to protect the attribute “info” with ACL.

access to attrs=info
   by self write
   by "cn=libuser,dc=directory,dc=nh" write
   by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write
   by anonymous none

  • self will be able to write (meaning read and write)
  • libuser, the almighty, will be able to write
  • group “domain admins” will be able to write (so as not to paint myself into a corner)
  • anonymous will not even be able to read it

  1. Copy /etc/e-smith/templates/etc/openldap/ldap.conf/10default to a custom template.
  2. Add the above into the custom template.
  3. expand.
  4. restart openldap.

Questions:
Do I have to add “manager” to the ACL?
Is that a good way to do it?
Is there a better way?

This is the last problem to finish the documentation about changing the Account provider from LDAP to Active Directory with Self Service Password (so that the users, after importation, are able to change the password created by AD after its installation - imagine I have hundreds/thousands of users)…

Absolutely all suggestions appreciated,

Michel-André