Hi Markus,
I started all over again. I installed a new Self Service Password.
I took a snapshot-1 of the VM.
$crypt_answers to false.
-
All users choose a question/answer.
-
All the users changed their password the standard way, with question/answer way, and with mail token. All was working fine.
-
When still under LDAP, I made a script to generate the ldif file containing the users and their answers to their question.
I restored the original snapshot-1 and changed $crypt_answers to true.
-
All users again choose the same question/answer which were encrypted by SSP.
-
All the users were able to change their password the standard way, with question/answer way, and with mail token. All was working fine.
-
I generated another ldif file, with a different name, containing the encrypted answers.
I restored the snapshot-1 of the VM.
I installed Active Directory as account provider.
-
I imported the users and their groups.
-
I adjusted recursively the user:group in the home directories.
-
I commented the LDAP section of config.inc.local.php and added a section for AD.
I took a snapshot-2 of the VM.
$crypt_answers to false.
-
I copied the ldif file (without encryption).
-
I ran the command to import the content of the ldif file.
# /usr/bin/systemd-run -M nsdc \
-q \
-t /usr/bin/ldbmodify \
-H /var/lib/samba/private/sam.ldb \
/var/lib/samba/private/file.ldif
Modified 3 records successfully
#
After the importation by the ldif file (without encryption), the users were able to choose a new password with their question the first time they use SSP. Then they were able to change their password the standard way, with question/answer way, and with mail token. All was working fine. I even had reCaptcha working perfectly.
I restored snapshot-2 of the VM.
$crypt_answers to true.
-
I copied to the server the ldif file (with encryption) after changing its name to file.ldif.
-
I ran the command to import the content of the ldif file.
# /usr/bin/systemd-run -M nsdc \
-q \
-t /usr/bin/ldbmodify \
-H /var/lib/samba/private/sam.ldb \
/var/lib/samba/private/file.ldif
Modified 3 records successfully
#
If a user tried to change his password with question, the first time he uses SSP, he received "Your answer is not correct."
He cannot make a new question/answer or use mail token as he doesn’t know the new password AD generated for him.
With a crypted answer, AD doesn’t work…
There is nowhere to change the keyphrase to base64decode. Even if it were possible, I think it won't change the result. The article you mentioned was about changing the mail passphrase for mail token. I didn't find anything for the question/answer.
Any more suggestions? If not, I will leave it without encryption and release the howto document later.
Michel-André
P.S.: I just found out (https://en.m.wikipedia.org/wiki/Base64) that Base64 is a group of binary-to-text encoding schemes that represent binary data in an ASCII string format by translating it into a radix-64 representation.
It is not related to SSP or OpenLDAP but I think that both can use it. I will investigate a little bit more…