ldap_modify() instead of ldap_exop_passwd() #128
Comments
It will ensure that the password is hashed instead of possibly stored as clear text. |
Maybe there is an ability to add an option in the GUI to choose the LDAP attribute and function to store the password? Because sometimes there is no way to deal with userPassword. |
Are you sure Samba4 is configured correctly? It seems odd to me that it would not be able to operate with the intended method to change passwords on LDAP. And it does not seem to be the correct solution for me either. |
Thanks for the reply. I have a feeling that samba 4.7.0 (actual version for Ubuntu 18) doesn't really support the dSHeuristics flag. I'll try to upgrade the version to the latest stable. Maybe this will help. |
Samba is upgraded to the latest 4.11.6 with no luck. Still having the same error:
Just found info of 2017 in the samba lists:
(https://lists.samba.org/archive/samba/2017-March/207245.html)
(http://samba.2283325.n4.nabble.com/Internal-LDAP-problem-tp4643700p4643833.html) |
That's 3 years ago, but well, probably still valid. The automated tests run against openLDAP, I know 389 DS was tested, too. |
Same issue here, can't change password with Samba AD. Is there another way to implement this feature?
ldap_exop_passwd(): Passwd modify extended operation failed: Extended Operation(1.3.6.1.4.1.4203.1.11.1) not supported (2) at /var/www/html/custom_apps/ldap_write_support/lib/LDAPUserManager.php#349 |
Still no changes in the code of LDAPUserManager.php. So I'm still using my fix (drlight17@2298fd1) from the first post in this thread. It works perfectly fine. Just make sure to have a backup of the fixed LDAPUserManager.php when updating Nextcloud or its apps. |
Hi, try this on your Samba AD. Replace /var/lib/samba/private/ with your path, and the DC domain part:
ldbedit -e vi -H /var/lib/samba/private/sam.ldb -b 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com' '(objectClass=ntDSService)'
The editor is vi, so you can use the ESC key, then :$ to go to the end of the file, and finally the letter o to add a new line; paste the dSHeuristics line and save with the ESC key and :x
The samba.conf on your AD server must contain the line in the global section: (this was my missing setup to work)
Restart the samba service and voilà. I hope this works. |
Hello. POST /settings/personal/changepassword |
I did the same and still get the |
Instead of the deep change, I would recommend either a fallback or an AD detection algorithm to stay compatible. |
I can add detection of passwdModify extended operation. @drlight17 @meckiemac can you send current version of your LDAP backend and your DSE? |
I run the samba AD via ubuntu focal, current release is: 2:4.11.6+dfsg-0ubuntu1.6. Output is sanitised. I hope this helps. Let me know if you need more information. |
Thanks, now quick summary:
LDAP documentation says:
So, we should probably check DSE for @drlight17 @meckiemac can you confirm that modifying userPassword attribute works for you? |
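The detection-with-fallback approach discussed above, as an added PHP example that is not the ldap_write_support code. It assumes the check is made against the root DSE's supportedExtension attribute (the comment above does not name the attribute), uses the OID from the error message in this thread, and falls back to a userPassword modify only when the extended operation is not advertised. The function names are hypothetical and the connection is assumed to be already bound.

```php
<?php
// Added example; function names are hypothetical, not from ldap_write_support.

// Password Modify extended operation OID, as shown in the error message in this thread.
const PASSWD_MODIFY_OID = '1.3.6.1.4.1.4203.1.11.1';

/**
 * Return true if the server's root DSE advertises the Password Modify
 * extended operation in supportedExtension (assumed detection method).
 */
function supportsPasswdModify($conn): bool
{
    // Root DSE: empty base DN, base scope (ldap_read), attribute requested by name.
    $res = @ldap_read($conn, '', '(objectClass=*)', ['supportedExtension']);
    if ($res === false) {
        return false; // root DSE unreadable: treat the operation as unsupported
    }
    $entries = ldap_get_entries($conn, $res);
    if ($entries === false || $entries['count'] < 1) {
        return false;
    }
    // ldap_get_entries() lowercases attribute names and adds a 'count' key.
    $extensions = $entries[0]['supportedextension'] ?? [];
    unset($extensions['count']);
    return in_array(PASSWD_MODIFY_OID, $extensions, true);
}

/**
 * Change a password, preferring the extended operation so the directory
 * handles hashing, and modifying userPassword only when it is unavailable.
 */
function changePassword($conn, string $userDn, string $newPassword): bool
{
    if (supportsPasswdModify($conn)) {
        // Empty old password: the bound identity must be allowed to reset it.
        return ldap_exop_passwd($conn, $userDn, '', $newPassword) !== false;
    }
    // Fallback for servers such as the Samba AD setups in this thread.
    // How the value is stored is then up to the server's configuration.
    return ldap_mod_replace($conn, $userDn, ['userPassword' => [$newPassword]]);
}
```

Logging which branch was taken makes it visible when a deployment is relying on the userPassword fallback rather than the extended operation.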
Yes, I confirm. |
I can confirm, but with a very small change. I searched a bit further and found: https://stackoverflow.com/questions/13078022/php-ldap-modify-insufficient-access |
Hi, do we have any updates on this? I would like to skip the double checking of the exop/mod functions on any update. |
Finally! Thanks! |
Thank you! |
Hi.
I've just had trouble changing users' passwords from NC. I'm using samba 4 with 6.1.1.2.4.1.2 dSHeuristics set to 1. But every time I change a password (not only via NC, but also with self-written scripts) I get an extended operation error using the ldap_exop_passwd() function.
And there is no problem changing the password using ldap_modify(). I've made a little change in lib/LDAPUserManager.php (see drlight17@2298fd1).
Is there really a security reason to use the ldap_exop_passwd() function to operate on the userPassword attribute?