
I am trying to create a webapp to allow users to change their own passwords in Samba4 (perhaps, also in AD), using LDAP(s). But when I try to modify the user password using this code:

dn: ........
changetype: modify
replace: unicodePwd
unicodePwd: "Temporal2"

I get this error:

0x32 (Insufficient access; error in module acl: insufficient access rights during LDB_MODIFY (50))

If I change the code, deleting the old password, and adding the new one:

dn: ........
changetype: modify
delete: unicodePwd
unicodePwd: "Temporal1"
-
add: unicodePwd
unicodePwd: "Temporal2"

Then I get this error:

#!ERROR [LDAP: error code 53 - 00002035: setup_io: it's not allowed to set the NT hash password directly']

The ldapmodify commands are executed using the user's own credentials; I wouldn't like to use the administrator account. Is this possible? Do I have to change some settings in Samba4?

okelet

1 Answer


The "unicodePwd" field or attribute can contain only the password in Unicode form, encoded with base64:

Password to set: MyNewPassw0rd

Encoding this password to push it into the "unicodePwd" attribute is done like this:

echo -n '"MyNewPassw0rd"' | iconv -f utf8 -t utf16le | base64 -w 0

Note the single quotes around the double quotes: the single quotes are there so that the double quotes are not interpreted by the shell. The string in unicodePwd must contain the password and the double quotes.

This command gives us:

IgBNAHkATgBlAHcAUABhAHMAcwB3ADAAcgBkACIA

Decoding that value:

echo IgBNAHkATgBlAHcAUABhAHMAcwB3ADAAcgBkACIA | base64 -d

This command gives us:

"MyNewPassw0rd"

Applied to your example:

# -n: no trailing newline, otherwise it becomes part of the password
echo -n '"Temporal2"' | iconv -f utf8 -t utf16le | base64 -w 0
IgBUAGUAbQBwAG8AcgBhAGwAMgAiAA==

And so the new LDIF content is:

dn: ........
changetype: modify
delete: unicodePwd
-
add: unicodePwd
unicodePwd:: IgBUAGUAbQBwAG8AcgBhAGwAMgAiAA==

Note the double colon after unicodePwd: it means the data is base64 encoded.

Using LDIF through ldapmodify now works here to modify any user's password when ldapmodify is run with the identity of a specific user to whom we delegated the rights to modify all users.

As long as I was trying to use "replace: unicodePwd" as in the following LDIF, I received an error about insufficient rights.

dn: ........
changetype: modify
replace: unicodePwd
unicodePwd:: IgBUAGUAbQBwAG8AcgBhAGwAMgAiAA==

Using two actions ("delete: unicodePwd" then "add: unicodePwd"), the insufficient rights issue disappeared. Thank you : )

Cheers,

mathias

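The encoding steps from the answer, as a Python example added here (it is neither the asker's webapp code nor mathias' commands): it produces the double-quoted UTF-16LE base64 value for unicodePwd, checks a value for the stray newline that `echo` without -n introduces, and emits the delete/add LDIF instead of replace. When an old password is supplied, the delete carries the old value, which is the form the question's second attempt used for a self-service change; without it the whole attribute is deleted first, as in the answer's delegated-rights LDIF. The DN and passwords are constructed placeholders.

```python
import base64
from typing import Optional


def encode_unicode_pwd(password: str) -> bytes:
    """Raw unicodePwd value: the password wrapped in double quotes, UTF-16LE.
    No newline is appended; with `echo` (without -n) the shell newline
    silently becomes part of the stored password."""
    if "\n" in password or "\r" in password:
        raise ValueError("password must not contain line breaks")
    return f'"{password}"'.encode("utf-16-le")


def encode_unicode_pwd_b64(password: str) -> str:
    """Base64 form, as written after 'unicodePwd::' in LDIF."""
    return base64.b64encode(encode_unicode_pwd(password)).decode("ascii")


def decode_unicode_pwd_b64(value: str) -> str:
    """Inverse of encode_unicode_pwd_b64: undo base64, UTF-16LE and the quotes."""
    text = base64.b64decode(value).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted string")
    return text[1:-1]


def check_unicode_pwd_b64(value: str) -> str:
    """Sanity-check a base64 unicodePwd value before sending it.
    Returns 'ok' or a description of the problem; in particular it catches
    the `echo` without -n mistake, where the newline ends up inside the value."""
    raw = base64.b64decode(value)
    if len(raw) % 2:
        return "odd byte count: not UTF-16LE"
    text = raw.decode("utf-16-le")
    if text.endswith("\n"):
        return "trailing newline inside the value (echo without -n?)"
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        return "value is not wrapped in double quotes"
    return "ok"


def build_password_change_ldif(dn: str, new_password: str,
                               old_password: Optional[str] = None) -> str:
    """LDIF that changes unicodePwd with delete + add in one modify operation.
    With old_password the delete names the old value (self-service change);
    without it the whole attribute is deleted first (delegated reset)."""
    lines = [f"dn: {dn}", "changetype: modify", "delete: unicodePwd"]
    if old_password is not None:
        lines.append(f"unicodePwd:: {encode_unicode_pwd_b64(old_password)}")
    lines += ["-", "add: unicodePwd",
              f"unicodePwd:: {encode_unicode_pwd_b64(new_password)}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample DN and passwords; not a real directory entry.
    print(build_password_change_ldif("cn=jdoe,cn=Users,dc=example,dc=com",
                                     "Temporal2", old_password="Temporal1"))
    print(check_unicode_pwd_b64("IgBUAGUAbQBwAG8AcgBhAGwAMgAiAAoA"))
```

The resulting text can be piped into ldapmodify over LDAPS exactly like the hand-written LDIF in the answer; running check_unicode_pwd_b64 on a value produced by a shell pipeline is a quick way to confirm the -n was not forgotten.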