[Ltb-users] Permissions for Active Directory manager account

Sumit Khanna sum.lists at gmail.com
Wed Sep 28 21:49:12 CEST 2011

Hey there,

I'm currently trying to use the ltb password self service with an
Active Directory domain. I have LDAPs working on AD and it can connect
using my manager user, but the managed user doesn't have permissions
to change a user's passwords.

I have a services OU and within it I made an account called sys_pss. I
then right clicked on the People OU > delegate control. I selected my
sys_pss user and added "Reset user password anf force password change
at next logon" and "Read all user information."

However when I attempt to change the password, I keep getting
"Password was refused by the LDAP directory" and the following in the

[Wed Sep 28 15:44:36 2011] [error] [client] LDAP -
Modify password error 50 (Insufficient access), referer:

I know it's using the manager user because if I put an incorrect
password in the config php file, I get "Bind error 49."

I have $ad_mode set to true and $who_change_password = "manager";

If I type in the wrong password for the old password, I do get an
invalid password, so I know it's binding and authenticating correctly
as the user. What permissions do I need to give to sys_pss in AD so it
can modify user's passwords?



More information about the ltb-users mailing list