[Ltb-users] Permissions for Active Directory manager account
sum.lists at gmail.com
Wed Sep 28 21:49:12 CEST 2011
I'm currently trying to use the ltb password self service with an
Active Directory domain. I have LDAPS working on AD and it can connect
using my manager user, but the manager user doesn't have permissions
to change users' passwords.
I have a services OU and within it I made an account called sys_pss. I
then right clicked on the People OU > delegate control. I selected my
sys_pss user and added "Reset user password and force password change
at next logon" and "Read all user information."
However when I attempt to change the password, I keep getting
"Password was refused by the LDAP directory" and the following in the
[Wed Sep 28 15:44:36 2011] [error] [client 192.168.99.34] LDAP -
Modify password error 50 (Insufficient access), referer:
I know it's using the manager user because if I put an incorrect
password in the config php file, I get "Bind error 49."
I have $ad_mode set to true and $who_change_password = "manager";
If I type in the wrong password for the old password, I do get an
invalid password, so I know it's binding and authenticating correctly
as the user. What permissions do I need to give to sys_pss in AD so it
can modify users' passwords?
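An added diagnostic (not part of the original thread or of the LTB project) for the situation described above: it lists the ACEs on the People OU that name the sys_pss account and decodes whether the "Reset Password" control access right and write access to pwdLastSet are present and whether they inherit to descendant user objects rather than applying to the OU object only. The OU distinguished name and the domain prefix are placeholders; the rights/schema GUIDs are Microsoft's published well-known values.

```powershell
# Added example: audit the delegation granted to sys_pss on the People OU.
# Requires the ActiveDirectory module (provides the AD: drive used by Get-Acl).
Import-Module ActiveDirectory

$ouDN    = 'OU=People,DC=example,DC=com'   # placeholder DN of the People OU
$account = 'EXAMPLE\sys_pss'               # placeholder domain prefix for sys_pss

# Well-known GUIDs published in the AD schema / rights documentation
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" control access right
$pwdLastSetAttr     = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # pwdLastSet attribute
$userClass          = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # user object class
$allObjects         = [guid]::Empty                                  # ACE applies to every object type

$acl = Get-Acl -Path "AD:\$ouDN"

$acl.Access |
    Where-Object { $_.IdentityReference.Value -ieq $account } |
    ForEach-Object {
        $ace = $_

        # Translate the ObjectType GUID into the right it represents
        $right = switch ($ace.ObjectType) {
            $resetPasswordRight { 'Reset Password (extended right)' }
            $pwdLastSetAttr     { 'pwdLastSet attribute' }
            $allObjects         { 'all properties / rights' }
            default             { $ace.ObjectType.ToString() }
        }

        # Delegations made via the wizard should apply to descendant user objects;
        # InheritanceFlags = None means the ACE covers the OU object itself only.
        $appliesTo = switch ($ace.InheritedObjectType) {
            $userClass  { 'descendant user objects' }
            $allObjects { 'all descendant object types' }
            default     { $ace.InheritedObjectType.ToString() }
        }

        [pscustomobject]@{
            Right            = $right
            AccessType       = $ace.AccessControlType      # Allow or Deny
            ADRights         = $ace.ActiveDirectoryRights  # ExtendedRight, WriteProperty, ...
            AppliesTo        = $appliesTo
            InheritanceFlags = $ace.InheritanceFlags
        }
    } | Format-Table -AutoSize
```

An empty result means no ACE on the OU names the account at all; a row with InheritanceFlags of None shows a delegation that never reaches the user objects beneath the OU.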