[Ltb-users] Permissions for Active Directory manager account

Clément OUDOT clem.oudot at gmail.com
Thu Sep 29 09:36:09 CEST 2011

2011/9/28 Sumit Khanna <sum.lists at gmail.com>:
> Hey there,
> I'm currently trying to use the ltb password self service with an
> Active Directory domain. I have LDAPs working on AD and it can connect
> using my manager user, but the managed user doesn't have permissions
> to change a user's passwords.
> I have a services OU and within it I made an account called sys_pss. I
> then right clicked on the People OU > delegate control. I selected my
> sys_pss user and added "Reset user password and force password change
> at next logon" and "Read all user information."
> However when I attempt to change the password, I keep getting
> "Password was refused by the LDAP directory" and the following in the
> logs:
> [Wed Sep 28 15:44:36 2011] [error] [client] LDAP -
> Modify password error 50 (Insufficient access), referer:
> https://secure.exmaple.com
> I know it's using the manager user because if I put an incorrect
> password in the config php file, I get "Bind error 49."
> I have $ad_mode set to true and $who_change_password = "manager";
> If I type in the wrong password for the old password, I do get an
> invalid password, so I know it's binding and authenticating correctly
> as the user. What permissions do I need to give to sys_pss in AD so it
> can modify users' passwords?


I am not an Active Directory expert. All I can say is that a password
change will work with an account with domain administration rights. Of
course this may be a little wide...

Let us know if you find the minimal rights for SSP to work with AD.

