[Ltb-users] prevent rapid password changes

Clément OUDOT clement.oudot at savoirfairelinux.com
Thu Aug 31 10:21:10 CEST 2017



On 30/08/2017 at 19:55, Taylor Hammerling wrote:
> Thanks for the reply!
>
> I do have SSP set up in AD mode.
>
> When I try to set the $who_change_password to "user" no one can change 
> their password.  SSP just fires back "Password was refused by the LDAP 
> directory"
>
> If I set the $who_change_password to manager, and the ldap_binddn is 
> set to a service account user "ssp" who is delegated the following 
> active directory rights (on Descendant User Objects) on the OU that 
> houses all our users.
>
> Read pwdLastSet
> Write pwdLastSet
> Read lockoutTime
> Write lockoutTime
> Change Password
> Reset Password
>
> Then passwords can be changed, but it ignores the minimum password age 
> I set in Samba4.  I tried removing the "Reset Password" delegation 
> (because that's just like what an administrator would do, and I 
> thought it might be bypassing the password policies) however when I 
> did that I received the same "Password was refused by the LDAP directory"
> as when setting the who change password variable to "user".


Well, if the password is refused by the LDAP directory, maybe it is because
the directory password policy works. Did you check that a user can
change their own password? If yes, are you able to do it outside SSP?


-- 
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
