[Ltb-users] bindn and who_change_password in Active Directory environment

Paul Phillabaum paul at ipaulo.com
Wed Jun 20 00:09:19 CEST 2018


I have SSP set up with a non-privileged account to bind to AD, and use
$who_change_password = "user"; This seems like the most secure setup, since
the bindpw on disk doesn't have any special access. I do not plan to use
tokens or questions, nor to allow users to reset passwords on locked or expired
accounts.

It's working well, except if the AD account has the AD flag "User must
change password on next login" set to true. In that case, SSP will return
"Password was refused by the LDAP directory" when they try to change it. Is
using a privileged user to bind to AD the only way to deal with this?

Finally, sorry if this is a silly question, but if SSP does connect with a
privileged user, what does it do with the "Old password" the user enters? I
thought the "Reset Password" AD permission in the documentation grants the
user the right to change any password, so how is SSP validating the user before
changing the password? Does it connect to AD and verify the password with a
logon attempt? I will test to see how it works practically, but I'd like to
know what is being done within the app.

Thank you for the support,

Paul
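The failure described above is easier to diagnose if the application surfaces the subcode that Active Directory puts in the diagnostic message of a failed simple bind. The following is an added example (not SSP's own code, and not a description of its internals): it classifies AD bind diagnostics and shows, against a constructed in-memory directory, why a "user binds with the old password" design cannot proceed for an account flagged "must change password at next logon". The diagnostic-message format and subcode meanings are AD's documented behaviour; the user entries are made up.

```python
import re

# Active Directory reports why a simple bind failed inside the diagnostic
# message, e.g. "80090308: LdapErr: DSID-0C09042A, comment:
# AcceptSecurityContext error, data 773, v2580". The subcodes are documented
# NT status values; 773 is the "must change password at next logon" case.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must change password at next logon",
    "775": "account locked out",
}

_SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_bind_failure(diagnostic: str) -> str:
    """Map an AD bind diagnostic message to a human-readable reason."""
    match = _SUBCODE_RE.search(diagnostic or "")
    if not match:
        return "unknown"
    code = match.group(1).lower()
    return AD_BIND_SUBCODES.get(code, f"unrecognised subcode {code}")


# Constructed stand-in for AD so the example runs offline. Bob has the
# "User must change password on next login" flag set (pwdLastSet = 0 in AD).
CONSTRUCTED_USERS = {
    "CN=Alice,OU=Staff,DC=example,DC=com": {"password": "Old-Pass-1", "must_change": False},
    "CN=Bob,OU=Staff,DC=example,DC=com": {"password": "Old-Pass-2", "must_change": True},
}


def fake_bind(dn: str, password: str):
    """Simulated AD simple bind: returns (success, diagnostic message)."""
    entry = CONSTRUCTED_USERS.get(dn)
    if entry is None or entry["password"] != password:
        return False, "80090308: LdapErr: comment: AcceptSecurityContext error, data 52e, v2580"
    if entry["must_change"]:
        return False, "80090308: LdapErr: comment: AcceptSecurityContext error, data 773, v2580"
    return True, ""


def self_service_change(dn: str, old_pw: str, bind=fake_bind) -> str:
    """With who_change_password = "user" style flow, the user's own bind with
    the old password is the validation step; return "changed" or the reason."""
    ok, diag = bind(dn, old_pw)
    return "changed" if ok else classify_bind_failure(diag)
```

With a real server the same classification can be applied to the diagnostic message the LDAP library returns on a failed bind, turning a generic "refused" into the actual AD reason for the log.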