cant change password to any accounts

[slaygirlz]

looking at the logs it cant find any user named (edge) that im resetting to test

bellow is my config
please all passwords are fake
the ou has been modfiyed to hide the org

[slaygirlz]

<?php
# Debug mode
# true: log and display any errors or warnings (use this in configuration/testing)
# false: log only errors and do not display them (use this in production)
$debug = true;

# LDAP
$ldap_url = "ldap://internal.rosehill-college.co.nz";
$ldap_starttls = false;
$ldap_binddn = "CN=NUC Computer,OU=Service Accounts,OU=RosehillCollege,DC=internal,DC=rosehill-college,DC=co,DC=nz";
$ldap_bindpw = "Pass2024";
$ldap_base = "DC=internal,DC=rosehill-college,DC=co,DC=nz";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=posixAccount)($ldap_login_attribute={login}))";

$shadow_options['update_shadowLastChange'] = true;
$shadow_options['update_shadowExpire'] = true;

$shadow_options['shadow_expire_days'] = 60;

$hash = "auto";

$hash_options['crypt_salt_prefix'] = "$6$";
$hash_options['crypt_salt_length'] = "6";

#$pwd_min_length = 12;
#$pwd_max_length = 15;
#$pwd_min_lower = 1;
#$pwd_min_upper = 1;
#$pwd_min_digit = 1;
#$pwd_min_special = 1;
#$pwd_special_chars = "^a-zA-Z0-9";
#$pwd_no_reuse = true;
#$pwd_diff_login = true;
#$pwd_complexity = 1;
#$use_pwnedpasswords = false;
#$pwd_show_policy = "always";
#$pwd_show_policy_pos = "above";

$who_change_password = "user";

$use_change = true;

$change_sshkey = false;

$change_sshkey_attribute = "sshPublicKey";

$who_change_sshkey = "user";

$notify_on_sshkey_change = false;

$use_questions = true;

$answer_objectClass = "extensibleObject";
$answer_attribute = "info";

$crypt_answers = true;

$use_tokens = true;
$crypt_tokens = true;
$token_lifetime = "3600";

$keyphrase = "7rRy0}96#4E7#kzb%:,25X}c&66rU";

$show_help = true;

$lang = "en";

$allowed_lang = array();

$show_menu = true;

#$logo = "images/kifarunix-logo.png";

#$background_image = "images/unsplash-space.jpeg";

$login_forbidden_chars = "*()&|";

$default_action = "change";
?>`

[coudot]

Hello, on Active Directory you should configure:

$ldap_login_attribute = "sAMAccountName";

Or directly edit the LDAP filter like written in the docs: https://self-service-password.readthedocs.io/en/stable/config_ldap.html#active-directory

[slaygirlz]

thank you so much
editing the attribute and filter worked

[slaygirlz]

okay after testing the user password isnt changing

[slaygirlz]

its adding her it should just reset the user

[coudot]

You forgot to enable AD mode.

Read the documentation carefully: https://self-service-password.readthedocs.io/en/stable/config_ldap.html#active-directory

[slaygirlz]

yes I have read the docs when i found out ad mode :)
now my last issue it says ldap refusing password i have tried very hard passwords

[slaygirlz]

mistake understand whats needing again

[slaygirlz]

sorry but im stuck on here https://ltb-project.org/documentation/active_directory_certificates.html i need the ssl so i have the certificate open

but i can't create a ssl certificate
been right clicking to see create one

[slaygirlz]

good news i managed to get the servers key now i get this error

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.2. Set the 'ServerName' directive globally to suppress this message

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.18.0.2. Set the 'ServerName' directive globally to suppress this message

[Mon Oct 14 12:47:43.867495 2024] [mpm_prefork:notice] [pid 1:tid 1] AH00163: Apache/2.4.62 (Debian) PHP/8.3.11 configured -- resuming normal operations

[Mon Oct 14 12:47:43.867513 2024] [core:notice] [pid 1:tid 1] AH00094: Command line: 'apache2 -D FOREGROUND'

[Mon Oct 14 12:47:45.122444 2024] [php:error] [pid 17:tid 17] [client 172.18.0.1:50010] PHP Fatal error: Uncaught Error: Undefined constant "TLS_CACERT" in /var/www/conf/config.inc.local.php:87\nStack trace:\n#0 /var/www/config.inc.php.orig(503): require_once()\n#1 /var/www/htdocs/index.php(11): require_once('...')\n#2 {main}\n thrown in /var/www/conf/config.inc.local.php on line 87, referer: http://10.0.13.5:8032/index.php?action=sendtoken

172.18.0.1 - - [14/Oct/2024:12:47:45 +0000] "GET /index.php HTTP/1.1" 500 211 "http://10.0.13.5:8032/index.php?action=sendtoken" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36 Edg/129.0.0.0"

[fengjicheng]

Hello slaygirlz ：
edit profile file /etc/openldap/ldap.conf
Add a line at the end of the file TLS_REQCERT never
My example：
# add 20241227
#TLS_CACERTDIR /etc/openldap/certs
#TLS_CACERT /etc/openldap/certs/yk01.pem
#SASL_NOCANON on
TLS_REQCERT never
#TLS_REQCERT allow
Then no longer report SSL issues.
In addition, I encountered a situation where a domain account must have login permissions to the domain control host in order to be able to modify it.I solved it by modifying the code. issues