Question about delegation of control #442

Open
opoplawski opened this issue Nov 16, 2020 · 3 comments

opoplawski commented Nov 16, 2020

The active directory documentation states:

 Use Delegate control wizard within “User and computers”, then

    User Object
    Reset Password
    Write lockoutTime (if unlock is enabled)
    Write shadowlastchange

I don't follow this. On my 2012 AD server when I go through the wizard I get:

DOC

So I don't follow what "User Object", "Write lockoutTime", and "Write shadowlastchange" refer to exactly. Thanks for any help.

@opoplawski

Okay, I think this makes more sense if you read it as "Create a custom task to delegate" acting on "User objects".

However, that seems to still be insufficient permissions to change a user's password when "User must change password at next logon" is checked in AD.

ldap_int_select
read1msg: ld 0x56470ce56250 msgid 3 all 1
read1msg: ld 0x56470ce56250 msgid 3 message type bind
read1msg: ld 0x56470ce56250 0 new referrals
read1msg:  mark request completed, ld 0x56470ce56250 msgid 3
request done: ld 0x56470ce56250 msgid 3
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 773, v2580>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
ldap_int_select
read1msg: ld 0x56470ce56250 msgid 5 all 1
read1msg: ld 0x56470ce56250 msgid 5 message type modify
read1msg: ld 0x56470ce56250 0 new referrals
read1msg:  mark request completed, ld 0x56470ce56250 msgid 5
request done: ld 0x56470ce56250 msgid 5
res_errno: 50, res_error: <00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0>, res_matched: <>
ldap_free_request (origid 5, msgid 5)

And:

Password was refused by the LDAP directory

is displayed. Perhaps rights to change password must be given as well?
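The two `res_errno` lines in the debug output above carry the information needed to tell the failures apart: the bind (msgid 3) fails with LDAP result 49 and an Active Directory sub-code `data 773`, while the modify (msgid 5) fails with result 50 and `problem 4003 (INSUFF_ACCESS_RIGHTS)`. The helper below decodes those lines; it is an added example written for this thread, not code from self-service-password. AD reports the `data` value as a hexadecimal Win32 error code, and the code table is the standard set of AD bind sub-codes; the sample log is the output pasted above, reused here as constructed input.

```python
"""Decode OpenLDAP client debug lines ('res_errno: N, res_error: <...>')
produced when talking to Active Directory.

Added example for the thread above; not part of self-service-password.
"""
import re

# LDAP result codes (RFC 4511) that appear in the thread.
LDAP_RESULT = {
    49: "invalidCredentials",
    50: "insufficientAccessRights",
}

# Active Directory bind sub-codes. The 'data NNN' token in the
# AcceptSecurityContext comment is a hexadecimal Win32 error code.
AD_BIND_DATA = {
    0x525: "user not found",
    0x52E: "invalid credentials (wrong password)",
    0x530: "not permitted to log on at this time",
    0x531: "not permitted to log on from this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must change password at next logon (ERROR_PASSWORD_MUST_CHANGE)",
    0x775: "account locked out",
}

# One record per 'res_errno: N, res_error: <...>' line. re.S lets the
# <...> part span a line break, as it does in the pasted output.
LINE_RE = re.compile(r"res_errno:\s*(\d+),\s*res_error:\s*<(.*?)>", re.S)
DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)")
PROBLEM_RE = re.compile(r"problem\s+(\d+)\s*\(([A-Z_]+)\)")


def explain(log: str) -> list:
    """Return a list of dicts describing each LDAP result found in the log."""
    findings = []
    for errno, detail in LINE_RE.findall(log):
        errno = int(errno)
        rec = {
            "errno": errno,
            "result": LDAP_RESULT.get(errno, "other"),
            "data": None,      # AD sub-code, decoded from hex
            "meaning": None,   # human-readable meaning of the sub-code
            "problem": None,   # SecErr problem name, e.g. INSUFF_ACCESS_RIGHTS
        }
        m = DATA_RE.search(detail)
        if m:
            rec["data"] = int(m.group(1), 16)
            rec["meaning"] = AD_BIND_DATA.get(rec["data"])
        p = PROBLEM_RE.search(detail)
        if p:
            rec["problem"] = p.group(2)
        findings.append(rec)
    return findings


def summarize(findings: list) -> list:
    """One line of plain English per finding, for a quick read of a debug log."""
    lines = []
    for rec in findings:
        text = f"result {rec['errno']} ({rec['result']})"
        if rec["meaning"]:
            text += f": {rec['meaning']}"
        elif rec["problem"]:
            text += f": {rec['problem']}"
        lines.append(text)
    return lines


# Constructed sample: the two result lines pasted in the thread above.
SAMPLE_LOG = """\
res_errno: 49, res_error: <80090308: LdapErr: DSID-0C090446, comment: AcceptSecurityContext error, data 773, v2580>, res_matched: <>
ldap_free_request (origid 3, msgid 3)
res_errno: 50, res_error: <00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
>, res_matched: <>
"""

if __name__ == "__main__":
    for line in summarize(explain(SAMPLE_LOG)):
        print(line)
```

Run on the pasted output, the bind failure decodes to "user must change password at next logon" and the modify failure to INSUFF_ACCESS_RIGHTS, which separates the two questions the thread is mixing: the bind sub-code is expected when the flag is set, and the modify result is the one that depends on what was delegated.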

@opoplawski

No that still seems insufficient.

@coudot

coudot commented Nov 17, 2020

I do not have enough AD skills to answer you. If you think the documentation should be updated, please modify https://github.com/ltb-project/self-service-password/blob/master/docs/config_ldap.rst and propose a pull request

@coudot coudot added this to the 1.4 milestone Nov 17, 2020
@coudot coudot modified the milestones: 1.4, 2.0 Mar 29, 2021
@coudot coudot modified the milestones: 2.0, 1.6.0 May 12, 2023
@coudot coudot modified the milestones: 1.6.0, Backlog Aug 18, 2023