A few days ago I migrated a client's old Samba4 server to a new Samba4 server (the client is in Palmerah, Jakarta, Indonesia). The old server also carried a PHP application, written by a previous vendor, that let Samba4 users change their passwords. Samba4 itself and the other applications migrated to the new server without trouble, but the PHP application could not be moved because the new server runs a different OS (the old server ran CentOS, the new one runs SLES).
To replace it I looked for another application with the same function and settled on LDAP Tool Box (LTB) Self Service Password, which does the same job. Below is what I did on the new Samba4 server. The commands are for SLES; adjust them for the system you use.
# Install Apache and dependencies
zypper in apache2 apache2-mod_php53 php53-mcrypt php53-ldap php53-openssl
# Download LTB
cd /srv/www/htdocs
wget -c http://tools.ltb-project.org/attachments/download/497/ltb-project-self-service-password-0.8.tar.gz
# Extract, and configure LTB
tar -zxvf ltb-project-self-service-password-0.8.tar.gz
mv ltb-project-self-service-password-0.8 ltb
vi /srv/www/htdocs/ltb/conf/config.inc.php
Adjust the following settings to match your system (the values below are for my domain imanudin.net):
$ldap_url = "ldap://samba4.imanudin.net";
$ldap_binddn = "cn=Administrator,cn=Users,dc=imanudin,dc=net";
$ldap_bindpw = "VerySecret";
$ldap_base = "dc=imanudin,dc=net";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login}))";
$ad_mode = true;
$who_change_password = "manager";
Note: in this setup LTB runs on the same machine as Samba4, so the plain ldap:// connection and the bind password never leave the host. If LTB runs on a separate server, use ldaps:// (or set $ldap_starttls = true) so that the bind password and the users' new passwords are not sent in clear text; Windows Active Directory refuses unicodePwd writes over an unencrypted connection anyway. $who_change_password = "manager" means the bind account resets the password on the user's behalf, so that account needs the reset-password right; a dedicated service account with only that right is safer than the domain Administrator used here.
# Save and restart Apache
service apache2 restart
Now open your LTB/Samba4 server at http://samba4.imanudin.net/ltb and try changing a Samba4 user's password. Since users type their current and new passwords into this form, put it behind HTTPS before exposing it beyond the local network.
Finally, I can change Samba4/Active Directory passwords via the web, and the old PHP application is replaced.
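To make two of the settings above concrete, here is an added example (written for this article, not LTB's own code) of what the {login} placeholder in $ldap_filter and $ad_mode = true mean on the wire: the login substituted into the filter must be escaped per RFC 4515 so that a crafted login cannot rewrite the search, and a new password is written to AD/Samba4 as the unicodePwd attribute, UTF-16LE encoded and wrapped in double quotes. The function names, the MOD_* constants (python-ldap's values) and the sample inputs are my own assumptions:

```python
"""Added example for this article, not LTB code.

Shows (1) how the {login} placeholder in $ldap_filter must be filter-escaped
(RFC 4515) before it is substituted, and (2) how $ad_mode = true turns a new
password into the unicodePwd value that Active Directory / Samba4 expect,
for both $who_change_password modes.  Function names and inputs are assumed.
"""

# Values copied from the config.inc.php shown in the article.
LDAP_FILTER = "(&(objectClass=user)(sAMAccountName={login}))"
LDAP_URL = "ldap://samba4.imanudin.net"

# Same numeric values as python-ldap's ldap.MOD_ADD / MOD_DELETE / MOD_REPLACE
# (defined here so the example runs without the python-ldap module).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def escape_filter_value(value):
    """Escape a user-supplied string for use inside an LDAP search filter (RFC 4515).

    Without this, a login such as  *)(objectClass=*  would change the
    structure of the filter instead of being matched literally."""
    specials = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    out = []
    for ch in value:
        if ch in specials:
            out.append(specials[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters are escaped byte by byte as UTF-8.
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def resolve_login_filter(template, login):
    """Substitute {login} in $ldap_filter with the escaped login."""
    return template.replace("{login}", escape_filter_value(login))


def unicode_pwd_value(password):
    """Encode a password the way AD's unicodePwd attribute requires:
    the clear-text password wrapped in double quotes, UTF-16LE encoded.
    This is the write that $ad_mode = true selects instead of userPassword."""
    return ('"' + password + '"').encode("utf-16-le")


def unicode_pwd_modlist(old_password, new_password, who_change_password):
    """Modification list for the password write, as a python-ldap style modlist.

    "manager": the bind account resets the password -> one MOD_REPLACE.
    "user":    the user binds with the old password and changes it -> AD requires
               MOD_DELETE of the old value plus MOD_ADD of the new value."""
    if who_change_password == "manager":
        return [(MOD_REPLACE, "unicodePwd", [unicode_pwd_value(new_password)])]
    if who_change_password == "user":
        return [
            (MOD_DELETE, "unicodePwd", [unicode_pwd_value(old_password)]),
            (MOD_ADD, "unicodePwd", [unicode_pwd_value(new_password)]),
        ]
    raise ValueError("who_change_password must be 'manager' or 'user'")


def connection_is_encrypted(ldap_url, starttls):
    """True when the LTB -> directory connection is protected by TLS.

    Windows AD refuses unicodePwd writes over an unencrypted connection, and
    the bind password travels in clear text otherwise, so off-host setups need
    ldaps:// or $ldap_starttls = true."""
    return ldap_url.lower().startswith("ldaps://") or bool(starttls)


if __name__ == "__main__":
    print(resolve_login_filter(LDAP_FILTER, "jdoe"))
    print(resolve_login_filter(LDAP_FILTER, "*)(objectClass=*"))
    print(unicode_pwd_value("VerySecret"))
    print(unicode_pwd_modlist("old", "new", "manager"))
    print(connection_is_encrypted(LDAP_URL, False))
```

Run it as-is to see the escaped filter and the encoded password value; the same two transformations are what the web form in the article triggers against Samba4 for every password change.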
Good luck, and I hope this is useful 😀
Hi Brother,
Have you tried this one?
https://github.com/Zimbra-Community/ADPassword
I've tried that extension on Zimbra OSE 8.6 and Zentyal 4.2 DC but still have an issue 😀
Hi pak,
Yes. But I am also still struggling with it 😀. Because my client needs to change passwords via the web (not all users join the domain), I finally used the awesome LTB Project 😉
Can you post the full config.inc.php? I can make it work without ad_mode, but the NT password is not changed properly... samba_mode=true does not have any effect.
Hello,
My config is the same as the configuration described in the article, and my samba_mode is still false.
hi iman,
I recently migrated our email and use Active Directory as the authentication mechanism. Do I need a Samba server to use LTB?
thanks!
Perfect
thanks
Hi Iman! Nice write-up...
I tried this guide to change Windows Active Directory passwords. I'm getting an error: can't connect to LDAP server...
root@spp:~# tail /var/log/apache2/error.log
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.1.2:3268
ldap_new_socket: 17
ldap_prepare_socket: 17
ldap_connect_to_host: Trying 192.168.1.2:3268
ldap_pvt_connect: fd: 17 tm: -1 async: 0
ldap_err2string
ldap_err2string
[Thu Mar 16 10:38:24 2017] [error] [client 192.168.10.1] LDAP – Bind error -1 (Can’t contact LDAP server), referer: https://192.168.10.32/index.php
Hi Daboy,
The problem is here
Please make sure the admin username and password are correct.
Hi iman,
Thanks!
The username and password of my Active Directory are correct; I was able to RDP to the Windows Active Directory server using the same credentials.
I'm using Debian... here's my config.
1. Download ltb
self-service-password_1.0-2_all.deb
2. Install
dpkg -i self-service-password_1.0-2_all.deb
3. create DIR on /opt/web-apps/
4. copy self-service-password to /opt/web-apps/
cp -rpv /usr/share/self-service-password /opt/web-apps/
5. config.inc.php
#==============================================================================
# Configuration
#==============================================================================
# LDAP
$ldap_url = "ldap://192.168.1.2:389";
$ldap_starttls = false;
$ldap_binddn = "cn=Administrator,cn=Users,dc=ad,dc=mydomain,dc=com";
$ldap_bindpw = "P@ssw0rd!@";
$ldap_base = "dc=ad,dc=mydomain,dc=com";
$ldap_login_attribute = "sAMAccountName";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login}))";
# Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = true;
# Force account unlock when password is changed
$ad_options['force_unlock'] = false;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = false;
$ad_mode = true;
$who_change_password = "user";
6. Edit Apache configuration using a virtual host
/etc/apache2/sites-available/self-service-password.conf
ServerName ssp.example.com
DocumentRoot /opt/web-apps/self-service-password
DirectoryIndex index.php
AddDefaultCharset UTF-8
LogLevel warn
ErrorLog /var/log/apache2/ssp_error.log
CustomLog /var/log/apache2/ssp_access.log combined
I got a new error...
#tail /var/log/apache2/error.log
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.1.2:3268
ldap_new_socket: 17
ldap_prepare_socket: 17
ldap_connect_to_host: Trying 192.168.1.2:3268
ldap_pvt_connect: fd: 17 tm: -1 async: 0
TLS: can’t connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_err2string
[Mon Mar 20 20:06:46 2017] [error] [client 192.168.10.1] LDAP – Bind error -1 (Can’t contact LDAP server), referer: https://192.168.10.32/index.php
Hi Iman, I got the same error too... can you help us with how to achieve this on Windows Active Directory?
I appreciate your help... thank you.
Hi Daba,
Please try the example configuration here: https://ltb-project.org/documentation/self-service-password/latest/config_ldap