How To Change Active Directory/Samba4 User Passwords via Web using LDAP ToolBox


A few days ago I migrated an old Samba4 installation to a new Samba4 server for a client in Palmerah, Jakarta, Indonesia. They had a PHP application, written by a previous vendor on the old Samba4 server, that was used to change Samba4 user passwords. Everything else could be migrated to the new Samba4 server together with the other applications, but the PHP application could not, because the new Samba4 host runs a different OS (the old server used CentOS, the new one uses SLES).

To replace the PHP application I looked for another tool with the same function and settled on LDAP ToolBox (LTB) Self Service Password, which does exactly that. Below is what I did on the new Samba4 server. This article uses SLES; adjust the commands for the system you are using.

# Install Apache and dependencies

zypper in apache2 apache2-mod_php53 php53-mcrypt php53-ldap php53-openssl

# Download LTB

cd /srv/www/htdocs
wget -c http://tools.ltb-project.org/attachments/download/497/ltb-project-self-service-password-0.8.tar.gz

# Extract, and configure LTB

tar -zxvf ltb-project-self-service-password-0.8.tar.gz
mv ltb-project-self-service-password-0.8 ltb
vi /srv/www/htdocs/ltb/conf/config.inc.php

Adjust the following settings to match your environment:

$ldap_url = "ldap://samba4.imanudin.net";                        // Samba4 DC (here: the local host)
$ldap_binddn = "cn=Administrator,cn=Users,dc=imanudin,dc=net";  // account LTB binds as
$ldap_bindpw = "VerySecret";                                      // its password, stored in clear text
$ldap_base = "dc=imanudin,dc=net";                               // search base for user lookups
$ldap_login_attribute = "sAMAccountName";                        // what the user types as login
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=user)(sAMAccountName={login}))";  // {login} is replaced by the typed login
$ad_mode = true;                                                 // write unicodePwd (AD / Samba4 AD) instead of userPassword
$who_change_password = "manager";                                // the bind account resets the password, not the user

Note: in this setup LTB runs on the same machine as Samba4, which is why a plain ldap:// URL to the local server is acceptable here. Before exposing the form to users, tighten three things. First, config.inc.php contains the bind password in clear text and lives under the document root, so make it readable only by the Apache user, and bind with a dedicated account that has been delegated password-reset rights rather than with Administrator; with $who_change_password = "manager" it is this bind account, not the user, that performs the change, so it needs exactly that right and nothing more. Second, if LTB and Samba4 are ever on different hosts, use ldaps:// (or $ldap_starttls = true) instead of ldap://, otherwise the bind password and every new user password cross the network in clear text; Windows Active Directory also refuses unicodePwd changes over an unencrypted connection. Third, serve the LTB page itself over HTTPS, since users type their new password into it.

# Save and restart Apache

service apache2 restart

Now open http://samba4.imanudin.net/ltb in a browser and try changing a Samba4 user's password.
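Before pointing users at the form, it is worth checking the LDAP half of config.inc.php from the shell, where errors are easier to read than through PHP. The script below is an added example and is not part of this article or of the LTB project; the hostname, the service-account DN, the bind-password file path and the filter template are placeholders that mirror the settings above and must be adjusted. It binds with the SSP account over TLS and checks that the login filter resolves a known user to exactly one entry. The {login} substitution is done with an RFC 4515 escape, so a test login containing ( ) * or \ cannot break or widen the filter.

```shell
#!/bin/sh
# ssp-preflight.sh: check the LDAP settings used by LTB Self Service Password
# from the shell before users get the form. Added example, not code from the
# article or the LTB project. Assumptions: OpenLDAP client tools (ldapsearch)
# are installed; hostname, DN, password-file path and filter are placeholders.

LDAP_URI="${LDAP_URI:-ldaps://samba4.imanudin.net}"
BIND_DN="${BIND_DN:-cn=ssp-svc,cn=Users,dc=imanudin,dc=net}"   # delegated reset account, not Administrator
BASE_DN="${BASE_DN:-dc=imanudin,dc=net}"
BINDPW_FILE="${BINDPW_FILE:-/etc/ssp/bindpw}"                   # mode 0600; keeps the password out of `ps`
FILTER_TEMPLATE='(&(objectClass=user)(sAMAccountName={login}))'  # same template as $ldap_filter

# Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
# backslash, *, ( and ) become \5c \2a \28 \29 (backslash first, so the escapes
# themselves are not re-escaped). Without this a login such as "*" or
# "x)(objectClass=*" would widen or break the filter instead of naming one user.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Substitute the escaped login for the {login} placeholder in the template.
# Shell prefix/suffix expansion is used instead of sed so that backslashes in
# the escaped value are never interpreted as sed backreferences.
build_filter() {
    ph='{login}'
    esc=$(ldap_filter_escape "$1")
    prefix=${FILTER_TEMPLATE%%"$ph"*}
    suffix=${FILTER_TEMPLATE#*"$ph"}
    printf '%s' "$prefix$esc$suffix"
}

# Bind with the SSP service account and run the login filter for a known user.
# StartTLS (-ZZ, mandatory) is added when the URI is plain ldap:// so the bind
# password does not cross the wire in clear text; ldaps:// is already encrypted.
preflight() {
    login=$1
    filter=$(build_filter "$login")
    tls_opt=''
    case $LDAP_URI in ldap://*) tls_opt='-ZZ' ;; esac
    # `&& rc=0 || rc=$?` keeps the exit code even when the caller uses `set -e`.
    out=$(ldapsearch -LLL $tls_opt -H "$LDAP_URI" -x -D "$BIND_DN" -y "$BINDPW_FILE" \
            -b "$BASE_DN" -s sub "$filter" dn 2>&1) && rc=0 || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "FAIL: ldapsearch exited $rc (network, TLS or bind problem):"
        echo "$out"
        return 1
    fi
    count=$(printf '%s\n' "$out" | grep -c '^dn:' || true)
    case $count in
        1) echo "OK: bind succeeded and $filter matched one entry"; return 0 ;;
        0) echo "FAIL: bind succeeded but $filter matched nothing (check ldap_base / ldap_filter)"; return 1 ;;
        *) echo "FAIL: $filter matched $count entries; the login attribute is not unique"; return 1 ;;
    esac
}

# Usage: sh ssp-preflight.sh <login>   (runs nothing when called without arguments)
if [ "$#" -gt 0 ]; then
    preflight "$1"
fi
```

Write the bind password to the file without a trailing newline (ldapsearch -y uses the file content verbatim), chmod 0600 it, then run sh ssp-preflight.sh with a real login. A result of -1 "Can't contact LDAP server" at this stage is a hostname, port or TLS problem, not a credential problem; wrong credentials come back as LDAP result 49 (invalid credentials), which is a useful distinction when reading the Apache error log later.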

[Screenshot: Change Password form]

[Screenshot: Change Password Success]

Finally, I could change Samba4/Active Directory passwords via the web and retire the old PHP application.

Good luck and hopefully useful 😀

12 comments

    1. Hi pak,

      Yes. But I am also still struggling with it 😀 . Because my client needs to change passwords via the web (not all users have joined the domain), I finally used the awesome LTB Project 😉

  1. Can you post the full config.inc.php? I can make it work without ad_mode, but the NT password is not changed properly. samba_mode=true does not have any effect.

  2. Hi Iman,

    I recently migrated our email and use Active Directory as the authentication mechanism. Do I need a Samba server to use LTB?

    Thanks!

  3. Hi Iman! Nice write-up…

    I tried this guide to change Windows Active Directory passwords. I'm getting an error: can't connect to LDAP server.

    root@spp:~# tail /var/log/apache2/error.log
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP 192.168.1.2:3268
    ldap_new_socket: 17
    ldap_prepare_socket: 17
    ldap_connect_to_host: Trying 192.168.1.2:3268
    ldap_pvt_connect: fd: 17 tm: -1 async: 0
    ldap_err2string
    ldap_err2string
    [Thu Mar 16 10:38:24 2017] [error] [client 192.168.10.1] LDAP - Bind error -1 (Can't contact LDAP server), referer: https://192.168.10.32/index.php

    1. Hi Daboy,

      The problem is here:

      [Thu Mar 16 10:38:24 2017] [error] [client 192.168.10.1] LDAP - Bind error -1 (Can't contact LDAP server), referer

      Please make sure the admin username and password are correct.

  4. Hi iman,

    Thanks!
    The username and password of my Active Directory are correct; I was able to RDP to the Windows Active Directory server using the same credentials.

    I'm using Debian. Here's my config.

    1. Download LTB
    self-service-password_1.0-2_all.deb
    2. Install
    dpkg -i self-service-password_1.0-2_all.deb
    3. Create a directory under /opt/web-apps/
    4. Copy self-service-password to /opt/web-apps/
    cp -rpv /usr/share/self-service-password /opt/web-apps/

    5. config.inc.php

    #==============================================================================
    # Configuration
    #==============================================================================
    # LDAP
    $ldap_url = "ldap://192.168.1.2:389";
    $ldap_starttls = false;
    $ldap_binddn = "cn=Administrator,cn=Users,dc=ad,dc=mydomain,dc=com";
    $ldap_bindpw = "P@ssw0rd!@";
    $ldap_base = "dc=ad,dc=mydomain,dc=com";
    $ldap_login_attribute = "sAMAccountName";
    $ldap_fullname_attribute = "cn";
    $ldap_filter = "(&(objectClass=user)(sAMAccountName={login}))";

    # Active Directory mode
    # true: use unicodePwd as password field
    # false: LDAPv3 standard behavior
    $ad_mode = true;
    # Force account unlock when password is changed
    $ad_options['force_unlock'] = false;
    # Force user change password at next login
    $ad_options['force_pwd_change'] = false;
    # Allow user with expired password to change password
    $ad_options['change_expired_password'] = false;

    $ad_mode = true;
    $who_change_password = "user";

    6. Edit the Apache configuration using a virtual host

    /etc/apache2/sites-available/self-service-password.conf

    ServerName ssp.example.com

    DocumentRoot /opt/web-apps/self-service-password
    DirectoryIndex index.php

    AddDefaultCharset UTF-8

    LogLevel warn
    ErrorLog /var/log/apache2/ssp_error.log
    CustomLog /var/log/apache2/ssp_access.log combined

  5. I got a new error:

    #tail /var/log/apache2/error.log
    ldap_int_open_connection
    ldap_connect_to_host: TCP 192.168.1.2:3268
    ldap_new_socket: 17
    ldap_prepare_socket: 17
    ldap_connect_to_host: Trying 192.168.1.2:3268
    ldap_pvt_connect: fd: 17 tm: -1 async: 0
    TLS: can't connect: A TLS packet with unexpected length was received..
    ldap_err2string
    ldap_err2string
    [Mon Mar 20 20:06:46 2017] [error] [client 192.168.10.1] LDAP - Bind error -1 (Can't contact LDAP server), referer: https://192.168.10.32/index.php

  6. Hi Iman, I got the same error too. Can you help us on how to achieve this on Windows Active Directory?
    Appreciate your help. Thank you.
