2018-06-13 08:54:14 UTC
I'm trying to use an LDAP Connector to change the password of a user in the AD, as the user.
I have an ITDI 7.1.1 AssemblyLine where an HTTPServerConnector receives a REST call from a front-end "password reset portal". I get old and new pwd, and sAMAccountName in the call and I start by doing an LDAP Connector lookup by sAMAccountName of the user DN, using a service account.
I CAN use the same service account with a second LDAP Connector to change the password of the user (having the Auto Map AD Password flag set in the connector config, and using simple authentication, and the SSL Connection flag set).
What I can't get to work is to use the distinguishedName and old_pwd of the user to perform the operation. The connector is set to initialize and terminate every time it is used, and I use the user DN and OLD_PWD as Login Username/Password (substitution) (still with the Auto Map AD Password flag and using simple authentication, and the SSL Connection flag set).
The error.message gives me "[LDAP: error code 50 - 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". However, I have managed to do an LDAP Bind via the terminal using the same credentials - so that part seems to be OK.
Is there a way to get the LDAP Connector to do the password change as the user who requested it? What am I missing?
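One thing worth checking is which LDAP modify the connector emits against unicodePwd when it binds as the user. AD accepts a self-service password change only as a delete of the old unicodePwd value plus an add of the new value in a single modify over LDAPS; a replace of unicodePwd is a password reset and needs the Reset Password right, which an ordinary user does not hold on their own object. The Python below is an added example, not part of the original post or of TDI, that builds both shapes and renders them as LDIF for ldapmodify; it assumes the connector is doing a replace, and the DN and passwords are constructed.

```python
import base64

# AD stores unicodePwd as the password wrapped in double quotes, UTF-16LE encoded.
def encode_unicode_pwd(password: str) -> bytes:
    return ('"' + password + '"').encode("utf-16-le")

# Self-service change: the user proves knowledge of the old password by deleting
# that exact value and adding the new one in the same modify operation.
def self_service_change(old_password: str, new_password: str):
    return [
        ("delete", "unicodePwd", encode_unicode_pwd(old_password)),
        ("add", "unicodePwd", encode_unicode_pwd(new_password)),
    ]

# Administrative reset: a single replace, which requires the Reset Password
# extended right on the target object (a service account, not the user).
def admin_reset(new_password: str):
    return [("replace", "unicodePwd", encode_unicode_pwd(new_password))]

# Render a modification list as an LDIF change record; binary values use "::" base64.
def to_ldif(dn: str, mods) -> str:
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, value in mods:
        lines.append(f"{op}: {attr}")
        lines.append(f"{attr}:: {base64.b64encode(value).decode('ascii')}")
        lines.append("-")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample values, not from a real directory.
    user_dn = "CN=Example User,OU=Users,DC=example,DC=com"
    print(to_ldif(user_dn, self_service_change("OldP@ss1", "NewP@ss2")))
    print(to_ldif(user_dn, admin_reset("NewP@ss2")))
```

The self-service record is the one to send over LDAPS while bound as the user; if the connector only knows how to emit the replace form, it will fail with INSUFF_ACCESS_RIGHTS under the user's credentials regardless of a successful bind.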