Change userPassword in AD (as the user) using LDAP Connector
John Ekare
2018-06-13 08:54:14 UTC
Hi!

I'm trying to use an LDAP Connector to change the password of a user in the AD, as the user.

I have an ITDI 7.1.1 AssemblyLine where an HTTPServerConnector receives a REST call from a front-end "password reset portal". I get old and new pwd, and sAMAccountName in the call and I start by doing an LDAP Connector lookup by sAMAccountName of the user DN, using a service account.

I CAN use the same service account with a second LDAP Connector to change the password of the user (having the Auto Map AD Password flag set in the connector config, and using simple authentication, and the SSL Connection flag set).

What I can't get to work is to use the distinguishedName and old_pwd of the user to perform the operation. The connector is set to initialize and terminate every time it is used, and I use the user DN and OLD_PWD as Login Username/Password (substitution) (still with the Auto Map AD Password flag and using simple authentication, and the SSL Connection flag set).

The error.message gives me "[LDAP: error code 50 - 00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0". However, I have managed to do an LDAP Bind via the terminal using the same credentials - so that part seems to be OK.

Is there a way to get the LDAP Connector to do the password change as the user who requested it? What am I missing?

Kind regards,
John Ekare
yn2000
2018-06-13 17:03:54 UTC
I don't think this has anything to do with TDI.
To prove it, please try using an LDAP browser, anything besides TDI, and bind using that user account to check whether he/she has the right to change his/her own password via the LDAP protocol. The user may be allowed to change his/her own password via his/her own desktop, but it might not be so via the LDAP protocol.
Rgds. YN.
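Whichever client sends the request, AD distinguishes a self-service password change from an administrative reset by the shape of the modify operation, and by default grants a user only the former on their own object, which is one way to end up with result code 50 while bound as the user. The example below is added here (Python, standard library only; it is not code from the thread or from TDI) and shows both forms of the modify, the encoding AD requires for unicodePwd, and a parser for the diagnostic string quoted in the first post; the password values are constructed samples.

```python
import re
from typing import Optional

# A modify operation is modelled as (op, attribute, [values]), which is what an
# LDAP client library serialises into the wire-level ModifyRequest.

def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts unicodePwd only as the clear-text password wrapped in double
    quotes and encoded as UTF-16LE (and only over an encrypted connection)."""
    return f'"{password}"'.encode("utf-16-le")

def build_self_change(old_password: str, new_password: str) -> list:
    """Self-service change, bound as the user: delete the current value and add
    the new one in ONE modify. AD checks the deleted value against the existing
    password and needs only the 'Change Password' right, which SELF holds."""
    return [
        ("delete", "unicodePwd", [encode_unicode_pwd(old_password)]),
        ("add", "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]

def build_admin_reset(new_password: str) -> list:
    """Administrative reset: a single replace. This needs the 'Reset Password'
    right on the target object, which an ordinary user does not have on their
    own account, so sending it bound as the user yields LDAP result 50."""
    return [("replace", "unicodePwd", [encode_unicode_pwd(new_password)])]

_AD_ERR = re.compile(
    r"error code (?P<ldap>\d+) - (?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), problem (?P<problem>\d+) \((?P<name>\w+)\)"
)

def parse_ad_error(message: str) -> Optional[dict]:
    """Split an AD diagnostic string into its parts for log triage."""
    m = _AD_ERR.search(message)
    if not m:
        return None
    return {
        "ldap_code": int(m["ldap"]),
        "win32_code": int(m["win32"], 16),  # 0x5 is ERROR_ACCESS_DENIED
        "kind": m["kind"],
        "problem": int(m["problem"]),
        "name": m["name"],
    }

if __name__ == "__main__":
    for op in build_self_change("OldP@ss1", "NewP@ss2"):  # constructed samples
        print(op[0], op[1], op[2][0])
    print(parse_ad_error("[LDAP: error code 50 - 00000005: SecErr: "
                         "DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0"))
```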
