Admin reset password

Hi everyone, I installed the univention-admingrp-user-passwordreset component to allow the helpdesk to reset passwords, but when they try, the console displays:

[image: console output]

Obviously the user belongs to the “User Password Admins” group.

Console log /var/log/univention/management-console-module-udm.log:

10.04.21 08:57:19.399  MODULE      ( WARN    ) : Failed to modify LDAP object uid=sntest,cn=users,dc=my,dc=domain,dc=xy: permissionDenied:
10.04.21 08:58:53.813  ADMIN       ( ERROR   ) :
== [$6xxxxxxxxxxxxxxxxxxxxd0]
== [$6$rxxxxxxxxxxxxxQkJ1l8.]
10.04.21 08:58:53.838  MODULE      ( WARN    ) : Failed to modify LDAP object uid=sntest,cn=users,dc=my,dc=domain,dc=xy: permissionDenied:

/etc/ldap/slapd.conf:

# helpdesk access: grant access to specified groups for password reset
access to dn.sub="dc=my,dc=domain,dc=xy" filter="(&(|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=univentionMail)(objectClass=sambaSamAccount)(objectClass=simpleSecurityObject)(&(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)))(!(uidNumber=0))(!(|(uid=user0)(uid=Administrator)(uid=user1)(uid=user2)(uid=*$))))" attrs="krb5Key,userPassword,sambaPwdCanChange,sambaPwdMustChange,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,pwhistory,sambaPasswordHistory,krb5KDCFlags,krb5KeyVersionNumber,krb5PasswordEnd,shadowMax,shadowLastChange"
    by set="user & [cn=User Password Admins,cn=groups,dc=my,dc=domain,dc=xy]/uniqueMember*" write
    by * break

Hi, an update: a password change using an enabled user with ldappasswd works correctly:

$ ldappasswd -H ldapi:/// -x -D "uid=helpdesk,cn=users,dc=my,dc=domain,dc=xy" -W -S uid=sntest,cn=users,dc=my,dc=domain,dc=xy
New password:
Re-enter new password:
Enter LDAP Password:

It seems that the bind fails:

From /var/log/univention/management-console-server.log:

15.04.21 09:53:48.149  MAIN        ( PROCESS ) : LDAP bind for user 'uid=helpdesk,cn=users,dc=my,dc=domain,dc=xy'.
15.04.21 09:53:48.279  MODULE      ( PROCESS ) : Internal server error during "".

Is there any way to increase the log verbosity?

Anyone who can give me a clue as to where to investigate?

Hi, I’ve found the problem. I have the Zimbra connector; the password reset tries to change zimbraAccountStatus but it couldn’t. I found it by doing a tcpdump on port 8090 (admin server):

{"options": [{"object": {"unlock": "0", "homeSharePath": "sntest", "zimbraAccountStatus": "none", "password": "password1", "overridePWHistory": true, "overridePWLength": true, "$dn$": "uid=sntest,cn=users,dc=my,dc=domain,dc=xy"}, "options": null}], "flavor": "users/user"}
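The root cause in this thread is worth seeing mechanically: slapd evaluates an `access to ... attrs="..."` directive per attribute, so a single LDAP modify that writes the password attributes plus one attribute the ACL does not list (here zimbraAccountStatus, pushed by the Zimbra connector) is rejected as a whole with permissionDenied. The script below is an added example, not Univention's or OpenLDAP's code: it parses the access directive and the captured UMC request body from this thread (both embedded as constructed copies), expands the UDM properties being changed to the LDAP attributes a modify would write, and reports which of those fall outside the ACL's attrs list. The `PROPERTY_TO_ATTRS` table is an assumption kept deliberately small (the password property is expanded to the password attributes the ACL itself names; every other property is assumed to map to an LDAP attribute of the same name), and the set of properties treated as "changed" is passed in explicitly, because the UMC body carries the whole object and does not say which values differ.

```python
"""Check an intended LDAP modify against a slapd 'access to' directive.

Added example for the thread above (not Univention/OpenLDAP code). It shows why
a write to an attribute missing from the ACL's attrs list makes slapd reject
the whole modify with permissionDenied. All sample data is constructed.
"""
import json
import re

# Constructed copy of the access directive shown in the thread.
SLAPD_ACL = '''\
# helpdesk access: grant access to specified groups for password reset
access to dn.sub="dc=my,dc=domain,dc=xy" filter="(&(|(&(objectClass=posixAccount)(objectClass=shadowAccount))(objectClass=univentionMail)(objectClass=sambaSamAccount)(objectClass=simpleSecurityObject)(&(objectClass=person)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)))(!(uidNumber=0))(!(|(uid=user0)(uid=Administrator)(uid=user1)(uid=user2)(uid=*$))))" attrs="krb5Key,userPassword,sambaPwdCanChange,sambaPwdMustChange,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,pwhistory,sambaPasswordHistory,krb5KDCFlags,krb5KeyVersionNumber,krb5PasswordEnd,shadowMax,shadowLastChange"
    by set="user & [cn=User Password Admins,cn=groups,dc=my,dc=domain,dc=xy]/uniqueMember*" write
    by * break
'''

# Constructed copy of the UMC request body captured with tcpdump in the thread.
UMC_REQUEST = '''{"options": [{"object": {"unlock": "0", "homeSharePath": "sntest",
"zimbraAccountStatus": "none", "password": "password1", "overridePWHistory": true,
"overridePWLength": true, "$dn$": "uid=sntest,cn=users,dc=my,dc=domain,dc=xy"},
"options": null}], "flavor": "users/user"}'''

# ASSUMPTION (simplified): how a UDM property expands to LDAP attributes. Only the
# password property is listed; its footprint is the set of attributes the ACL itself
# names. Any other property is assumed to map to an LDAP attribute of the same name
# (true for zimbraAccountStatus, which the Zimbra connector adds as an extended attribute).
PROPERTY_TO_ATTRS = {
    "password": {"userPassword", "krb5Key", "krb5KeyVersionNumber", "sambaNTPassword",
                 "sambaLMPassword", "sambaPwdLastSet", "pwhistory", "sambaPasswordHistory",
                 "shadowLastChange"},
}
# Keys in the UMC body that steer the request rather than describe the object.
CONTROL_KEYS = {"$dn$", "overridePWHistory", "overridePWLength"}

# One 'access to <what>' line followed by one or more indented 'by ...' clauses.
ACCESS_RE = re.compile(r'^access to (?P<what>.+)\n(?P<by>(?:[ \t]+by .*\n?)+)', re.M)


def parse_access_directive(text):
    """Return the target spec, the attrs set (None = whole entry) and the by-clauses."""
    m = ACCESS_RE.search(text)
    if not m:
        raise ValueError("no 'access to' directive found")
    what = m.group("what")
    attrs_m = re.search(r'attrs="([^"]*)"', what)
    attrs = None  # no attrs clause: the directive covers every attribute of the entry
    if attrs_m:
        attrs = {a.strip() for a in attrs_m.group(1).split(",") if a.strip()}
    by_clauses = [ln.strip()[3:].strip() for ln in m.group("by").splitlines()
                  if ln.strip().startswith("by ")]
    return {"what": what, "attrs": attrs, "by": by_clauses}


def request_properties(body, exclude=CONTROL_KEYS):
    """Object properties carried by a UMC udm/put request body, minus control keys."""
    obj = json.loads(body)["options"][0]["object"]
    return {k: v for k, v in obj.items() if k not in exclude}


def ldap_attributes_for(props, changed):
    """Expand the UDM properties in `changed` to the LDAP attributes a modify would write."""
    written = set()
    for name in changed:
        if name not in props:
            raise KeyError("property %r is not in the request" % name)
        written |= PROPERTY_TO_ATTRS.get(name, {name})
    return written


def uncovered_attributes(acl, written):
    """Attributes of the modify that the ACL's attrs list does not grant (case-insensitive)."""
    if acl["attrs"] is None:
        return set()
    allowed = {a.lower() for a in acl["attrs"]}
    return {a for a in written if a.lower() not in allowed}


def diagnose(acl_text=SLAPD_ACL, body=UMC_REQUEST,
             changed=("password", "zimbraAccountStatus")):
    """Sorted list of attributes that would make slapd deny the whole modify."""
    acl = parse_access_directive(acl_text)
    written = ldap_attributes_for(request_properties(body), changed)
    return sorted(uncovered_attributes(acl, written))


if __name__ == "__main__":
    acl = parse_access_directive(SLAPD_ACL)
    print("ACL grants write via:", acl["by"][0])
    print("ACL lists %d attributes" % len(acl["attrs"]))
    missing = diagnose()
    if missing:
        print("modify denied as a whole; attributes outside the ACL:", missing)
    else:
        print("every written attribute is covered by the ACL")
```

Running it with the thread's data reports zimbraAccountStatus as the only uncovered attribute; with `changed=("password",)` the list is empty, which is the ldappasswd case from the second post (ldappasswd writes only the password attributes and therefore succeeds). The defensive lesson is that the ACL's attrs list must cover every attribute the actual write path touches, connectors included, or the grant should be kept narrow and the extra attribute left out of the helpdesk request.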
