
LDAP Bind user Active Directory Password Reset Permissions

 
Stephen Elaschuk
 

I'm trying to give my LDAP Bind user sufficient privileges to reset user passwords, without adding them to the Domain Administrators group in Active Directory.

I've used the "Delegate Control" wizard on my root domain object to attempt to assign password reset permissions. However, it seems no combination of delegation permissions works. Even if I delegate Full Control to my LDAP bind user, the error coming back from Moodle when the user attempts to change their password is:

Debug info: 
Error code: errorpasswordupdate
Stack trace:
  • line 476 of /lib/setuplib.php: moodle_exception thrown
  • line 110 of /login/change_password.php: call to print_error()
Output buffer: Warning: ldap_modify(): Modify: Insufficient access in /var/www/moodle/auth/ldap/auth.php on line 1351

Only when I add my bind user to domain admins does it function properly. I realize this is more AD related than Moodle, but I'm hoping someone here has had a similar experience and can help.

Thanks!

 
Steve Bluck
Re: LDAP Bind user Active Directory Password Reset Permissions
 

Have you checked the user is listed in the security properties (should show up as having "special permissions") for the domain and on the relevant OUs?

 