our former sysadmin went from fulltime to 'on demand' and left me with the "task" to administer part of the local network. One of my jobs is changing users' passwords (they can't do it themselves unless they are given the LDAP admin password, for some reason). For what I can understand there is a master LDAP server that is used to authenticate users for a myriad of accounts: ssh, redmine, samba, zimbra, etc.
The procedure he instructed me to follow to change a user's password involves:
- launching LDAP Admin (windows version)
- logging in with a very specific set of credentials (cn=admin,dc=domainname)
- navigating down to the user
- right-click on the user and then, "set password"
Since I don't have Windows, find it quite silly to devote a VM just to change a password for LDAP. I am also quite stubborn myself and I refuse to believe it's the only way to go. I am not familiar with LDAP but I am almost certain that it was never intended to be used this way!
My question: what tool do you recommend to do this job?
I tried LDAPManager for OSX but it does not have the 'change password' button. I tried changing the SambaPassword field (and others..) but to no avail. The former sysadmin said he tried already all available tools and the windows version is the only one that allows you to set a password. [insert WTF here]
What did I try so far:
phpldapadmin
is installed on the server, but I think it's misconfigured since once I log in I cannot even see the correct domain nameldapadmin
under wine but it's highly unstableldappasswd
but can't understand what's going on, it always gives me:Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49)
no matter what I try.
Now, LDAP is somewhat dark magic for me. When I was doing sysadmin work years ago I never had to configure one. Now I don't understand if I'm doing something wrong, if the server is just badly configured or if really the only way to change a user's network password is to depend on a Windows-only tool (kinda refuse to believe that).
So I am asking you all: what do I do? And, does it have to be so complicated? We're just 10 people here, does it really make sense to waste all this time and effort for such an unusable system?
Note: I know there are scripts that are ran every few minutes "to keep the LDAP passwords and other passwords in sync", but I do not have root access to the server nor will be given at any point.
Just let the users change their passwords themselves, e. g. with the Self Service Password script from the LTB project.
If you're looking for a nice LDAP client I can recommend Apache Directory Studio.