This shows you the differences between two versions of the page.

documentation:self-service-password:0.8:config_ldap [2012/10/20 09:28]
documentation:self-service-password:0.8:config_ldap [2017/01/25 12:09] (current)
Line 88: Line 88:
 $ad_options['​force_pwd_change'​] = true; $ad_options['​force_pwd_change'​] = true;
 </​file>​ </​file>​
 +You need to have a manager account on Active Directory with rights to change password of users. To set the minimum rights for this account, do the following:
 +  * Create a basic domain account without any additional privileges
 +  * Use Delegate control wizard within "User and computers",​ then
 +    * User Object
 +    * Reset Password
 +    * Write lockoutTime (if unlock is enabled)
 +    * Write shadowlastchange
 +If you enabled the [[config_questions|reset by questions feature]], you also need to give rights on the question attribute:
 +  * Right click the OU where you want delegation of permissions to propogate down from and select "​Delegate Control…"​
 +  * Add the account to delegate to, click Next
 +  * Create a custom task to delegate
 +  * Select the radio button for "Only the following objects in the folder",​ then select "User objects"​ at the bottom of the list, click Next
 +  * Select the "​Property-specific"​ checkbox only, then locate the attribute you are using to store the "Reset by questions"​ answer in.
 ==== Samba ==== ==== Samba ====
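Review bot: The first delegation list never says where the wizard is launched, while the second list starts from "Right click the OU where you want delegation of permissions"; name the same OU scope in the first list so that Reset Password is delegated only over the users the tool manages. "Write shadowlastchange" is listed without a condition, unlike "Write lockoutTime (if unlock is enabled)"; qualify it in the same way and spell the attribute as shadowLastChange, as the shadow options below do. The last question-attribute step stops at locating the attribute and does not say which of its permissions to tick; state them explicitly. Minor: "propogate" should be "propagate", and the console is "Active Directory Users and Computers".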
Line 104: Line 120:
 $shadow_options['​update_shadowLastChange'​] = true; $shadow_options['​update_shadowLastChange'​] = true;
 </​file>​ </​file>​
 +<note tip>​Shadow modifications will only be done on entries of class ''​shadowAccount''</​note>​
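Review bot: The tip does not say what an administrator will see for entries that lack shadowAccount when update_shadowLastChange is true: state whether the password change still succeeds with the attribute left untouched, so a missing shadowLastChange update is not mistaken for a permissions failure. Consider writing "object class" rather than "class" to match LDAP terminology.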