Does anyone have password changes working using a generic LDAP server, i.e. OpenLDAP? Or had it working in the past? I specifically mean generic, not Windows AD or any of the other "supported" LDAP servers that provide full password management functionality.
We're trying to simply change the password; nothing fancy. The IVE fails with the not very helpful error "Can't change password." I took a tcpdump of the LDAP communication between the IVE & server. Looking through the trace shows the IVE connecting as admin, searching for the user attempting to change their password, successfully finding the user, switching over to that user successfully, and then simply terminating the connection.
We've even switched on full debugging in OpenLDAP to see if there was anything strange happening that the network dump didn't show. Nothing, not a single error message. Everything proceeds perfectly right up to the point where the IVE closes the connection.
So, does anyone have this working with generic?
Unfortunately, changing passwords is only supported for AD, eDirectory, and iPlanet server types. (Administration Guide)
We're using 7.0, so I've been going by the 7.0 documentation. It has explicit differentiation between password management (expiration, complexity, warning) and password change.
7.0 Administration Guide - page 159
When authenticating against a generic LDAP server, such as IBM Secure Directory, the SA Series SSL VPN Appliance only supports authentication and allowing users to change their passwords.
And Table 9, directly below, shows the exact same thing: password change is supported, nothing else is.
Interesting to see that the section was rewritten between 6.5, 7.0, and 7.1.
Excellent suggestion, thank you!
It seems that when set to generic the SA simply stops after validating the old password. Changing to iPlanet caused it to immediately go to the next step of changing the password. It still failed, unfortunately, but that was due to the password policy overlay. Disabled it and the password change worked just fine.
The actual reason for the failure was because the server wanted both the old and new password sent in the change request while the SA only sent the new password. Possibly due to the password reuse part of the policy.
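To make the final finding concrete, here is an added example (not code from the thread, from Juniper, or from OpenLDAP) that BER-encodes and decodes the value of the LDAP Password Modify extended operation from RFC 3062 and applies a server-side "old password must be present" rule to it. Two assumptions are mine: that the SA issues the RFC 3062 extended operation (the thread does not say which LDAP operation it uses), and that the rule is modelled on the ppolicy overlay's pwdSafeModify attribute, which the thread does not name. The DN and passwords are constructed sample values.

```python
"""
Added example: encode/decode PasswdModifyRequestValue (RFC 3062,
OID 1.3.6.1.4.1.4203.1.11.1) and apply a pwdSafeModify-style check.

ASN.1 from RFC 3062:
  PasswdModifyRequestValue ::= SEQUENCE {
      userIdentity [0] OCTET STRING OPTIONAL,
      oldPasswd    [1] OCTET STRING OPTIONAL,
      newPasswd    [2] OCTET STRING OPTIONAL }
"""
from typing import Dict, Optional, Tuple

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"
# Context-specific primitive tags [0], [1], [2] and the universal SEQUENCE tag.
TAG_USER, TAG_OLD, TAG_NEW, TAG_SEQ = 0x80, 0x81, 0x82, 0x30
FIELD_NAMES = {TAG_USER: "userIdentity", TAG_OLD: "oldPasswd", TAG_NEW: "newPasswd"}


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_passwd_modify(user: Optional[str] = None,
                         old: Optional[str] = None,
                         new: Optional[str] = None) -> bytes:
    """Build the request value; fields left as None are simply absent."""
    body = b""
    if user is not None:
        body += _tlv(TAG_USER, user.encode())
    if old is not None:
        body += _tlv(TAG_OLD, old.encode())
    if new is not None:
        body += _tlv(TAG_NEW, new.encode())
    return _tlv(TAG_SEQ, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag-length-value element starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated element")
    return tag, value, pos + length


def decode_passwd_modify(data: bytes) -> Dict[str, str]:
    """Parse the request value into a dict of the fields that were actually sent."""
    tag, body, end = _read_tlv(data, 0)
    if tag != TAG_SEQ or end != len(data):
        raise ValueError("not a single SEQUENCE")
    fields: Dict[str, str] = {}
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in FIELD_NAMES:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        fields[FIELD_NAMES[tag]] = value.decode()
    return fields


def safe_modify_check(data: bytes, require_old: bool) -> str:
    """Server-side decision modelled on ppolicy's pwdSafeModify (assumption):
    when it is TRUE, a change request without oldPasswd is refused."""
    fields = decode_passwd_modify(data)
    if "newPasswd" not in fields:
        return "refused: no new password supplied"
    if require_old and "oldPasswd" not in fields:
        return "refused: old password required but not supplied"
    return "accepted"


# Constructed sample requests: what a client sending only the new password
# looks like next to one that also carries the old password.
SAMPLE_DN = "uid=jdoe,ou=people,dc=example,dc=com"
CLIENT_ONLY_NEW = encode_passwd_modify(user=SAMPLE_DN, new="N3w-Secret!")
CLIENT_OLD_AND_NEW = encode_passwd_modify(user=SAMPLE_DN, old="0ld-Secret!", new="N3w-Secret!")

if __name__ == "__main__":
    for name, req in (("new only", CLIENT_ONLY_NEW), ("old+new", CLIENT_OLD_AND_NEW)):
        print(name, req.hex())
        print("  fields:", decode_passwd_modify(req))
        print("  policy requires old:", safe_modify_check(req, require_old=True))
        print("  policy does not:    ", safe_modify_check(req, require_old=False))
```

Running it shows the same request accepted with the policy relaxed and refused with it enforced, which is the behaviour the thread describes: the client is not wrong per RFC 3062 (oldPasswd is OPTIONAL), but the server's policy makes the field mandatory.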