Changing password using generic LDAP server?

New Contributor

Changing password using generic LDAP server?

Does anyone have password changes working using a generic LDAP server, i.e. OpenLDAP? Or had it working in the past? I specifically mean generic, not Windows AD or any of the other "supported" LDAP servers that provide full password management functionality.

We're trying to simply change the password; nothing fancy. The IVE fails with the not very helpful error "Can't change password." I took a tcpdump of the LDAP communication between the IVE and the server. Looking through the trace shows the IVE connecting as admin, searching for the user attempting to change their password, successfully finding the user, switching over to that user successfully, and then simply terminating the connection.

We've even switched on full debugging in OpenLDAP to see if there was anything strange happening that the network dump didn't show. Nothing, not a single error message. Everything proceeds perfectly right up to the point where the IVE closes the connection.

So, does anyone have this working with generic?

Thanks!

-Chad

4 REPLIES
Respected Contributor

Re: Changing password using generic LDAP server?

Unfortunately, changing passwords is only supported for AD, eDirectory, and iPlanet server types. (Administration Guide)

New Contributor

Re: Changing password using generic LDAP server?

We're using 7.0, so I've been going by the 7.0 documentation. It has explicit differentiation between password management (expiration, complexity, warning) and password change.

7.0 Administration Guide - page 159

When authenticating against a generic LDAP server, such as IBM Secure Directory, the SA Series SSL VPN Appliance only supports authentication and allowing users to change their passwords.

And Table 9, directly below, shows the exact same thing: password change is supported, nothing else is.

Interesting to see that the section was rewritten between 6.5, 7.0, and 7.1.

Super Contributor

Re: Changing password using generic LDAP server?

For my centos-ds LDAP servers, I configured them in my SA as iPlanet instead of generic, since the CentOS (Red Hat) directory server is based on the original iPlanet directory server. I have been using this configuration for some time and have not had any authentication/password management issues. I have not used OpenLDAP, so I'm not sure if this change would resolve your issue (or work).
New Contributor

Re: Changing password using generic LDAP server?

Excellent suggestion, thank you!

It seems that when set to generic the SA simply stops after validating the old password. Changing to iPlanet caused it to immediately go to the next step of changing the password. Still failed unfortunately, but that was due to the password policy overlay. Disabled it and the password change worked just fine.

The actual reason for the failure was that the server wanted both the old and new password sent in the change request, while the SA only sent the new password. Possibly due to the password reuse part of the policy.
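The request shape the last reply describes is the RFC 3062 Password Modify extended operation (OID 1.3.6.1.4.1.4203.1.11.1), whose request value carries optional userIdentity, oldPasswd and newPasswd fields. The following is an added example, not code from this thread or from the SA/IVE product: it hand-encodes that value both ways (newPasswd only, as the thread says the SA sends it, and oldPasswd plus newPasswd), wraps it in an LDAPMessage ExtendedRequest, decodes it again, and runs a constructed server-side "old password required" check so the two outcomes can be compared offline. The DN, passwords, message text and the policy function are all constructed stand-ins, not OpenLDAP's ppolicy code; in OpenLDAP the policy attribute that makes the overlay demand the old password on a change is pwdSafeModify.

```python
"""RFC 3062 Password Modify requests, encoded and decoded by hand.

Added example; not from the thread or the SA/IVE product. The server-side
check at the bottom is a constructed stand-in for a safe-modify policy.
"""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062 extended operation

# Context-specific primitive tags inside PasswdModifyRequestValue (RFC 3062 s.2.1)
TAG_USER_IDENTITY = 0x80   # [0] userIdentity
TAG_OLD_PASSWD = 0x81      # [1] oldPasswd
TAG_NEW_PASSWD = 0x82      # [2] newPasswd
TAG_SEQUENCE = 0x30
TAG_EXTENDED_REQUEST = 0x77  # [APPLICATION 23] constructed (RFC 4511)


def ber_length(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    """Non-negative INTEGER; extra byte when needed keeps the sign bit clear."""
    return ber_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def build_passwd_modify(user_dn=None, old_passwd=None, new_passwd=None) -> bytes:
    """requestValue of a PasswdModifyRequest; every field is optional."""
    inner = b""
    if user_dn is not None:
        inner += ber_tlv(TAG_USER_IDENTITY, user_dn.encode())
    if old_passwd is not None:
        inner += ber_tlv(TAG_OLD_PASSWD, old_passwd.encode())
    if new_passwd is not None:
        inner += ber_tlv(TAG_NEW_PASSWD, new_passwd.encode())
    return ber_tlv(TAG_SEQUENCE, inner)


def build_extended_request(message_id: int, request_value: bytes) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest { requestName, requestValue } }."""
    ext = ber_tlv(0x80, PASSWD_MODIFY_OID.encode()) + ber_tlv(0x81, request_value)
    return ber_tlv(TAG_SEQUENCE, ber_integer(message_id) + ber_tlv(TAG_EXTENDED_REQUEST, ext))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the TLV) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_passwd_modify(buf: bytes) -> dict:
    """Decode a requestValue into a dict keyed by RFC 3062 field name."""
    tag, inner, end = _read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("not a PasswdModifyRequestValue SEQUENCE")
    names = {TAG_USER_IDENTITY: "userIdentity",
             TAG_OLD_PASSWD: "oldPasswd",
             TAG_NEW_PASSWD: "newPasswd"}
    fields, pos = {}, 0
    while pos < len(inner):
        tag, value, pos = _read_tlv(inner, pos)
        if tag not in names:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        fields[names[tag]] = value.decode()
    return fields


def server_policy_check(fields: dict, require_old_password: bool) -> tuple:
    """Constructed stand-in for a server policy. Returns (LDAP resultCode, message):
    0 = success, 53 = unwillingToPerform (RFC 4511)."""
    if "newPasswd" not in fields:
        return 53, "no new password supplied (this toy server never generates one)"
    if require_old_password and "oldPasswd" not in fields:
        return 53, "policy requires the old password alongside the new one"
    return 0, ""


def simulate(require_old: bool, send_old: bool) -> tuple:
    """Encode as a client would, decode server-side, apply the policy."""
    value = build_passwd_modify(
        user_dn="uid=chad,ou=people,dc=example,dc=com",   # constructed sample DN
        old_passwd="OldPassw0rd!" if send_old else None,   # constructed
        new_passwd="N3wPassw0rd!",                         # constructed
    )
    build_extended_request(1, value)   # full wire message, for inspection
    return server_policy_check(parse_passwd_modify(value), require_old)


if __name__ == "__main__":
    print("policy on, new only :", simulate(True, False))   # the thread's failure
    print("policy on, old+new  :", simulate(True, True))
    print("policy off, new only:", simulate(False, False))  # what worked after disabling it
```

To reproduce the two request shapes against a real server, OpenLDAP's ldappasswd sends only the new password with `-s newpw` and both with `-a oldpw -s newpw`; if the first form is rejected and the second accepted, the directory's policy, not the appliance, is the gate, and relaxing pwdSafeModify (or whichever setting imposes it on that server) is the configuration knob to look at.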