kanayak123 / pyadselfservice

Easy and secure web based password change portal for Active Directory user accounts.
https://technokan.blogspot.com/2016/10/web-based-python3-password-reset-tool.html

Reset Password #5

Closed garana821 closed 7 years ago

garana821 commented 7 years ago

Hello, can you help me please with the following error?

2017-03-15 11:40:25,187 DEBUG log 4894 140086331045632 log PROTOCOL:MODIFY response <[{'result': 53, 'referrals': None, 'description': 'unwillingToPerform', 'message': '0000001F: SvcErr: DSID-031A129B, problem 5003 (WILL_NOT_PERFORM), data 0\n\x00', 'dn': '', 'type': 'modifyResponse'}]> received via <ldaps://10.x.x.x:636 - ssl - user: accont@domain.com - not lazy - bound - open - <local: 10.x.x.x:59548 - remote: 10.x.x.x:636> - tls not started - listening - RestartableStrategy - internal decoder>
2017-03-15 11:40:25,187 DEBUG log 4894 140086331045632 log BASIC:done MODIFY operation, result

Thank you

kanayak123 commented 7 years ago

Hi there,

It's a protocol response from your Domain Controller. Your implementation is perfect. "unwillingToPerform" means either the password you submitted does not comply with your AD password policy or the user account that you have configured in the settings does not have permission to unlock and reset the password for the account you are trying to change the password for. Please refer to the document below and verify that you followed section 2 properly.

http://blogger.iamamazing.in/2016/10/web-based-python3-password-reset-tool.html?m=1

Also refer to the "How to analyze the logs:" section.

kanayak123 commented 7 years ago

Let me know if you still encounter issues.

garana821 commented 7 years ago

The values were checked and are correct, and the problem persists. I tried to do it with the administrator account and it did not work.

kanayak123 commented 7 years ago

Just to rule out any bugs in the ldap3 library that I use for pyadselfservice, please uninstall the currently installed ldap3 and install the stable version that is tested successfully in my lab. To do that, run these commands and try again.

pip3 uninstall ldap3
pip3 install ldap3==2.2.1

If you still get the same error then it is to do with your AD implementation and its password policy. The error message is self-explanatory. It clearly indicates that the Domain Controller ldaps://10.x.x.x:636 is rejecting your password submission. You could search for "LDAP error code 53 unwillingToPerform" on the net and may get some clues.

kanayak123 commented 7 years ago

Let me know how it goes. I am also trying to reproduce this error in my lab. If the issue still continues then see if you can upload logs after masking sensitive info.

garana821 commented 7 years ago

Hi, the problem persists. The following error:

2017-03-16 08:48:58,559 DEBUG log 17273 140656721446656 log PROTOCOL:MODIFY response <[{'description': 'unwillingToPerform', 'dn': '', 'referrals': None, 'result': 53, 'message': '0000001F: SvcErr: DSID-031A129B, problem 5003 (WILL_NOT_PERFORM), data 0\n\x00', 'type': 'modifyResponse'}]> received via <ldaps://10.x.x.x:636 - ssl - user: accont@dominio.com - not lazy - bound - open - <local: 10.x.x.x:59598 - remote: 10.x.x.x:636> - tls not started - listening - RestartableStrategy - internal decoder>
2017-03-16 08:48:58,560 DEBUG log 17273 140656721446656 log BASIC:done MODIFY operation, result

I do not understand: if I change to UTF-16LE it executes perfectly, but when logging in it does not work.

kanayak123 commented 7 years ago

ldap3 by default uses utf-16-le for encoding the password. Which version of Windows do you run for the DC? I have tested my code again (with ldap3 v2.2.1) on Windows 2008 R2 and Windows 2012 R2 DCs. Works fine. If you still feel it's a bug, then I suggest you create an issue in https://github.com/cannatag/ldap3/issues. I'm sure cannatag will have some suggestion.

garana821 commented 7 years ago

When encoding with utf-16:

2017-03-16 10:02:50,838 DEBUG log 18040 140128865224448 log PROTOCOL:MODIFY response <[{'dn': '', 'result': 0, 'description': 'success', 'type': 'modifyResponse', 'message': '', 'referrals': None}]> received via <ldaps://10.x.x.x:636 - ssl - user: accont@dominio.com - not lazy - bound - open - <local: 10.x.x.x:59614 - remote: 10.x.x.x:636> - tls not started - listening - RestartableStrategy - internal decoder>
2017-03-16 10:02:50,839 DEBUG log 18040 140128865224448 log BASIC:done MODIFY operation, result

adpassreset.py:

conn.extend.microsoft.modify_password(user_dn, newpass.encode('utf-16'), old_password=newpass)

kanayak123 commented 7 years ago

That's incorrect. newpass.encode('utf-16') will encode the password twice: once with this code and again by ldap3. I can confirm that your deployment is correct. You are getting the 'success' message because the double-encoded password is so long that it complied with your password policy and your DC accepted it. But it did not work when you tried to log in because the password you entered is not the one that was set; it was double-encoded and became too long, and there is no way to know it. Please do as below. Please download a fresh copy of adpassreset.py, overwrite the old one and do not change any code. Retry changing the password with a really long password.
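The double encoding described above, as an added example that is not pyadselfservice's or ldap3's own code: unicode_pwd_value() is assumed to mirror what ldap3's modify_password does (wrap the password in double quotes, encode as UTF-16-LE), and double_encoded() reproduces the caller's mistake of passing bytes instead of a str.

```python
# Added example: how AD's unicodePwd value is built, and what the DC actually
# stores when the caller pre-encodes the password with .encode('utf-16').
# The quoting/encoding step is an assumption modelled on ldap3's modify_password.

def unicode_pwd_value(new_password):
    """Build the unicodePwd value AD expects: '"<password>"' as UTF-16-LE bytes."""
    return ('"%s"' % new_password).encode('utf-16-le')


def stored_password(unicode_pwd):
    """Inverse of unicode_pwd_value(): the password the DC would actually set."""
    text = unicode_pwd.decode('utf-16-le')
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError('unicodePwd value is not a quoted string')
    return text[1:-1]


def double_encoded(new_password):
    """Reproduce the bug from the thread: newpass.encode('utf-16') handed to a
    routine that expects a str. In Python 3, '%s' % bytes gives the repr of the
    bytes object (e.g. b'\\xff\\xfe...'), so that repr text becomes the password."""
    return unicode_pwd_value(new_password.encode('utf-16'))


def compare(new_password):
    """Return (intended password, password the DC really stored when double-encoded)."""
    intended = stored_password(unicode_pwd_value(new_password))
    actual = stored_password(double_encoded(new_password))
    return intended, actual


if __name__ == '__main__':
    # Constructed sample password, the one used in the thread.
    wanted, got = compare('BmW&FferrariAut0')
    print('intended:', wanted, len(wanted))
    print('actually set:', got, len(got))
```

The second value is what the user would have had to type to log in after the "success" response, which is why the login failed.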

garana821 commented 7 years ago

It does not work, and the default LDAP3 library comes in UTF-8:

/usr/lib/python2.7/site-packages/ldap3/utils/config.py

On line 94: _DEFAULT_ENCODING = 'utf-8'

The file adpassreset.py was changed and a very long password was entered, and it did not work.

kanayak123 commented 7 years ago

Please refer to line 42 in /usr/lib/python2.7/site-packages/ldap3/extend/microsoft/modifyPassword.py. It's utf-16-le and it's correct. If you feel it's an encoding issue, you may try changing the encoding here. But do not apply encoding in adpassreset.py. If you could debug it, please let me also know the root cause.

garana821 commented 7 years ago

Where can I change the password policies in pyadselfservice? In Active Directory, do you disable them?

kanayak123 commented 7 years ago

Hi,

There is no password policy in pyadselfservice. It's a straightforward tool which just updates the unicodePwd attribute in AD after successful validation. You may also do that through the python interpreter using ldap3, bypassing pyadselfservice. But that won't help. There is no issue in pyadselfservice or ldap3. You can refer to the link below on password policy for AD.

https://technet.microsoft.com/en-us/library/hh994572(v=ws.11).aspx

If possible change these temporarily and check. Wait for some time after changing and try again.

Enforce password history - 0
Minimum password age - 0
Password must meet complexity requirements - Disabled
Store passwords using reversible encryption - Disabled

Let me know how it goes.

kanayak123 commented 7 years ago

Hi,

Did you have a chance to debug this problem? You may bypass pyadselfservice and try to reset the password directly from the python interpreter, using the script below. Please change the values as appropriate. If this code returns True then pyadselfservice will also work. This will save a lot of your time in debugging, just in case you would like to troubleshoot it. Please also revert any changes that you might have done in ldap3, or just reinstall ldap3.

import ldap3, ssl
# LDAPS on 636; validate=ssl.CERT_NONE skips certificate verification (lab test only)
server = ldap3.Server(host='192.168.xxx.xxx', port=636, use_ssl=True, tls=ldap3.Tls(validate=ssl.CERT_NONE))
# Bind as the service account configured in settings.py (needs reset-password rights)
conn = ldap3.Connection(server, 'pyadselfservice@domain.local', password='P@asl3$$1', auto_bind=True)
# Administrative reset of the target user's password: ldap3 does the quoting and UTF-16-LE encoding itself
conn.extend.microsoft.modify_password('CN=Test User,OU=Technology,DC=domain,DC=local', 'BmW&FferrariAut0', old_password=None)
print(str(conn.result))

To reinstall ldap3

pip3 uninstall ldap3
pip3 install ldap3==2.2.1

garana821 commented 7 years ago

It works perfectly; it changed the password successfully.

conn.extend.microsoft.modify_password('CN=psistema Sistema,OU=Sistemas,OU=xx,OU=xxx Usuarios,DC=xxxx,DC=com', 'BmW&FferrariAut0', old_password=None)
True

print(str(conn.result))
{'dn': u'', 'referrals': None, 'description': 'success', 'result': 0, 'message': u'', 'type': 'modifyResponse'}

exit()

kanayak123 commented 7 years ago

It's the exact same code that pyadselfservice executes to change the password at the final page after OTP validation. Please refer to lines 22 and 122 in adpassreset.py. You have received the "success" message here, which means there is NO problem anywhere. Can you please completely remove pyadselfservice, clone it again from GIT and reconfigure it? It may take 10 mins but it's still better than finding the changes you have done and reverting them, and it may still break afterwards. After you clone fresh, please do not make any changes in any files other than settings.py.

Ensure that you are using the LDAP over SSL (636) port in settings.py. I can see in the logs that you are already using LDAPS, but still, just to reconfirm. Ensure that you are using different credentials in settings.py (for executing the reset, with sufficient privileges) AND you are trying to change the password for a different user (requesting the reset). The new password has to be different from the passwords that you have used in the past for this user. Use a new password which is complex enough.

garana821 commented 7 years ago

Hi, I did what you suggested and it generated this error:

Traceback (most recent call last):
  File "/usr/local/lib/python3.5/site-packages/django/core/handlers/exception.py", line 39, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.5/site-packages/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/usr/local/lib/python3.5/site-packages/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/home/adminapl/pyadselfservice-master/pyadselfservice/validateuser/views.py", line 47, in ADValidate
    if form.is_valid():
  File "/usr/local/lib/python3.5/site-packages/django/forms/forms.py", line 169, in is_valid
    return self.is_bound and not self.errors
  File "/usr/local/lib/python3.5/site-packages/django/forms/forms.py", line 161, in errors
    self.full_clean()
  File "/usr/local/lib/python3.5/site-packages/django/forms/forms.py", line 370, in full_clean
    self._clean_fields()
  File "/usr/local/lib/python3.5/site-packages/django/forms/forms.py", line 388, in _clean_fields
    value = field.clean(value)
  File "/usr/local/lib/python3.5/site-packages/nocaptcha_recaptcha/fields.py", line 71, in clean
    remoteip=self.get_remote_ip())
  File "/usr/local/lib/python3.5/site-packages/nocaptcha_recaptcha/client.py", line 92, in submit
    httpresp = urlopen(req)
  File "/usr/local/lib/python3.5/urllib/request.py", line 162, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/local/lib/python3.5/urllib/request.py", line 465, in open
    response = self._open(req, data)
  File "/usr/local/lib/python3.5/urllib/request.py", line 483, in _open
    '_open', req)
  File "/usr/local/lib/python3.5/urllib/request.py", line 443, in _call_chain
    result = func(*args)
  File "/usr/local/lib/python3.5/urllib/request.py", line 1283, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/usr/local/lib/python3.5/urllib/request.py", line 1242, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:646)>

kanayak123 commented 7 years ago

Are you accessing pyadselfservice through https? If so, can you use http until the ldap part is successful? I don't want to dilute the issue here, hence let's ignore this error for now and move on with http. I guess that error is due to the SelfSSL that you deployed in your apache/webserver. Please retry through http.

garana821 commented 7 years ago

I'm not using https, I start it this way: python3 pyadselfservice/manage.py runserver 0.0.0.0:8080

kanayak123 commented 7 years ago

How was it working before? It's the same code. The error is from django; failing at if form.is_valid() means the form was submitted with values. It seems to be failing at recaptcha, either while trying to validate your recaptcha site key or while validating your captcha.

kanayak123 commented 7 years ago

Hi,

Any luck with the tool?

kanayak123 commented 7 years ago

Closing ticket since no response from user.

garana821 commented 7 years ago

Hi, The last configuration we made worked perfectly.

Thanks for the help!

Sorry I did not answer you sooner!

kanayak123 commented 7 years ago

No problem. Glad it worked for you. Thanks for letting me know.