11-12-2011 08:47 AM
ASA running 8.4. I have password-management enabled on the tunnel group, LDAP over SSL enabled, yet when I test by setting an account to require a password change after next login, the New Password Required page loads (clientless) and allows a new password to be entered. After hitting continue, it returns to the username login page with this message above the username field:
"Cannot complete password change because the password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements."
Yet I'm able to change the password at the same time from a workstation, so there is no gp policy that is denying the password change. We have it set to minimum days 0 and no complexity required. I am meeting the minimum length.
A debug output when I hit continue after entering the new password:
[10068] Session Start
[10068] New request Session, context 0x74637d10, reqType = Modify Password
[10068] Fiber started
[10068] Creating LDAP context with uri=ldaps://192.168.102.15:636
[10068] Connect to LDAP server: ldaps://192.168.102.15:636, status = Successful
[10068] supportedLDAPVersion: value = 3
[10068] supportedLDAPVersion: value = 2
[10068] Binding as asauser
[10068] Performing Simple authentication for asauser to 192.168.102.15
[10068] LDAP Search:
Base DN = [DC=subdomain,DC=company,DC=com]
Filter = [userPrincipalName=useraccount@company.com]
Scope = [SUBTREE]
[10068] User DN = [CN=useraccount,CN=Users,DC=subdomain,DC=company,DC=com]
[10068] Talking to Active Directory server 192.168.102.15
[10068] Reading password policy for useraccount@company.com, dn:CN=useraccount,CN=Users,DC=subdomain,DC=company,DC=com
[10068] Read bad password count 0
[10068] Modify Password for useraccount@company.com successfully converted password to unicode
[10068] Fiber exit Tx=759 bytes Rx=2959 bytes, status=-1
[10068] Session End
11-15-2011 03:02 PM
If "asauser" is not yet a member of the "account operators" group, add it to this group.
There is an enhancement request to make this work without special privileges, see:
CSCtq54856 ENH: Support for Password Management w/o LDAP Login DN Admin Privileges
hth
Herbert
EDIT:
Just to clarify further for those hitting this thread in search for a solution to the same problem: the "asauser" in the example above is the user that is configured in the ASA's LDAP settings:
aaa-server ldap protocol ldap
aaa-server ldap (inside) host 10.0.0.2
server-port 636
ldap-base-dn cn=users,dc=CISCOTEST,dc=COM
ldap-login-password *****
ldap-login-dn asauser
ldap-over-ssl enable
server-type microsoft
So only this user (the one defined with "ldap-login-dn") needs to be in the account operators group, not all vpn users.
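An added diagnostic, not from the thread or from Cisco, that repeats the steps visible in the debug output above (LDAPS bind as the ldap-login-dn account, subtree search by userPrincipalName, replace of unicodePwd) with whatever bind account you choose, so that AD's own LDAP result code and message are reported rather than the ASA's generic policy text. It assumes the ldap3 library, and every host, DN, password and CA path in it is a constructed placeholder.

```python
"""Repeat the ASA's password-management LDAP steps with a chosen bind account.
All hosts, DNs and passwords below are constructed placeholders (assumptions).
"""
import ssl

try:
    from ldap3 import MODIFY_REPLACE
except ImportError:  # the two helpers below work without ldap3 installed
    MODIFY_REPLACE = "MODIFY_REPLACE"


def encode_unicode_pwd(password: str) -> bytes:
    """AD only accepts unicodePwd as UTF-16LE with the value wrapped in
    double quotes; this is the "converted password to unicode" step."""
    return f'"{password}"'.encode("utf-16-le")


def password_modify_changes(new_password: str) -> dict:
    """Build the ldap3 'changes' argument for an administrative reset
    (a single replace of unicodePwd, which is what the ASA sends)."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}


def try_password_reset(host, bind_dn, bind_pw, base_dn, upn, new_pw, ca_file):
    """Bind as bind_dn over LDAPS and reset the password of the user whose
    userPrincipalName is upn. Returns (success, raw AD result dict) so the
    real LDAP result code is visible instead of the ASA's generic message."""
    from ldap3 import ALL, Connection, Server, Tls  # network-only dependency

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=636, use_ssl=True, tls=tls, get_info=ALL)
    conn = Connection(server, user=bind_dn, password=bind_pw, auto_bind=True)
    # Same search the ASA performs: subtree under the base DN, by UPN.
    conn.search(base_dn, f"(userPrincipalName={upn})", attributes=["distinguishedName"])
    if not conn.entries:
        return False, {"description": "user not found under base DN"}
    user_dn = conn.entries[0].entry_dn
    ok = conn.modify(user_dn, password_modify_changes(new_pw))
    return ok, conn.result


if __name__ == "__main__":
    # Constructed example values; replace with the bind account under test.
    ok, result = try_password_reset(
        "dc01.subdomain.company.com", "CN=asauser,OU=Service,DC=subdomain,DC=company,DC=com",
        "bind-password", "DC=subdomain,DC=company,DC=com",
        "useraccount@company.com", "N3w-Passw0rd!", "/etc/ssl/certs/corp-ca.pem")
    print("reset ok" if ok else f"reset failed: {result.get('description')} {result.get('message')}")
```

Run it against a test account with the service account's credentials before changing the ASA; an insufficientAccessRights result points at the bind account's rights, an unwillingToPerform result at the domain password policy.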
11-23-2013 02:07 PM
Hi Herbert,
Ours is a corporate one-forest, one-domain environment. Due to large company bureaucracy, it may not be possible that we are given Domain Admin or even Account Operators on the entire domain.
We have delegated authority on each responsible OU.
I know it's easy to just ask and get the group membership. Easier said than done.
Unless this enhancement request is implemented by Cisco, if we are able to bind using a delegated account in our OU, is that going to work?
Thanks,
Sandeep