Changing password in AD doesn’t work #8

Open
tuchinsky opened this issue Jul 7, 2017 · 5 comments

@tuchinsky

Hello, I use Apache with this config (I also tried nginx+uwsgi and the result is the same):

<VirtualHost passwd.example.org:80>
	ServerName passwd.example.org
	WSGIDaemonProcess change-passwd user=apache group=apache processes=1 threads=5
	WSGIScriptAlias / /var/www/html/change-passwd/app.py

	<Directory /var/www/html/change-passwd>
		WSGIProcessGroup change-passwd
		WSGIApplicationGroup %{GLOBAL}
		Require all granted
	</Directory>
</VirtualHost>

Apache started successfully and displays the main page, but if I try to change the password I get the error "Error: 500 Internal Server Error":

[Fri Jul 07 13:18:21.143218 2017] [:error] [pid 106200] [remote 172.30.0.10:34204] Traceback (most recent call last):
[Fri Jul 07 13:18:21.143268 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/bottle.py", line 861, in _handle
[Fri Jul 07 13:18:21.143273 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     return route.call(**args)
[Fri Jul 07 13:18:21.143275 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/bottle.py", line 1731, in wrapper
[Fri Jul 07 13:18:21.143278 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     rv = callback(*a, **ka)
[Fri Jul 07 13:18:21.143281 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/var/www/html/change-passwd/app.py", line 34, in post_index
[Fri Jul 07 13:18:21.143284 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     change_password(form('username'), form('old-password'), form('new-password'))
[Fri Jul 07 13:18:21.143287 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/var/www/html/change-passwd/app.py", line 65, in change_password
[Fri Jul 07 13:18:21.143290 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     change_password_ad(*args)
[Fri Jul 07 13:18:21.143292 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/var/www/html/change-passwd/app.py", line 94, in change_password_ad
[Fri Jul 07 13:18:21.143295 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     c.extend.microsoft.modify_password(user_dn, new_pass, old_pass)
[Fri Jul 07 13:18:21.143298 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/ldap3/extend/__init__.py", line 265, in modify_password
[Fri Jul 07 13:18:21.143301 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     controls)
[Fri Jul 07 13:18:21.143303 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/ldap3/extend/microsoft/modifyPassword.py", line 50, in ad_modify_password
[Fri Jul 07 13:18:21.143306 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     controls)
[Fri Jul 07 13:18:21.143309 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/ldap3/core/connection.py", line 1044, in modify
[Fri Jul 07 13:18:21.143312 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     response = self.post_send_single_response(self.send('modifyRequest', request, controls))
[Fri Jul 07 13:18:21.143314 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/ldap3/strategy/sync.py", line 124, in post_send_single_response
[Fri Jul 07 13:18:21.143317 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     responses, result = self.get_response(message_id)
[Fri Jul 07 13:18:21.143320 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]   File "/usr/lib/python2.7/site-packages/ldap3/strategy/base.py", line 377, in get_response
[Fri Jul 07 13:18:21.143323 2017] [:error] [pid 106200] [remote 172.30.0.10:34204]     raise LDAPOperationResult(result=result['result'], description=result['description'], dn=result['dn'], message=result['message'], response_type=result['type'])
[Fri Jul 07 13:18:21.143327 2017] [:error] [pid 106200] [remote 172.30.0.10:34204] LDAPNoSuchObjectResult: LDAPNoSuchObjectResult - 32 - noSuchObject - OU=ADM,OU=HQ,DC=alt,DC=altarix,DC=ru - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of: 'OU=ADM,OU=HQ,DC=alt,DC=altarix,DC=ru'

But the password check is successful:

[Fri Jul 07 13:18:08.841810 2017] [:error] [pid 106200] Unsuccessful attemp to change password for tak: Username or password is incorrect!

Then an error occurs only when trying to change the password
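
For triage of the 500 above, an added example (not part of the issue or of the project's code) that parses the last traceback line into its LDAP result code and AD diagnostic fields, then reports which leading RDNs of a candidate DN lie below AD's "best match" container. The candidate DN `CN=tak,...` is a constructed assumption; the log does not show the DN the application actually sent.

```python
import re

# Constructed sample: the last traceback line from the issue, without the
# Apache timestamp/pid/remote prefix (the parser also accepts the full line).
SAMPLE = (
    "LDAPNoSuchObjectResult: LDAPNoSuchObjectResult - 32 - noSuchObject - "
    "OU=ADM,OU=HQ,DC=alt,DC=altarix,DC=ru - 0000208D: NameErr: DSID-03100238, "
    "problem 2001 (NO_OBJECT), data 0, best match of: "
    "'OU=ADM,OU=HQ,DC=alt,DC=altarix,DC=ru'"
)

RESULT_RE = re.compile(
    r"(?P<exc>LDAP\w+Result) - (?P<code>\d+) - (?P<desc>\w+) - (?P<dn>.*?) - "
    r"(?P<win32>[0-9A-Fa-f]{8}): (?P<kind>\w+): (?P<dsid>DSID-[0-9A-Fa-f]+), "
    r"problem (?P<problem>\d+) \((?P<problem_name>\w+)\), data (?P<data>-?\d+)"
    r"(?:, best match of:\s*'(?P<best_match>[^']*)')?")

def parse_ldap_failure(line):
    """Return the fields of an ldap3 LDAPOperationResult log line, or None."""
    m = RESULT_RE.search(line)
    if m is None:
        return None
    info = m.groupdict()
    info["code"] = int(info["code"])        # LDAP resultCode, 32 = noSuchObject
    info["win32"] = int(info["win32"], 16)  # 0x208D = ERROR_DS_OBJ_NOT_FOUND
    return info

def split_dn(dn):
    # Simplification: split on commas not preceded by a backslash; this does
    # not cover every RFC 4514 escape form.
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def unresolved_rdns(requested_dn, best_match):
    """Leading RDNs of requested_dn that lie below best_match.

    Returns None when best_match is not an ancestor of requested_dn at all.
    """
    req = split_dn(requested_dn)
    best = [r.lower() for r in split_dn(best_match)]
    if best and [r.lower() for r in req][-len(best):] != best:
        return None
    return req[:len(req) - len(best)]

if __name__ == "__main__":
    info = parse_ldap_failure(SAMPLE)
    print(info["code"], info["desc"], hex(info["win32"]), info["best_match"])
    # Hypothetical DN for user "tak"; substitute the DN your app logs.
    candidate = "CN=tak,OU=ADM,OU=HQ,DC=alt,DC=altarix,DC=ru"
    print("not found below best match:", unresolved_rdns(candidate, info["best_match"]))
```

Logging the `user_dn` passed to `modify_password` next to this output shows whether the manual run and the WSGI run build the same DN.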

@jirutka
Owner

jirutka commented Jul 7, 2017

What version of change-password do you have? 1.0.0 or the current master? I should admit that I haven’t tried it against Samba/AD after updating to ldap3 2.x (current master).

This error is clearly not related to WSGI.

@jirutka changed the title from "Not working with wsgi" to "Changing password in AD doesn’t work" on Jul 7, 2017
@tuchinsky
Author

I have the current master.

If I start the application manually (chmod +x app.py && ./app.py), everything works fine. This problem only occurs when I start change-password with third-party apps (such as apache+mod_wsgi, nginx+uwsgi or a simple systemd unit script).

@jirutka
Owner

jirutka commented Jul 7, 2017

That’s really weird…

@tuchinsky
Author

Do you have any ideas?

@jirutka
Owner

jirutka commented Jul 14, 2017

No idea. I’ve just deployed a new version to a Samba server and it works. However, I’ve switched from uWSGI to Waitress and run it using waitress-serve, started by an OpenRC runscript.

If you use Alpine Linux, you can easily install it from the testing repository (and community/edge for py-waitress and py-ldap3); apk add ldap-passwd-webui-waitress, rc-service ldap-passwd-webui start.
