[ltb-dev] [LDAP Tool Box - Bug #351] Allow binddn to be one that is not a manager

noreply at lsc-project.org noreply at lsc-project.org
Tue Nov 1 15:22:54 CET 2011


Issue #351 has been updated by Otrebor Otrebor.


Hi

sorry for coming back late, but I only got back access to this system today.

Yes, you were right regarding the permissions.
I gave the users the self modify permissions to sambaNTPassword,sambaPwdLastSet,and userPassword.
Now, changing the user password via the Web-Form works as expected.

However, what puzzles me is the fact that it still does not work via email-tokens. Again I get "Insufficent Access".

I assume, that I would need an ldap admin account for ldap_binddn to have this working?
Am I correct on this?

Thanks
Otrebor


----------------------------------------
Bug #351: Allow binddn to be one that is not a manager
http://tools.lsc-project.org/issues/351

Author: Otrebor Otrebor
Status: Assigned
Priority: Normal
Assigned to: Clément OUDOT
Category: Self Service Password
Target version: self-service-password-?


Hello

we have a restricted LDAP, so connecting anonymously is allowed but won't reveal any data.
So, to perform basic queries one needs to connect with either his user credentials or a special user that is allowed to read a number of entries (eg: uid=anonuser,ou=services,dc=example,dc=com)

With this in place, performing a password change fails with LDAP Error:
PHP Warning: ldap_mod_replace(): Modify: Insufficient access in /srv/www/htdocs/self-service-password/lib/functions.inc.php on line 254, referer: https://my.url.com/ssp/index.php

Although it seems to connect with the users' credentials.

Using ldapmodify -xv -D userdn -W -H ldapurl -f file.ldif from the command line and from the very same system to change the password works without a problem.
So I presume it is not a permission problem within the ldap server.

the relevant config is like this:
$ldap_binddn = "uid=anonuser,ou=services,dc=example,dc=com";
$ldap_bindpw = "secret";

leaving this empty for anonymous access does not work.

and
$who_change_password = "user";

Also using Apache Directory Studio on the ldap server with the userdn and password works.
The same is true if I add the ldap cn=manager,... into ldap_binddn. However we consider this as a security risk if we have to keep the manager's binddn within the config file.

I am not very familiar with php, so debugging this is a bit tricky for me.

Thanks for your support
Otrebor


-- 
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://tools.lsc-project.org/my/account
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ltb-project.org/pipermail/ltb-dev/attachments/20111101/4bedd80b/attachment.htm>


More information about the ltb-dev mailing list