[ltb-dev] [LDAP Tool Box - Bug #351] Allow binddn to be one that is not a manager

noreply at lsc-project.org
Tue Nov 1 15:22:54 CET 2011

Issue #351 has been updated by Otrebor Otrebor.


Sorry for coming back late, but I only regained access to this system today.

Yes, you were right regarding the permissions.
I gave the users the self modify permissions to sambaNTPassword, sambaPwdLastSet, and userPassword.
Now, changing the user password via the Web-Form works as expected.

However, what puzzles me is the fact that it still does not work via email tokens. Again I get "Insufficient Access".

I assume that I would need an LDAP admin account for ldap_binddn to have this working?
Am I correct on this?


Bug #351: Allow binddn to be one that is not a manager

Author: Otrebor Otrebor
Status: Assigned
Priority: Normal
Assigned to: Clément OUDOT
Category: Self Service Password
Target version: self-service-password-?


We have a restricted LDAP, so connecting anonymously is allowed but won't reveal any data.
So, to perform basic queries one needs to connect with either his user credentials or a special user that is allowed to read a number of entries (eg: uid=anonuser,ou=services,dc=example,dc=com).

With this in place, performing a password change fails with LDAP Error:
PHP Warning: ldap_mod_replace(): Modify: Insufficient access in /srv/www/htdocs/self-service-password/lib/functions.inc.php on line 254, referer: https://my.url.com/ssp/index.php

Although it seems to connect with the user's credentials.

Using ldapmodify -xv -D userdn -W -H ldapurl -f file.ldif from the command line and from the very same system to change the password works without a problem.
So I presume it is not a permission problem within the ldap server.

The relevant config is like this:
$ldap_binddn = "uid=anonuser,ou=services,dc=example,dc=com";
$ldap_bindpw = "secret";

Leaving this empty for anonymous access does not work.

$who_change_password = "user";

Also using Apache Directory Studio on the ldap server with the userdn and password works.
The same is true if I add the ldap cn=manager,... into ldap_binddn. However we consider this as a security risk if we have to keep the manager's binddn within the config file.

I am not very familiar with php, so debugging this is a bit tricky for me.

Thanks for your support
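If a privileged bind does turn out to be required for the token-based reset, the manager DN is not the only option: a dedicated service DN whose write access is limited by ACL to the password attributes named above is the least-privilege alternative. The following is an added example, not taken from the ticket or from the self-service-password project; it assumes OpenLDAP slapd.conf ACL syntax, an "ou=people" user subtree and a hypothetical "uid=ssp" service account, and it leaves uid=anonuser as a read-only account.

```conf
# Constructed example (not the reporter's ACLs); assumes OpenLDAP slapd.conf syntax.
# The weak setting is to point the application at the directory manager:
#   $ldap_binddn = "cn=manager,dc=example,dc=com";
# which grants it unrestricted write access to the whole directory.
#
# Least-privilege alternative: a hypothetical service account
#   $ldap_binddn = "uid=ssp,ou=services,dc=example,dc=com";
# that may write only the three password attributes of user entries.

# Password attributes: the service DN and the user may write them,
# anyone may use them to authenticate (bind), nobody else may read them.
access to dn.subtree="ou=people,dc=example,dc=com"
        attrs=userPassword,sambaNTPassword,sambaPwdLastSet
    by dn.exact="uid=ssp,ou=services,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Everything else under ou=people: the service DN and the read-only
# uid=anonuser account may read (to locate the user entry), users may
# read their own entry, anonymous sees nothing.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="uid=ssp,ou=services,dc=example,dc=com" read
    by dn.exact="uid=anonuser,ou=services,dc=example,dc=com" read
    by self read
    by * none
```

Because slapd evaluates access clauses in order, the attribute-specific rule must come before the general one, and the result can be checked with slapacl before reloading the configuration.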
