[ltb-dev] [LDAP Tool Box - Bug #351] Allow binddn to be one that is not a manager

noreply at lsc-project.org noreply at lsc-project.org
Tue Nov 1 16:10:55 CET 2011

Issue #351 has been updated by Otrebor Otrebor.

btw I also had to change the make_md4_password() function to get samba working.
The mhash() function has been deprecated, see here: http://www.php.net/manual/en/book.mhash.php and was not available on my system.
quote: "This extension is obsoleted by Hash."

Here's my new code in functions.inc.php:

# Create MD4 password (Microsoft NT password format)
# Requires the Hash extension (hash() with "md4"); mhash() is obsolete
function make_md4_password($password) {
#    $hash = strtoupper( bin2hex( mhash( MHASH_MD4, iconv( "UTF-8", "UTF-16LE", $password ) ) ) );
    $hash = strtoupper( hash( "md4", iconv( "UTF-8", "UTF-16LE", $password ) ) );
    return $hash;
}

Bug #351: Allow binddn to be one that is not a manager

Author: Otrebor Otrebor
Status: Assigned
Priority: Normal
Assigned to: Clément OUDOT
Category: Self Service Password
Target version: self-service-password-?
we have a restricted LDAP, so connecting anonymously is allowed but won't reveal any data.
So, to perform basic queries one needs to connect with either his user credentials or a special user that is allowed to read a number of entries (eg: uid=anonuser,ou=services,dc=example,dc=com)

With this in place, performing a password change fails with LDAP Error:
PHP Warning: ldap_mod_replace(): Modify: Insufficient access in /srv/www/htdocs/self-service-password/lib/functions.inc.php on line 254, referer: https://my.url.com/ssp/index.php

Although it seems to connect with the users' credentials.

Using ldapmodify -xv -D userdn -W -H ldapurl -f file.ldif from the command line and from the very same system to change the password works without a problem.
So I presume it is not a permission problem within the ldap server.

the relevant config is like this:
$ldap_binddn = "uid=anonuser,ou=services,dc=example,dc=com";
$ldap_bindpw = "secret";

leaving this empty for anonymous access does not work.

$who_change_password = "user";

Also using Apache Directory Studio on the ldap server with the userdn and password works.
The same is true if I add the ldap cn=manager,... into ldap_binddn. However we consider this as a security risk if we have to keep the manager's binddn within the config file.

I am not very familiar with php, so debugging this is a bit tricky for me.

Thanks for your support
