[ltb-dev] [LDAP Tool Box - Bug #351] Allow binddn to be one that is not a manager

noreply at lsc-project.org
Tue Nov 1 16:10:55 CET 2011


Issue #351 has been updated by Otrebor Otrebor.


By the way, I also had to change the make_md4_password() function to get Samba working.
The mhash() function has been deprecated (see http://www.php.net/manual/en/book.mhash.php) and was not available on my system.
Quote: "This extension is obsoleted by Hash."

Here's my new code in functions.inc.php:

# Create MD4 password (Microsoft NT password format)
# Requires the hash extension with "md4" support; mhash() is deprecated
function make_md4_password($password) {
#    $hash = strtoupper( bin2hex( mhash( MHASH_MD4, iconv( "UTF-8", "UTF-16LE", $password ) ) ) );
    # NT hash = MD4 over the password encoded as UTF-16LE, returned as uppercase hex
    $hash = strtoupper( hash( "md4", iconv( "UTF-8", "UTF-16LE", $password ) ) );
    return $hash;
}
----------------------------------------
Bug #351: Allow binddn to be one that is not a manager
http://tools.lsc-project.org/issues/351

Author: Otrebor Otrebor
Status: Assigned
Priority: Normal
Assigned to: Clément OUDOT
Category: Self Service Password
Target version: self-service-password-?


Hello

We have a restricted LDAP, so connecting anonymously is allowed but won't reveal any data.
So, to perform basic queries one needs to connect with either his user credentials or a special user that is allowed to read a number of entries (e.g. uid=anonuser,ou=services,dc=example,dc=com).

With this in place, performing a password change fails with LDAP Error:
PHP Warning: ldap_mod_replace(): Modify: Insufficient access in /srv/www/htdocs/self-service-password/lib/functions.inc.php on line 254, referer: https://my.url.com/ssp/index.php

Although it seems to connect with the user's credentials.

Using ldapmodify -xv -D userdn -W -H ldapurl -f file.ldif from the command line and from the very same system to change the password works without a problem.
So I presume it is not a permission problem within the ldap server.

The relevant config is like this:
$ldap_binddn = "uid=anonuser,ou=services,dc=example,dc=com";
$ldap_bindpw = "secret";

Leaving this empty for anonymous access does not work.

and
$who_change_password = "user";

Also using Apache Directory Studio on the ldap server with the userdn and password works.
The same is true if I add the LDAP cn=manager,... into ldap_binddn. However, we consider this a security risk if we have to keep the manager's binddn within the config file.

I am not very familiar with PHP, so debugging this is a bit tricky for me.

Thanks for your support
Otrebor

