[Ltb-users] [ltb-dev] Self Service Password is not working

Clément OUDOT clem.oudot at gmail.com
Tue Oct 9 11:37:44 CEST 2012


2012/10/9 Ramesh Kumar <ramesh at slideshare.com>:
> Please find the config.inc.php file and complete logs while I am trying to
> change the password from GUI.
>
> <?php
> #==============================================================================
> # LTB Self Service Password
> #
> # Copyright (C) 2009 Clement OUDOT
> # Copyright (C) 2009 LTB-project.org
> #
> # This program is free software; you can redistribute it and/or
> # modify it under the terms of the GNU General Public License
> # as published by the Free Software Foundation; either version 2
> # of the License, or (at your option) any later version.
> #
> # This program is distributed in the hope that it will be useful,
> # but WITHOUT ANY WARRANTY; without even the implied warranty of
> # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> # GNU General Public License for more details.
> #
> # GPL License: http://www.gnu.org/licenses/gpl.txt
> #
> #==============================================================================
>
> #==============================================================================
> # Configuration
> #==============================================================================
> # LDAP
...
>
> # Active Directory mode
> # true: use unicodePwd as password field
> # false: LDAPv3 standard behavior
> $ad_mode = true;
> # Force account unlock when password is changed
> $ad_options['force_unlock'] = true;
> # Force user change password at next login
> $ad_options['force_pwd_change'] = false;
>
> # Samba mode
> # true: update sambaNTpassword and sambaPwdLastSet attributes too
> # false: just update the password
> # Warning: this require mhash() to be installed on your system
> $samba_mode = false;
>
> # Shadow options - require shadowAccount objectClass
> # Update shadowLastChange
> $shadow_options['update_shadowLastChange'] = true;
>
> # Hash mechanism for password:
> # SSHA
> # SHA
> # SMD5
> # MD5
> # CRYPT
> # clear (the default)
> # This option is not used with ad_mode = true
> $hash = "SSHA";
>
> # Local password policy
> # This is applied before directory password policy
> # Minimal length
> $pwd_min_length = 10;
> # Maximal length
> $pwd_max_length = 1;
> # Minimal lower characters
> $pwd_min_lower = 1;
> # Minimal upper characters
> $pwd_min_upper = 1;
> # Minimal digit characters
> $pwd_min_digit = 1;
> # Minimal special characters
> $pwd_min_special = 1;
> # Definition of special characters
> $pwd_special_chars = "^a-zA-Z0-9";
> # Forbidden characters
> #$pwd_forbidden_chars = "@%";
> # Don't reuse the same password as currently
> $pwd_no_reuse = true;
> # Complexity: number of different class of character required
> $pwd_complexity = 2;
> # Show policy constraints message:
> # always
> # never
> # onerror
> $pwd_show_policy = "onerror";
>
> # Who changes the password?
> # Also applicable for question/answer save
> # user: the user itself
> # manager: the above binddn
> $who_change_password = "user";
>
> ## Questions/answers
> # Use questions/answers?
> # true (default)
> # false
> $use_questions = false;
>
> # Answer attribute should be hidden to users!
> $answer_objectClass = "extensibleObject";
> $answer_attribute = "info";
>
> # Extra questions (built-in questions are in lang/$lang.inc.php)
> #$messages['questions']['ice'] = "What is your favorite ice cream flavor?";
>
> ## Token
> # Use tokens?
> # true (default)
> # false
> $use_tokens = true;
> # Crypt tokens?
> # true (default)
> # false
> $crypt_tokens = true;
> # Token lifetime in seconds
> $token_lifetime = "3600";
>
> ## Mail
> # LDAP mail attribute
> $mail_attribute = "mail";
> # Who the email should come from
> $mail_from = "admin at temporary.net";
> # Notify users anytime their password is changed
> $notify_on_change = true;
>
> # Display help messages
> $show_help = true;
>
> # Language
> $lang ="en";
>
> # Logo
> $logo = "style/ltb-logo.png";
>
> # Debug mode
> $debug = true;
>
> # Encryption, decryption keyphrase
> $keyphrase = "secret";
>
> # Where to log password resets - Make sure apache has write permission
> # By default, they are logged in Apache log
> $reset_request_log = "/var/log/self-service-password";
>
> ## CAPTCHA
> # Use Google reCAPTCHA (http://www.google.com/recaptcha)
> # Go on the site to get public and private key
> $use_recaptcha = false;
> $recaptcha_publickey = "";
> $recaptcha_privatekey = "";
> # Customize theme (see http://code.google.com/intl/de-DE/apis/recaptcha/docs/customization.html)
> # Examples: red, white, blackglass, clean
> $recaptcha_theme = "white";
>
> ?>
>
>
> ############# LOGS ###########
> ==> httpd/ssp_access_log <==
> 192.168.6.76 - - [09/Oct/2012:14:58:08 +0530] "POST / HTTP/1.1" 200 2011
> "http://192.168.6.180/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4)
> AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.79 Safari/537.4"
>
> ==> httpd/ssp_error_log <==
> [Tue Oct 09 14:58:08 2012] [error] [client 192.168.6.76] PHP Warning:
> ldap_get_values() [<a
> href='function.ldap-get-values'>function.ldap-get-values</a>]: Cannot get
> the value(s) of attribute Decoding error in
> /usr/share/self-service-password/pages/change.php on line 116, referer:
> http://192.168.6.180/
> [Tue Oct 09 14:58:08 2012] [error] [client 192.168.6.76] PHP Warning:
> preg_match_all() [<a
> href='function.preg-match-all'>function.preg-match-all</a>]: Compilation
> failed: missing terminating ] for character class at offset 2 in
> /usr/share/self-service-password/lib/functions.inc.php on line 153, referer:
> http://192.168.6.180/
>
> ==> ldap.log <==
> Oct  9 14:58:08 ldap01 slapd[5679]: conn=1045 fd=12 ACCEPT from
> IP=192.168.6.180:57467 (IP=0.0.0.0:389)
> Oct  9 14:58:08 ldap01 slapd[5679]: conn=1045 op=0 BIND dn="cn=admin,dc=ss"
> method=128
> Oct  9 14:58:08 ldap01 slapd[5679]: conn=1045 op=0 BIND dn="cn=admin,dc=ss"
> mech=SIMPLE ssf=0
> Oct  9 14:58:08 ldap01 slapd[5679]: conn=1045 op=0 RESULT tag=97 err=0 text=
> Oct  9 14:58:08 ldap01 slapd[5679]: conn=1045 op=1 SRCH base="dc=ss" scope=2
> deref=0 filter="(&(objectClass=inetOrgPerson)(uid=ramesh))"
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: search access to
> "dc=ss" "entry" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: search access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: search access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "objectClass" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: search access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: search access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "uid" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: search access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "entry" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result not in cache
> (cn)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "cn" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result not in cache
> (sn)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "sn" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result not in cache
> (givenName)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "givenName" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result not in cache
> (gidNumber)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "gidNumber" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result not in cache
> (homeDirectory)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "homeDirectory" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result not in cache
> (loginShell)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "loginShell" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result not in cache
> (objectClass)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "objectClass" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result was in cache
> (objectClass)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result was in cache
> (objectClass)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result not in cache
> (uid)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "uid" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result not in cache
> (uidNumber)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "uidNumber" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result not in cache
> (userPassword)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "userPassword" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: <= root access granted
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: read access granted
> by manage(=mwrscxd)
> Oct  9 14:58:08 ldap01 slapd[5679]: conn=1045 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Oct  9 14:58:08 ldap01 slapd[5679]: conn=1045 op=2 BIND anonymous
> mech=implicit ssf=0
> Oct  9 14:58:08 ldap01 slapd[5679]: conn=1045 op=2 BIND dn="cn=Ramesh
> Kumar,ou=people,dc=ss" method=128
> Oct  9 14:58:08 ldap01 slapd[5679]: => bdb_entry_get: found entry:
> "cn=ramesh kumar,ou=people,dc=ss"
> Oct  9 14:58:08 ldap01 slapd[5679]: => bdb_entry_get: found entry:
> "cn=defaultpwpolicy,ou=policies,dc=ss"
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: result not in cache
> (userPassword)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: auth access to
> "cn=Ramesh Kumar,ou=people,dc=ss" "userPassword" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: => acl_get: [1] attr userPassword
> Oct  9 14:58:08 ldap01 slapd[5679]: => acl_mask: access to entry "cn=Ramesh
> Kumar,ou=people,dc=ss", attr "userPassword" requested
> Oct  9 14:58:08 ldap01 slapd[5679]: => acl_mask: to value by "", (=0)
> Oct  9 14:58:08 ldap01 slapd[5679]: <= check a_dn_pat: cn=auther,dc=ss
> Oct  9 14:58:08 ldap01 slapd[5679]: <= check a_dn_pat: anonymous
> Oct  9 14:58:08 ldap01 slapd[5679]: <= acl_mask: [2] applying auth(=xd)
> (stop)
> Oct  9 14:58:08 ldap01 slapd[5679]: <= acl_mask: [2] mask: auth(=xd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => slap_access_allowed: auth access
> granted by auth(=xd)
> Oct  9 14:58:08 ldap01 slapd[5679]: => access_allowed: auth access granted
> by auth(=xd)
> Oct  9 14:58:08 ldap01 slapd[5679]: conn=1045 op=2 BIND dn="cn=Ramesh
> Kumar,ou=people,dc=ss" mech=SIMPLE ssf=0
> Oct  9 14:58:08 ldap01 slapd[5679]: => bdb_entry_get: found entry:
> "cn=ramesh kumar,ou=people,dc=ss"
> Oct  9 14:58:08 ldap01 slapd[5679]: conn=1045 op=2 RESULT tag=97 err=0 text=
> Oct  9 14:58:08 ldap01 slapd[5679]: conn=1045 op=3 UNBIND
> Oct  9 14:58:08 ldap01 slapd[5679]: conn=1045 fd=12 closed
> Oct  9 14:58:10 ldap01 slapd[5679]: conn=1046 fd=12 ACCEPT from
> IP=192.168.6.182:60016 (IP=0.0.0.0:389)
> Oct  9 14:58:10 ldap01 slapd[5679]: conn=1046 op=0 BIND dn="cn=admin,dc=ss"
> method=128
> Oct  9 14:58:10 ldap01 slapd[5679]: conn=1046 op=0 BIND dn="cn=admin,dc=ss"
> mech=SIMPLE ssf=0
> Oct  9 14:58:10 ldap01 slapd[5679]: conn=1046 op=0 RESULT tag=97 err=0 text=
> Oct  9 14:58:10 ldap01 slapd[5679]: conn=1046 op=1 SRCH base="dc=ss" scope=2
> deref=0 filter="(objectClass=*)"
> Oct  9 14:58:10 ldap01 slapd[5679]: conn=1046 op=1 SRCH attr=*
> structuralObjectClass entryCSN
> Oct  9 14:58:10 ldap01 slapd[5679]: conn=1046 op=1 SEARCH RESULT tag=101
> err=0 nentries=0 text=
> Oct  9 14:58:10 ldap01 slapd[5679]: conn=1046 op=2 UNBIND
> Oct  9 14:58:10 ldap01 slapd[5679]: conn=1046 fd=12 closed
> ##############################
>
> On GUI, it says: "Your password is too big"
>

See this parameter:

$pwd_max_length = 1;

Set it to 0 to remove max size test.

You also need to set ad_mode to false.

Please take a look at the documentation where all parameters are
described: http://ltb-project.org/wiki/documentation/self-service-password/latest/start

Clément.
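
The contradiction pointed out in the reply (a minimum length of 10 with a maximum of 1) can be caught before the configuration is deployed. The following is an added example, not part of the original thread and not Self Service Password's own code; `check_local_policy()` and its messages are hypothetical, and it relies only on what the reply states, that 0 removes the max size test.

```php
<?php
// Added example: consistency check for the local password policy settings.
// check_local_policy() is a hypothetical helper, not Self Service Password code.

function check_local_policy(array $p): array
{
    $problems = [];
    $min = (int) $p['pwd_min_length'];
    $max = (int) $p['pwd_max_length'];   // 0 removes the max size test (per the reply)

    // Characters demanded by the per-class minimums, and how many classes exist.
    $classKeys = ['pwd_min_lower', 'pwd_min_upper', 'pwd_min_digit', 'pwd_min_special'];
    $required = 0;
    foreach ($classKeys as $key) {
        $required += (int) ($p[$key] ?? 0);
    }

    if ($max !== 0 && $min > $max) {
        $problems[] = "pwd_min_length ($min) exceeds pwd_max_length ($max): "
                    . "no password can pass both length tests";
    }
    if ($max !== 0 && $required > $max) {
        $problems[] = "per-class minimums need $required characters, "
                    . "pwd_max_length allows only $max";
    }
    // Assumption: the four classes above are the ones pwd_complexity counts.
    if ((int) ($p['pwd_complexity'] ?? 0) > count($classKeys)) {
        $problems[] = "pwd_complexity asks for more classes than exist";
    }
    return $problems;
}

// Values copied from the config.inc.php quoted in this thread.
$quoted = [
    'pwd_min_length' => 10, 'pwd_max_length' => 1,
    'pwd_min_lower'  => 1,  'pwd_min_upper'  => 1,
    'pwd_min_digit'  => 1,  'pwd_min_special' => 1,
    'pwd_complexity' => 2,
];
// Same policy with the change suggested in the reply.
$fixed = array_merge($quoted, ['pwd_max_length' => 0]);

foreach (['quoted' => $quoted, 'fixed' => $fixed] as $label => $policy) {
    $problems = check_local_policy($policy);
    echo $label, ': ', $problems ? implode('; ', $problems) : 'consistent', "\n";
}
```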

