[Ltb-users] self-service-password authentication problems

Dirk Försterling df at edelknorz.de
Mon Sep 2 09:39:11 CEST 2013


Clément OUDOT wrote:
> 
> 
> 
> 2013/8/30 Dirk Försterling <df at edelknorz.de>
> 
>     Clément OUDOT wrote:
>     >
>     >
>     >
>     > 2013/8/30 Dirk Försterling <df at edelknorz.de>
>     >
>     >     Hello,
>     >
>     >     I recently encountered the same symptoms Tian Zhiying
>     >     encountered in February. See:
>     >     http://lists.ltb-project.org/pipermail/ltb-users/2013-February/000288.html
>     >
>     >     He managed to solve the problem by changing LDAP rights. In my
>     >     case, however, the LDAP server just reports an anonymous bind and
>     >     refuses to process the password change for the (non-anonymous)
>     >     user.
>     >
>     >     This happened with version 0.8 (from RPM) on RHEL 6. The
>     >     solution that worked for me was to downgrade to 0.6 (with
>     >     unchanged configuration).
>     >
>     >     What could be the reason why 0.8 does not authenticate to the LDAP
>     >     server properly where 0.6 does?
>     >
>     >
>     > Some changes have been done on the configuration (array for password
>     > policy attributes for example).
>     >
>     > Could you send your configuration and some logs?
>     >
>     > Clément.
> 
>     Attached is the config.inc.php (anonymized) that works with 0.6 but not
>     with 0.8.
> 
>     If I am reading the migration notes for 0.7 and 0.8 correctly,
>     the config should work without modification, if I don't want the new
>     features.
> 
>     In the Apache log, there are only messages like this:
> 
>     [Fri Aug 29 08:12:21 2013] [error] [client 192.168.160.111] LDAP - Modify password error 50 (Insufficient access)
> 
>     Unfortunately I cannot send any logs from the LDAP server. The LDAP
>     admin is out of reach and just told me there are anonymous BINDs before
>     the password change attempt (when using 0.8).
> 
> 
> 
> In your config there is:
> 
> $ldap_binddn = "";
> $ldap_bindpw = "";
> 
> 
> Is it normal?

Yes, because the password modification should be done with user
credentials. Accordingly, I've set:

$who_change_password = "user";

  -dirk

-- 
Dirk Försterling     df at edelknorz.de

