[Ltb-users] self-service-password authentication problems

Clément OUDOT clem.oudot at gmail.com
Tue Sep 3 09:37:27 CEST 2013


2013/9/2 Dirk Försterling <df at edelknorz.de>

> Clément OUDOT schrieb:
> >
> >
> >
> > 2013/8/30 Dirk Försterling <df at edelknorz.de>
> >
> >     Clément OUDOT schrieb:
> >     >
> >     >
> >     >
> >     > 2013/8/30 Dirk Försterling <df at edelknorz.de>
> >     >
> >     >     Hello,
> >     >
> >     >     I recently encountered the same symptoms Tian Zhiying
> >     encountered in
> >     >     February. See:
> >     >
> >
> http://lists.ltb-project.org/pipermail/ltb-users/2013-February/000288.html
> >     >
> >     >     He managed to solve the problem by changing LDAP rights. In my
> >     case,
> >     >     however, the LDAP server just reports an anonymous bind and
> >     >     refuses to process the password change for the (non-anonymous)
> >     user.
> >     >
> >     >     This happened with version 0.8 (from RPM) on RHEL 6. The
> >     solution that
> >     >     worked for me was to downgrade to 0.6 (with unchanged
> >     configuration).
> >     >
> >     >     What could be the reason why 0.8 does not authenticate to the
> LDAP
> >     >     server properly where 0.6 does?
> >     >
> >     >
> >     > Some changes have been done on the configuration (array for
> password
> >     > policy attributes for example).
> >     >
> >     > Could you send your configuration and some logs?
> >     >
> >     > Clément.
> >
> >     Attached is the config.inc.php (anonymized) that works with 0.6 but
> not
> >     with 0.8.
> >
> >     If I am reading the migration notes for 0.7 and 0.8 correctly,
> >     the config should work without modification, if I don't want the new
> >     features.
> >
> >     In the apache Log, there are only messages like this:
> >
> >     [Fri Aug 29 08:12:21 2013] [error] [client 192.168.160.111] LDAP - Modify password error 50 (Insufficient access)
> >
> >     Unfortunately I cannot send any logs from the LDAP server. The LDAP
> >     admin is out of reach and just told me there are anonymous BINDs
> before
> >     the password change attempt (when using 0.8).
> >
> >
> >
> > In your config there is:
> >
> > $ldap_binddn = "";
> > $ldap_bindpw = "";
> >
> >
> > Is it normal?
>
> Yes, because the password modification should be done with user
> credentials. Accordingly, I've set:
>
> $who_change_password = "user";
>
>

I tried your configuration today and I can't reproduce your problem:


$ldap_url = "ldap://localhost";
$ldap_binddn = "";
$ldap_bindpw = "";
$ldap_base = "dc=example,dc=com";
$ldap_filter = "(&(objectClass=person)(uid={login}))";

$who_change_password = "user";


In OpenLDAP logs:

Sep  3 09:27:54 ader slapd[2231]: conn=1009 fd=22 ACCEPT from IP=127.0.0.1:38088 (IP=0.0.0.0:389)
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=0 BIND dn="" method=128
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=0 RESULT tag=97 err=0 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=person)(uid=coudot))"
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 BIND dn="uid=coudot,ou=users,dc=example,dc=com" method=128
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 BIND dn="uid=coudot,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 RESULT tag=97 err=0 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 MOD dn="uid=coudot,ou=users,dc=example,dc=com"
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 MOD attr=userPassword
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 RESULT tag=103 err=0 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=4 UNBIND
Sep  3 09:27:54 ader slapd[2231]: conn=1009 fd=22 closed



Could you try to get a network dump of the LDAP requests you have?


Clément.
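The thread hinges on what slapd sees on the connection before the MOD: a self-service tool configured with $who_change_password = "user" must bind as the user (op=2 above) before modifying userPassword, otherwise the server only ever sees the anonymous bind and answers err=50. The script below is an added example for anyone checking this from the server side; it is not part of the thread or of self-service-password. It walks slapd log lines, tracks the DN each connection is bound as, and flags userPassword modifications issued while the connection is still anonymous. The conn=1009 lines are the successful sequence quoted above; conn=1010 is a constructed failing sequence (no user bind, err=50), and the regexes are assumptions about the default slapd "stats" log format.

```python
import re

# Sample slapd log, constructed for this example. conn=1009 reproduces the
# working sequence from the thread (anonymous bind, search, bind as user,
# modify). conn=1010 is a constructed failure: the modify is sent while the
# connection is still bound anonymously and slapd answers err=50.
SAMPLE_LOG = """\
Sep  3 09:27:54 ader slapd[2231]: conn=1009 fd=22 ACCEPT from IP=127.0.0.1:38088 (IP=0.0.0.0:389)
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=0 BIND dn="" method=128
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=0 RESULT tag=97 err=0 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=person)(uid=coudot))"
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 BIND dn="uid=coudot,ou=users,dc=example,dc=com" method=128
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 BIND dn="uid=coudot,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 RESULT tag=97 err=0 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 MOD dn="uid=coudot,ou=users,dc=example,dc=com"
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 MOD attr=userPassword
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 RESULT tag=103 err=0 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=4 UNBIND
Sep  3 09:27:54 ader slapd[2231]: conn=1009 fd=22 closed
Sep  3 09:28:10 ader slapd[2231]: conn=1010 fd=23 ACCEPT from IP=127.0.0.1:38090 (IP=0.0.0.0:389)
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=0 BIND dn="" method=128
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=0 RESULT tag=97 err=0 text=
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=person)(uid=jdoe))"
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=2 MOD dn="uid=jdoe,ou=users,dc=example,dc=com"
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=2 MOD attr=userPassword
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=2 RESULT tag=103 err=50 text=
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=3 UNBIND
Sep  3 09:28:10 ader slapd[2231]: conn=1010 fd=23 closed
"""

# Assumed shape of slapd "stats" log lines: conn=N op=M <KIND> <rest>
OP_RE = re.compile(r"conn=(\d+) op=(\d+) (\w+)(.*)$")
DN_RE = re.compile(r'dn="([^"]*)"')
ATTR_RE = re.compile(r"attr=(\S+)")
RESULT_RE = re.compile(r"RESULT tag=(\d+) err=(\d+)")

LDAP_INSUFFICIENT_ACCESS = 50  # the err=50 seen in the thread


def parse_modifies(log_text):
    """Return one record per MOD operation: the DN modified, the DN the
    connection was bound as at that moment ("" means anonymous), the
    attributes touched and the result code."""
    bound_as = {}   # conn id -> DN currently bound on that connection
    pending = {}    # (conn, op) -> in-flight BIND or MOD awaiting its RESULT
    records = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # ACCEPT / closed lines carry no op number
        conn, op, kind, rest = m.group(1), int(m.group(2)), m.group(3), m.group(4)
        key = (conn, op)
        bound_as.setdefault(conn, "")  # every new connection starts anonymous
        if kind == "BIND":
            dn = DN_RE.search(rest)
            if dn:  # slapd logs two BIND lines per op; both carry the same dn
                pending[key] = {"kind": "BIND", "dn": dn.group(1)}
        elif kind == "MOD":
            dn = DN_RE.search(rest)
            attr = ATTR_RE.search(rest)
            entry = pending.setdefault(key, {"kind": "MOD", "dn": "", "attrs": []})
            if dn:
                entry["dn"] = dn.group(1)
            if attr:
                entry["attrs"].append(attr.group(1))
        elif kind == "RESULT":
            r = RESULT_RE.search(line)
            entry = pending.pop(key, None)
            if not r or entry is None:
                continue
            err = int(r.group(2))
            if entry["kind"] == "BIND" and err == 0:
                bound_as[conn] = entry["dn"]  # successful bind changes identity
            elif entry["kind"] == "MOD":
                records.append({"conn": conn, "op": op, "target": entry["dn"],
                                "bound_as": bound_as[conn],
                                "attrs": entry["attrs"], "err": err})
        elif kind == "UNBIND":
            bound_as[conn] = ""
    return records


def anonymous_password_changes(records):
    """MOD records that touched userPassword while the connection was still
    anonymous: the server-side view of the client's missing user bind."""
    return [r for r in records
            if "userPassword" in r["attrs"] and r["bound_as"] == ""]


if __name__ == "__main__":
    recs = parse_modifies(SAMPLE_LOG)
    for r in recs:
        who = r["bound_as"] or "anonymous"
        print(f"conn={r['conn']} op={r['op']} MOD {r['target']} "
              f"attrs={r['attrs']} bound_as={who} err={r['err']}")
    for r in anonymous_password_changes(recs):
        print(f"WARNING conn={r['conn']}: userPassword modified without a user "
              f"bind (err={r['err']})")
```

Run it against a real slapd log (loglevel stats) instead of SAMPLE_LOG to confirm whether the client ever sends the second BIND; if every flagged connection also ends in err=50, the problem is on the client side, not in the server's ACLs.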