[Ltb-users] self-service-password authentication problems

Dirk Försterling df at edelknorz.de
Wed Sep 4 10:59:19 CEST 2013


Clément OUDOT schrieb:
> 
> 
> 
> 2013/9/2 Dirk Försterling <df at edelknorz.de>
> 
>     Clément OUDOT schrieb:
>     >
>     >
>     >
>     > 2013/8/30 Dirk Försterling <df at edelknorz.de>
>     >
>     >     Clément OUDOT schrieb:
>     >     >
>     >     >
>     >     >
>     >     > 2013/8/30 Dirk Försterling <df at edelknorz.de>
>     >     >
>     >     >     Hello,
>     >     >
>     >     >     I recently encountered the same symptoms Tian Zhiying
>     >     >     encountered in February. See:
>     >     >
>     >     >     http://lists.ltb-project.org/pipermail/ltb-users/2013-February/000288.html
>     >     >
>     >     >     He managed to solve the problem by changing LDAP rights.
>     >     >     In my case, however, the LDAP server just reports an
>     >     >     anonymous bind and refuses to process the password change
>     >     >     for the (non-anonymous) user.
>     >     >
>     >     >     This happened with version 0.8 (from RPM) on RHEL 6. The
>     >     >     solution that worked for me was to downgrade to 0.6 (with
>     >     >     unchanged configuration).
>     >     >
>     >     >     What could be the reason why 0.8 does not authenticate
>     >     >     to the LDAP server properly where 0.6 does?
>     >     >
>     >     >
>     >     > Some changes have been done on the configuration (array for
>     >     > password policy attributes for example).
>     >     >
>     >     > Could you send your configuration and some logs?
>     >     >
>     >     > Clément.
>     >
>     >     Attached is the config.inc.php (anonymized) that works with
>     >     0.6 but not with 0.8.
>     >
>     >     If I am reading the migration notes for 0.7 and 0.8 correctly,
>     >     the config should work without modification, if I don't want
>     >     the new features.
>     >
>     >     In the Apache log, there are only messages like this:
>     >
>     >     [Fri Aug 29 08:12:21 2013] [error] [client 192.168.160.111] LDAP -
>     >     Modify password error 50 (Insufficient access)
>     >
>     >     Unfortunately I cannot send any logs from the LDAP server. The
>     >     LDAP admin is out of reach and just told me there are anonymous
>     >     BINDs before the password change attempt (when using 0.8).
>     >
>     >
>     >
>     > In your config there is:
>     >
>     > $ldap_binddn = "";
>     > $ldap_bindpw = "";
>     >
>     >
>     > Is it normal?
> 
>     Yes, because the password modification should be done with user
>     credentials. Accordingly, I've set:
> 
>     $who_change_password = "user";
> 
> 
> 
> I tried your configuration today and I can't reproduce your problem:
> 
> 
> $ldap_url = "ldap://localhost";
> $ldap_binddn = "";
> $ldap_bindpw = "";
> $ldap_base = "dc=example,dc=com";
> $ldap_filter = "(&(objectClass=person)(uid={login}))";
>  
> $who_change_password = "user";
> 
> 
> In OpenLDAP logs :
> 
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 fd=22 ACCEPT from
> IP=127.0.0.1:38088 (IP=0.0.0.0:389)
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=0 BIND dn="" method=128
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=0 RESULT tag=97 err=0 text=
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=1 SRCH
> base="dc=example,dc=com" scope=2 deref=0
> filter="(&(objectClass=person)(uid=coudot))"
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 BIND
> dn="uid=coudot,ou=users,dc=example,dc=com" method=128
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 BIND
> dn="uid=coudot,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 RESULT tag=97 err=0 text=
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 MOD
> dn="uid=coudot,ou=users,dc=example,dc=com"
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 MOD attr=userPassword
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 RESULT tag=103 err=0 text=
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=4 UNBIND
> Sep  3 09:27:54 ader slapd[2231]: conn=1009 fd=22 closed
> 
> 
> 
> Could you try to get a network dump of the LDAP requests you have?
> 

While trying to make those, it suddenly worked. I asked the LDAP admin
about the changes, but there were none made (so he says).
So, it would remain an eternal mystery why (for a while) changing the
passwords worked with 0.6 but not 0.8 here. Sorry.

  -dirk

-- 
 Dirk Försterling  df at edelknorz.de
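The slapd trace quoted in this thread shows the sequence self-service-password follows when $ldap_binddn is empty and $who_change_password = "user": an anonymous BIND, a SRCH that resolves the login to a DN, a BIND as that DN, and only then the MOD of userPassword. When a change fails with "error 50 (Insufficient access)" and the LDAP admin reports anonymous binds, the check worth running against the server log is: which DN was the connection bound as at the moment the MOD was issued? The script below is added here as an example; it is not from the thread, from Dirk or Clément, or from the LTB project. It parses OpenLDAP stats-level log lines (loglevel "stats", the format in the quoted trace) and attributes every MOD to the identity bound on that connection. In the embedded sample, conn=1009 is the trace quoted above; conn=1010 is a constructed failure case, assumed for illustration and not taken from the thread, in which the MOD is sent while the connection is still anonymous.

```python
import re

# Constructed sample of OpenLDAP stats-level logging.
# conn=1009: the successful trace quoted in the thread (anonymous bind,
#            search, bind as the user, modify userPassword).
# conn=1010: ASSUMED failure case, not from the thread: the MOD is sent
#            before any user bind, so it runs as the anonymous identity and
#            slapd answers err=50 (insufficientAccessRights).
SAMPLE_LOG = """\
Sep  3 09:27:54 ader slapd[2231]: conn=1009 fd=22 ACCEPT from IP=127.0.0.1:38088 (IP=0.0.0.0:389)
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=0 BIND dn="" method=128
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=0 RESULT tag=97 err=0 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=person)(uid=coudot))"
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 BIND dn="uid=coudot,ou=users,dc=example,dc=com" method=128
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 BIND dn="uid=coudot,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 RESULT tag=97 err=0 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 MOD dn="uid=coudot,ou=users,dc=example,dc=com"
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 MOD attr=userPassword
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 RESULT tag=103 err=0 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=4 UNBIND
Sep  3 09:27:54 ader slapd[2231]: conn=1009 fd=22 closed
Sep  3 09:28:10 ader slapd[2231]: conn=1010 fd=23 ACCEPT from IP=192.168.160.111:51234 (IP=0.0.0.0:389)
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=0 BIND dn="" method=128
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=0 RESULT tag=97 err=0 text=
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=person)(uid=jdoe))"
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=2 MOD dn="uid=jdoe,ou=users,dc=example,dc=com"
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=2 MOD attr=userPassword
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=2 RESULT tag=103 err=50 text=
Sep  3 09:28:10 ader slapd[2231]: conn=1010 op=3 UNBIND
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'\berr=(\d+)')
ATTR_RE = re.compile(r'\battr=(\S+)')


def audit_mods(log_text):
    """Walk a slapd stats log and return one record per completed MOD,
    noting which DN the connection was bound as when the MOD was issued."""
    bound = {}         # conn -> DN currently authenticated ('' = anonymous)
    pending_bind = {}  # (conn, op) -> DN requested by a BIND awaiting its RESULT
    in_flight = {}     # (conn, op) -> MOD record awaiting its RESULT
    findings = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # ACCEPT / closed lines carry no op number
        conn, op, rest = m.groups()
        key = (conn, op)
        if rest.startswith('BIND '):
            # slapd logs two BIND lines per simple bind (method=128, then
            # mech=SIMPLE); both carry the same dn, so overwriting is harmless.
            pending_bind[key] = DN_RE.search(rest).group(1)
        elif rest.startswith('RESULT '):
            err = int(ERR_RE.search(rest).group(1))
            if key in pending_bind:
                dn = pending_bind.pop(key)
                # A failed bind leaves the connection anonymous.
                bound[conn] = dn if err == 0 else ''
            elif key in in_flight:
                rec = in_flight.pop(key)
                rec['err'] = err
                findings.append(rec)
        elif rest.startswith('MOD '):
            # First MOD line carries dn=..., following ones carry attr=...;
            # the identity is captured when the MOD is first seen.
            rec = in_flight.setdefault(key, {
                'conn': conn, 'op': op, 'target': None,
                'bound_as': bound.get(conn, ''), 'attrs': [], 'err': None,
            })
            dn = DN_RE.search(rest)
            if dn:
                rec['target'] = dn.group(1)
            attr = ATTR_RE.search(rest)
            if attr:
                rec['attrs'].append(attr.group(1))
        elif rest.startswith('UNBIND'):
            bound[conn] = ''
    return findings


def classify(rec):
    """Name the identity a MOD ran under relative to its target entry."""
    if rec['bound_as'] == '':
        return 'anonymous'
    if rec['bound_as'] == rec['target']:
        return 'self-service'
    return 'other-identity'


def anonymous_password_mods(findings):
    """The pattern to look for when self-service-password reports
    'Modify password error 50': a userPassword MOD issued on a connection
    that is still anonymously bound."""
    return [f for f in findings
            if 'userPassword' in f['attrs'] and classify(f) == 'anonymous']


if __name__ == '__main__':
    for rec in audit_mods(SAMPLE_LOG):
        print(f"conn={rec['conn']} op={rec['op']} {classify(rec):14} "
              f"target={rec['target']} attrs={','.join(rec['attrs'])} err={rec['err']}")
```

Run it over the real server log (for example the slapd lines from syslog) in place of SAMPLE_LOG; it needs nothing beyond the default "stats" loglevel. A "self-service" record with err=0 is the trace Clément posted; an "anonymous" record on a userPassword MOD is the symptom the LDAP admin described, and an "other-identity" record means a service account, not the user, performed the change.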

