Issue #351 has been updated by Otrebor Otrebor.
Hello Clément,
My apologies for using the wrong issue tracker.
Anyway, thanks for the swift response.
The content of file.ldif looks like this:
dn: uid=userid,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SSHA}+bOvJ62QaQ56p96x9d2qD0nvIaNtPoRZ
Cheers
Otrebor
----------------------------------------
Bug #351: Allow binddn to be one that is not a manager
http://tools.lsc-project.org/issues/351
Author: Otrebor Otrebor
Status: Assigned
Priority: Normal
Assigned to: Clément OUDOT
Category: Self Service Password
Target version: self-service-password-0.7
Hello,
We have a restricted LDAP, so connecting anonymously is allowed but won't
reveal any data.
So, to perform basic queries one needs to connect with either his user
credentials or a special user that is allowed to read a number of entries (e.g.
uid=anonuser,ou=services,dc=example,dc=com).
With this in place, performing a password change fails with an LDAP error:
PHP Warning: ldap_mod_replace(): Modify: Insufficient access in
/srv/www/htdocs/self-service-password/lib/functions.inc.php on line 254,
referer: https://my.url.com/ssp/index.php
Although it seems to connect with the user's credentials.
Using ldapmodify -xv -D userdn -W -H ldapurl -f file.ldif from the command line
and from the very same system to change the password works without a problem.
So I presume it is not a permission problem within the LDAP server.
The relevant config is like this:
$ldap_binddn = "uid=anonuser,ou=services,dc=example,dc=com";
$ldap_bindpw = "secret";
Leaving this empty for anonymous access does not work.
and
$who_change_password = "user";
Also, using Apache Directory Studio on the LDAP server with the userdn and
password works.
The same is true if I add the LDAP cn=manager,... into ldap_binddn. However, we
consider this a security risk if we have to keep the manager's binddn within
the config file.
I am not very familiar with PHP, so debugging this is a bit tricky for me.
Thanks for your support
Otrebor
_______________________________________________
ltb-dev mailing list
http://lists.ltb-project.org/listinfo/ltb-dev
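
The flow the report expects with $who_change_password = "user", sketched as an added example (not Self Service Password's own code and not from the reporter): the restricted account from $ldap_binddn is used only to locate the entry, then the same connection is re-bound as the user before ldap_mod_replace(), because an LDAP server authorizes each operation against the connection's most recent successful bind. The function name and its parameters are hypothetical, and it assumes the PHP ldap extension, PHP 7+ and a directory that lets an entry write its own userPassword.

```php
<?php
// Added illustration; change_own_password() and its parameters are hypothetical.
function change_own_password($url, $base, $svcDn, $svcPw, $login, $oldPw, $newPw)
{
    $ldap = ldap_connect($url);
    if ($ldap === false) {
        return "invalid LDAP URL";
    }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    try {
        // 1. Bind as the restricted read-only account, only to find the user DN.
        if (!@ldap_bind($ldap, $svcDn, $svcPw)) {
            return "service bind failed: " . ldap_error($ldap);
        }
        // Escape the login so it cannot alter the search filter.
        $filter = "(uid=" . ldap_escape($login, "", LDAP_ESCAPE_FILTER) . ")";
        // "1.1" requests no attributes: only the DN is needed here.
        $search = @ldap_search($ldap, $base, $filter, array("1.1"));
        if (!$search || ldap_count_entries($ldap, $search) !== 1) {
            return "user not found or not unique";
        }
        $userDn = ldap_get_dn($ldap, ldap_first_entry($ldap, $search));

        // 2. Re-bind as the user; this replaces the service identity on the
        //    connection. A DN with an empty password is an unauthenticated
        //    bind that many servers accept, so reject it explicitly.
        if ($oldPw === "" || !@ldap_bind($ldap, $userDn, $oldPw)) {
            return "bad credentials";
        }

        // 3. The modify now runs with the user's own rights. The value has the
        //    same {SSHA} layout as in file.ldif: base64(SHA-1(pw + salt) + salt).
        $salt = random_bytes(4);
        $hash = "{SSHA}" . base64_encode(sha1($newPw . $salt, true) . $salt);
        if (!@ldap_mod_replace($ldap, $userDn, array("userPassword" => $hash))) {
            return "modify failed: " . ldap_error($ldap);
        }
        return "ok";
    } finally {
        ldap_unbind($ldap); // closes the connection on every path
    }
}
```

If step 3 still returns "Insufficient access" while ldapmodify with the same user DN succeeds, comparing the bind DN the server logs for each modify shows which identity the request actually carried.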