Issue #351 has been updated by Clément OUDOT.
Otrebor Otrebor wrote: > Hi > > sorry for coming back late, but I only got back access to this system today. > > Yes, you were right regarding the permissions. > I gave the users the self modify permissions to > sambaNTPassword,sambaPwdLastSet,and userPassword. > Now, changing the user password via the Web-Form works as expected. > > However, what puzzles me is the fact that it still does not work via > email-tokens. Again I get "Insufficent Access". > > I assume, that I would need an ldap admin account for ldap_binddn to have > this working? > Am I correct on this? Yes, as you use a token, you cannot bind as user, so you need to bind as an administrator to change the password. ---------------------------------------- Bug #351: Allow binddn to be one that is not a manager http://tools.lsc-project.org/issues/351 Author: Otrebor Otrebor Status: Assigned Priority: Normal Assigned to: Clément OUDOT Category: Self Service Password Target version: self-service-password-? Hello we have a restricted LDAP, so connecting anonymously is allowed but won't reveal any data. So, to perform basic queries one needs to connect with either his user credentials or a special user that is allowed to read a number of entries (eg: uid=anonuser,ou=services,dc=example,dc=com) With this in place, performing a password change fails with LDAP Error: PHP Warning: ldap_mod_replace(): Modify: Insufficient access in /srv/www/htdocs/self-service-password/lib/functions.inc.php on line 254, referer: https://my.url.com/ssp/index.php Although it seems to connect with the users' credentials. Using ldapmodify -xv -D userdn -W -H ldapurl -f file.ldif from the command line and from the very same system to change the password works without a problem. So I presume it is not a permission problem within the ldap server. the relevant config is like this: $ldap_binddn = "uid=anonuser,ou=services,dc=example,dc=com"; $ldap_bindpw = "secret"; leaving this empty for anonymous access does not work. and $who_change_password = "user"; Also using Apache Directory Studio on the ldap server with the userdn and password works. The same is true if I add the ldap cn=manager,... into ldap_binddn. However we consider this as a security risk if we have to keep the manager's binddn within the config file. I am not very familiar with php, so debugging this is a bit tricky for me. Thanks for your support Otrebor -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://tools.lsc-project.org/my/account
_______________________________________________ ltb-dev mailing list [email protected] http://lists.ltb-project.org/listinfo/ltb-dev
