2013/9/2 Dirk Försterling <[email protected]>
> Clément OUDOT schrieb:
> >
> > 2013/8/30 Dirk Försterling <[email protected]>
> >
> > > Clément OUDOT schrieb:
> > > >
> > > > 2013/8/30 Dirk Försterling <[email protected]>
> > > >
> > > > > Hello,
> > > > >
> > > > > I recently encountered the same symptoms Tian Zhiying encountered in
> > > > > February. See:
> > > > >
> > > > > http://lists.ltb-project.org/pipermail/ltb-users/2013-February/000288.html
> > > > >
> > > > > He managed to solve the problem by changing LDAP rights. In my case,
> > > > > however, the LDAP server just reports an anonymous bind and refuses
> > > > > to process the password change for the (non-anonymous) user.
> > > > >
> > > > > This happened with version 0.8 (from RPM) on RHEL 6. The solution
> > > > > that worked for me was to downgrade to 0.6 (with unchanged
> > > > > configuration).
> > > > >
> > > > > What could be the reason why 0.8 does not authenticate to the LDAP
> > > > > server properly where 0.6 does?
> > > >
> > > > Some changes have been done on the configuration (array for password
> > > > policy attributes for example).
> > > >
> > > > Could you send your configuration and some logs?
> > > >
> > > > Clément.
> > >
> > > Attached is the config.inc.php (anonymized) that works with 0.6 but not
> > > with 0.8.
> > >
> > > If I am reading the migration notes for 0.7 and 0.8 correctly, the
> > > config should work without modification, if I don't want the new
> > > features.
> > >
> > > In the Apache log, there are only messages like this:
> > >
> > > [Fri Aug 29 08:12:21 2013] [error] [client 192.168.160.111] LDAP - Modify password error 50 (Insufficient access)
> > >
> > > Unfortunately I cannot send any logs from the LDAP server. The LDAP
> > > admin is out of reach and just told me there are anonymous BINDs before
> > > the password change attempt (when using 0.8).
> >
> > In your config there is:
> >
> > $ldap_binddn = "";
> > $ldap_bindpw = "";
> >
> > Is it normal?
>
> Yes, because the password modification should be done with user
> credentials. Accordingly, I've set:
>
> $who_change_password = "user";
>
I tried your configuration today and I can't reproduce your problem:

$ldap_url = "ldap://localhost";
$ldap_binddn = "";
$ldap_bindpw = "";
$ldap_base = "dc=example,dc=com";
$ldap_filter = "(&(objectClass=person)(uid={login}))";
$who_change_password = "user";

In OpenLDAP logs:

Sep 3 09:27:54 ader slapd[2231]: conn=1009 fd=22 ACCEPT from IP=127.0.0.1:38088 (IP=0.0.0.0:389)
Sep 3 09:27:54 ader slapd[2231]: conn=1009 op=0 BIND dn="" method=128
Sep 3 09:27:54 ader slapd[2231]: conn=1009 op=0 RESULT tag=97 err=0 text=
Sep 3 09:27:54 ader slapd[2231]: conn=1009 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=person)(uid=coudot))"
Sep 3 09:27:54 ader slapd[2231]: conn=1009 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 3 09:27:54 ader slapd[2231]: conn=1009 op=2 BIND dn="uid=coudot,ou=users,dc=example,dc=com" method=128
Sep 3 09:27:54 ader slapd[2231]: conn=1009 op=2 BIND dn="uid=coudot,ou=users,dc=example,dc=com" mech=SIMPLE ssf=0
Sep 3 09:27:54 ader slapd[2231]: conn=1009 op=2 RESULT tag=97 err=0 text=
Sep 3 09:27:54 ader slapd[2231]: conn=1009 op=3 MOD dn="uid=coudot,ou=users,dc=example,dc=com"
Sep 3 09:27:54 ader slapd[2231]: conn=1009 op=3 MOD attr=userPassword
Sep 3 09:27:54 ader slapd[2231]: conn=1009 op=3 RESULT tag=103 err=0 text=
Sep 3 09:27:54 ader slapd[2231]: conn=1009 op=4 UNBIND
Sep 3 09:27:54 ader slapd[2231]: conn=1009 fd=22 closed

Could you try to get a network dump of the LDAP requests you have?

Clément.
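An added example, not code from this thread or from the LTB project, that performs the check Clément's log excerpt invites: it walks slapd stats-level log lines, correlates each BIND and MOD request with its RESULT by (conn, op), and reports whether every MOD was sent on a connection bound as the user or still anonymous, which is the symptom Dirk's LDAP admin described. The conn=1009 lines mirror the thread's working sequence; the conn=1010 lines are constructed to show the failing pattern.

```python
import re

# Constructed slapd "stats" log excerpt. conn=1009 mirrors the working sequence
# from the thread (anonymous BIND, BIND as the user, MOD of userPassword);
# conn=1010 is a constructed failure: MOD sent while still anonymous, err=50.
SAMPLE_LOG = """\
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=0 BIND dn="" method=128
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=0 RESULT tag=97 err=0 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 BIND dn="uid=coudot,ou=users,dc=example,dc=com" method=128
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=2 RESULT tag=97 err=0 text=
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 MOD dn="uid=coudot,ou=users,dc=example,dc=com"
Sep  3 09:27:54 ader slapd[2231]: conn=1009 op=3 RESULT tag=103 err=0 text=
Sep  3 09:30:01 ader slapd[2231]: conn=1010 op=0 BIND dn="" method=128
Sep  3 09:30:01 ader slapd[2231]: conn=1010 op=0 RESULT tag=97 err=0 text=
Sep  3 09:30:01 ader slapd[2231]: conn=1010 op=1 MOD dn="uid=jdoe,ou=users,dc=example,dc=com"
Sep  3 09:30:01 ader slapd[2231]: conn=1010 op=1 RESULT tag=103 err=50 text=
"""

# Matches BIND requests, MOD requests and per-op RESULT lines; "SEARCH RESULT",
# "MOD attr=" and connection-level ACCEPT/closed lines do not match and are skipped.
OP_RE = re.compile(
    r'conn=(\d+) op=(\d+) (?:BIND dn="([^"]*)"|MOD dn="([^"]*)"|RESULT tag=\d+ err=(\d+))'
)

def audit_password_mods(log_text):
    """One record per MOD: the DN its connection was bound as, and the result code.
    A BIND only takes effect once its RESULT is err=0; a connection with no
    successful BIND is anonymous, hence the "" default for bound_as."""
    bound = {}       # conn -> DN of the last successful BIND ("" = anonymous)
    pending = {}     # (conn, op) -> ("bind" | "mod", dn) awaiting its RESULT
    findings = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, bind_dn, mod_dn, err = m.groups()
        if bind_dn is not None:
            pending[(conn, op)] = ("bind", bind_dn)
        elif mod_dn is not None:
            pending[(conn, op)] = ("mod", mod_dn)
        else:
            kind, dn = pending.pop((conn, op), (None, None))
            if kind == "bind" and err == "0":
                bound[conn] = dn
            elif kind == "mod":
                who = bound.get(conn, "")
                findings.append({"conn": conn, "target": dn, "bound_as": who,
                                 "anonymous": who == "", "err": int(err)})
    return findings
```

Run against a real slapd log (loglevel stats), any record with "anonymous": True is a password modify attempted before the user BIND, which is exactly what would produce the error 50 (Insufficient access) seen in the Apache log.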
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users
