[horde] Passwd Module - LDAP error, how to set userdn? more attempts

Stuart C. Naifeh scnaifeh at hotmail.com
Wed Jul 31 20:36:55 UTC 2013


No, you just need to set $backends['ldap']['logout'] = true; (also in
backends.local.php) to force a logout after the password is updated in
LDAP.  Once the password has changed, the user needs to be forced to log
back in using the new password so horde can get its hands on the new auth
credentials.


On Wed, Jul 31, 2013 at 4:05 PM, Andy Dorman <adorman at ironicdesign.com> wrote:

> On 07/31/2013 12:58 PM, Stuart C. Naifeh wrote:
>
>> How about adding the following to backends.local.php:
>>
>> $backends['ldap']['params']['userdn'] = 'uid=%u,ou=addresses,o=antespam.com';
>>
>> You'd of course want to delete the line that sets
>> $backends['ldap']['params']['userdn'] from hooks.php.  I also did not need
>> to set $userid in a hook.  If you use the LDAP uid to log in to horde then
>> you probably don't need to, either.
>>
>
> Stuart, I believe you are moving us closer to a solution...I made the
> changes you suggested in passwd/backends.local.php.  Since it is already
> setting values for $backends['ldap'] in that file, I just uncommented and
> edited the userdn line that was already there as you can see below.
>
> NOTE.  Doing this goes against the NOTE the developers put in the source
> code below about seeing horde/config/hooks.php...
>
>
> // NOTE: to set the ldap userdn, see horde/config/hooks.php
> $backends['ldap'] = array(
>     'disabled' => false,
>     'driver' => 'ldap',
>     'logout' => true,
>     'name' => 'FanMailPlus',
>     'params' => array(
>         'host' => 'ldap.ironicdesign.com',
>         'port' => 389,
>         'basedn' => 'ou=addresses,o=antespam.com',
>         // LDAP object key attribute.
>         'uid' => 'uid',
>         // The attribute storing the password.
>         'attribute' => 'userPassword',
>         // These attributes will enable shadow password policies.
>         // 'shadowlastchange' => 'shadowLastChange',
>         // 'shadowmin' => 'shadowMin',
>         // This will be appended to the username when looking for the userdn.
>         'realm' => '',
>         // Use this filter when searching for the user's DN.
>         'filter' => '',
>         // Hash method to use when storing the password
>         'encryption' => 'plain',
>         // Whether to enable TLS for this LDAP connection
>         // Note: make sure that the host matches cn in the server certificate.
>         'tls' => false,
>         // Determine the user's DN. %u will be replaced by the user's ID.
>         'userdn' => 'uid=%u,ou=addresses,o=antespam.com'
>     ),
>     'policy' => array(
>         'minLength' => 8,
>         'minNumeric' => 1,
>         'maxLength' => 128
>     ),
>     'preferred' => '',
> );
>
> The interesting thing is, when I tried it, it actually DID change my
> password (so the userdn was set correctly)...then crashed.
>
> HORDE: [imp] Mail server denied authentication. [pid 14389 on line 94 of
> "/usr/share/horde/imp/lib/Imap/Exception.php"]
>
> OK, our horde config is set to use imp for authentication.  Perhaps if I
> switched to straight LDAP for auth?...I tried that, and again, it crashed
> after changing my password:
>
> HORDE: [imp] Mail server denied authentication. [pid 16424 on line 94 of
> "/usr/share/horde/imp/lib/Imap/Exception.php"]
> HORDE: Bind failed: Invalid credentials [pid 16424 on line 247 of
> "/usr/share/php/Horde/Ldap.php"]
>
> I was able to see the detailed trace for this error and as you can see,
> the userdn was fine...it just had the old password.
>
>     [message:protected] => Bind failed: Invalid credentials
>     [string:Exception:private] =>
>     [code:protected] => 49
>     [file:protected] => /usr/share/php/Horde/Ldap.php
>     [line:protected] => 247
>     [trace:Exception:private] => Array
>         (
>             [0] => Array
>                 (
>                     [file] => /usr/share/php/Horde/Core/Factory/Ldap.php
>                     [line] => 79
>                     [function] => bind
>                     [class] => Horde_Ldap
>                     [type] => ->
>                     [args] => Array
>                         (
>                             [0] => uid=andydorman at comehome.net,ou=addresses,o=antespam.com
>                             [1] => oldpassword
>                         )
> ...
>
> At this point, it looks like passwd/backends.local.php can set userdn just
> fine...but when the password is changed, we get a crash instead of a
> graceful logout.  I think I saw someone else report a similar problem about
> that earlier.
>
> --
> Andy Dorman