[horde] Problems with PASSWD and LDAP

Jan Schneider jan at horde.org
Thu Jan 14 20:44:06 UTC 2016


Please don't top-post.

Quoting David Cunningham <dcunningham at additionnetworks.net>:

>> On Jan 13, 2016, at 5:11 AM, Jan Schneider <jan at horde.org> wrote:
>>
>>
>> Quoting David Cunningham <dcunningham at additionnetworks.net>:
>>
>>> Hi All,
>>>
>>> I believe I could make this work with the following:
>>>
>>> 'userdn' => 'uid=%u,ou=$d,ou=customers,dc=mecnet,dc=net'
>>>
>>> If I set the domain manually after the first ou rather than using  
>>> ou=$d, everything works great.  But, it would appear that at some  
>>> point the string replace for $d was removed from the code.  This  
>>> once worked in the version for H3.
>>
>> You need to use the userdn() hook, as mentioned in backends.php.

> Can you give me an example of how to do that?  I tried and it did not work.
>
> The userdn should be:
>
> uid=fullemailaddress,ou=emaildomainname,ou=customers,dc=mecnet,dc=net

How did you try? Show us your hook and we can help you fix it.

>>>> On Jan 12, 2016, at 1:09 PM, David Cunningham  
>>>> <dcunningham at additionnetworks.net> wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I am attempting to configure PASSWD to reset my LDAP passwords on  
>>>> my new Horde 5 installation, just like it once existed on my  
>>>> Horde 3 installation.
>>>>
>>>> I have the following backend configuration… matching my old one:
>>>>
>>>> <?php
>>>> $backends['ldap'] = array(
>>>>   'disabled' => false,
>>>>   'name' => 'Courier Mail Server',
>>>>   'preferred' => 'courier.additionnetworks.net',
>>>>   'driver' => 'Ldap',
>>>>   'policy' => array(
>>>>       'minLength' => 6,
>>>>       'minNumeric' => 1,
>>>>   ),
>>>>   'params' => array(
>>>>       'host' => 'courier.additionnetworks.net',
>>>>       'port' => 389,
>>>>       'basedn' => 'ou=customers,dc=mecnet,dc=net',
>>>>       // LDAP object key attribute.
>>>>       'uid' => 'uid',
>>>>       // The attribute storing the password.
>>>>       //'attribute' => 'Password',
>>>>       // These attributes will enable shadow password policies.
>>>>       // 'shadowlastchange' => 'shadowLastChange',
>>>>       // 'shadowmin' => 'shadowMin',
>>>>       // This will be appended to the username when looking for the userdn.
>>>>       'realm' => '',
>>>>       // Use this filter when searching for the user's DN.
>>>>       'filter' => 'uid',
>>>>       // Hash method to use when storing the password
>>>>       'encryption' => 'crypt',
>>>>       // Whether to enable TLS for this LDAP connection
>>>>       // Note: make sure that the host matches cn in the server certificate.
>>>>       'tls' => false,
>>>>       // Determine the user's DN. %u will be replaced by the user's ID.
>>>>       // Alternatively, disable this option and instead use the 'userdn'
>>>>       // hook (config/hooks.php) to dynamically set the userdn.
>>>>       //'userdn' => 'uid=%u,ou=%d,ou=customers,dc=mecnet,dcnet'
>>>>   ),
>>>> );
>>>>
>>>>
>>>> When attempting to reset a password, I see this in my openldap logs:
>>>>
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201078 fd=18 ACCEPT  
>>>> from IP=216.20.10.19:33899 (IP=0.0.0.0:389)
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201078 fd=18 closed  
>>>> (connection lost)
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 fd=18 ACCEPT  
>>>> from IP=216.20.10.19:33900 (IP=0.0.0.0:389)
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=0 BIND  
>>>> dn="" method=128
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=0 RESULT  
>>>> tag=97 err=0 text=
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=1 SRCH  
>>>> base="" scope=0 deref=0 filter="(objectClass=*)"
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=1 SRCH  
>>>> attr=vendorName vendorVersion namingContexts altServer  
>>>> supportedExtension supportedControl supportedSASLMechanisms  
>>>> supportedLDAPVersion subschemaSubentry
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=1 SEARCH  
>>>> RESULT tag=101 err=0 nentries=1 text=
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=2 SRCH  
>>>> base="" scope=0 deref=0 filter="(objectClass=*)"
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=2 SRCH  
>>>> attr=subschemaSubentry
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=2 SEARCH  
>>>> RESULT tag=101 err=0 nentries=1 text=
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=3 SRCH  
>>>> base="cn=Subschema" scope=0 deref=0 filter="(objectClass=*)"
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=3 SRCH  
>>>> attr=attributeTypes dITContentRules dITStructureRules  
>>>> matchingRules matchingRuleUse nameForms objectClasses ldapSyntaxes
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=3 SEARCH  
>>>> RESULT tag=101 err=0 nentries=1 text=
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=4 BIND  
>>>> dn="uid=dcunningham at test.mecnet.net,ou=customers,dc=mecnet,dc=net"  
>>>> method=128
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=4 RESULT  
>>>> tag=97 err=49 text=
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 op=5 UNBIND
>>>> Jan 12 11:29:19 washington slapd[2489]: conn=201079 fd=18 closed
>>>>
>>>>
>>>> On my Horde 3 installation with the same settings, I get these  
>>>> entries in my logs, which DO work:
>>>>
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200569 fd=18 ACCEPT  
>>>> from IP=216.20.10.16:59812 (IP=0.0.0.0:389)
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200569 op=0 BIND  
>>>> dn="" method=128
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200569 op=0 RESULT  
>>>> tag=97 err=49 text=
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200569 op=1 SRCH  
>>>> base="ou=customers,dc=mecnet,dc=net" scope=2 deref=0  
>>>> filter="(uid=dcunningham at test.mecnet.net)"
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200569 op=1 SEARCH  
>>>> RESULT tag=101 err=0 nentries=1 text=
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200569 op=2 UNBIND
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200569 fd=18 closed
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200570 fd=18 ACCEPT  
>>>> from IP=216.20.10.16:59813 (IP=0.0.0.0:389)
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200570 op=0 BIND  
>>>> dn="uid=dcunningham at test.mecnet.net,ou=test.mecnet.net,ou=customers,dc=mecnet,dc=net"  
>>>> method=128
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200570 op=0 BIND  
>>>> dn="uid=dcunningham at test.mecnet.net,ou=test.mecnet.net,ou=customers,dc=mecnet,dc=net" mech=SIMPLE  
>>>> ssf=0
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200570 op=0 RESULT  
>>>> tag=97 err=0 text=
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200570 op=1 MOD  
>>>> dn="uid=dcunningham at test.mecnet.net,ou=test.mecnet.net,ou=customers,dc=mecnet,dc=net"
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200570 op=1 MOD  
>>>> attr=userPassword
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200570 op=1 RESULT  
>>>> tag=103 err=0 text=
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200570 op=2 UNBIND
>>>> Jan 11 10:12:08 washington slapd[2489]: conn=200570 fd=18 closed
>>>>
>>>>
>>>> Any guidance would be appreciated.
>>>>
>>>> Dave
>>>> --
>>>> Horde mailing list
>>>> Frequently Asked Questions: http://horde.org/faq/
>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>



-- 
Jan Schneider
The Horde Project
http://www.horde.org/
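
The userdn() hook the reply points to, sketched as an added example (not code from this thread or from Horde): it builds the layout requested above, `uid=<address>,ou=<domain>,ou=customers,dc=mecnet,dc=net`, and keeps user-supplied input from altering the DN structure. The `Passwd_Hooks` class name, the single `$userid` argument, the exception type and the sample logins are assumptions; `ldap_escape()` needs PHP 5.6+ with the LDAP extension.

```php
<?php
// Added example, not code from the thread or from Horde.
// Assumed: passwd/config/hooks.php defines Passwd_Hooks, and userdn()
// receives the login name and returns the DN to bind as.
class Passwd_Hooks
{
    // Suffix taken from the 'basedn' in the quoted backend configuration.
    const BASE_DN = 'ou=customers,dc=mecnet,dc=net';

    public function userdn($userid)
    {
        // Logins are full addresses; the domain follows the last '@'.
        $at = strrpos($userid, '@');
        if ($at === false || $at === 0) {
            throw new InvalidArgumentException('Login must be user@domain');
        }
        $domain = strtolower(substr($userid, $at + 1));

        // Allow-list the domain: it becomes an OU name, so a value such as
        // "x,ou=other" must never reach the DN.
        $label = '[a-z0-9]([a-z0-9-]*[a-z0-9])?';
        $pattern = '/^(?=.{1,253}\z)' . $label . '(\.' . $label . ')+\z/';
        if (!preg_match($pattern, $domain)) {
            throw new InvalidArgumentException('Invalid mail domain');
        }

        // Escape the uid value (RFC 4514) so ',', '+', '=' and similar
        // characters in the local part stay inside the attribute value.
        $uid = ldap_escape($userid, '', LDAP_ESCAPE_DN);

        return 'uid=' . $uid . ',ou=' . $domain . ',' . self::BASE_DN;
    }
}

// Demo with constructed logins; runs only when this file is executed
// directly from the CLI, never when Horde includes it.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $hooks = new Passwd_Hooks();
    echo $hooks->userdn('jdoe@test.mecnet.net'), "\n";
    try {
        $hooks->userdn('jdoe@x,ou=other');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

With a hook like this in place, the static 'userdn' parameter in backends.php stays commented out, as the configuration comment in the quoted message describes.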


