[sork] Passwd with Openldap

eculp at encontacto.net eculp at encontacto.net
Thu May 27 09:48:55 PDT 2004


Quoting David Wilson <dave at dcdata.co.za>:

> Hi guys,
>
> How are you ?
> I've used horde and some of its modules for years and have always 
> found them brilliant.
>
> Currently I've installed an openldap-postfix-courier-imp solution.
> All email delivery and IMP is working 100% except for my password 
> changing via the "passwd" module.
> My users in LDAP are configured as "dn: 
> uid=davew,ou=users,dc=stjohns,dc=net" and my passwords are "crypt" 
> based, (userPassword attribute).
> When I change my password in passwd I get "Incorrect Password".
> My OpenLDAP, Turba, Horde, IMP and Passwd are all the latest stable versions.
> I've also recompiled my PHP with mhash and tried SSHA encryption for 
> passwords but still seem to pick up the same problem.
>
> I've got the following in my slapd.conf (perhaps I've messed up the 
> access here):
> index   objectClass  pres,eq
> index   mail,cn,uid  eq,sub
> access to attribute=userPassword
>        by self write
>        by anonymous read
>        by * none
> access to *
>         by * read
>
> And the following in my backends.php:
> $backends['ldap'] = array(
>     'name' => 'St. Johns directory',
>     'preferred' => '',
>     'password policy' => array(
>         'minLength' => 3,
>         'maxLength' => 8
>     ),
>     'driver' => 'ldap',
>     'params' => array(
>         'host' => 'localhost',
>         'port' => 389,
>         'basedn' => 'dc=stjohns,dc=net',
>         'uid' => 'uid',
> //        'realm' => 'dc=stjohns,dc=net', // this will be appended to the username
> //                                        // when looking for the userdn.
> //        'userdn' => 'uid=' . Auth::getAuth() . ',ou=users',
>         'encryption' => 'crypt',
>     )
> );
>
>
>
> As far as I can see this is all correct ?
>
> Please have a look at this and correct me where I'm wrong.
> Thank you.
>

Do you not need to set the realm?

I first set the value of vdomain to the clean domain name (not
needed if not using virtual domains) and complete the userdn as
below.

if (isset($_SERVER['HTTP_HOST'])) {
    // Strip common host prefixes so only the bare domain is left.
    $vdomain = strtolower(preg_replace('/^mail\.|^www\.|^www\.mail\.|^mobile\.|^www\.mobile\./i',
                                       '', $_SERVER['HTTP_HOST']));
}

//        'realm' => 'yourdomain.com',  // if not using virtual domains.
         'realm' => $vdomain,
         'userdn' => 'mail=' . Auth::getAuth() . ',ou=people,o=mydomain.org',

There is also a hook for an anonymous bind should you need it.

I'm not sure that this is the correct or best way to do it but it
works for me.

Hope this helps,

ed
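The thread turns on how slapd compares a bind password against a hashed userPassword value (crypt in David's setup, SSHA once mhash was compiled in). As an added illustration that is not part of either message, the following Python reproduces OpenLDAP's {SSHA} and {SHA} userPassword encoding and the check a bind performs; the sample values are constructed here.

```python
import base64
import hashlib
import hmac
import os

SHA1_LEN = 20  # SHA-1 digest length in bytes


def make_ssha(password, salt=None):
    """Return an OpenLDAP-style {SSHA} userPassword value.

    Wire format: "{SSHA}" + base64( SHA1(password || salt) || salt ).
    A fresh random salt is drawn when none is supplied.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(stored, candidate):
    """Check a cleartext candidate against a {SSHA} or {SHA} userPassword.

    Mirrors what slapd does on a simple bind: decode the stored value,
    recompute the digest with the embedded salt (if any) and compare in
    constant time.  Unknown schemes are rejected rather than guessed at.
    """
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        expected = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(raw, expected)
    raise ValueError("unsupported userPassword scheme: " + stored[:8])


if __name__ == "__main__":
    # Constructed sample: what passwd would write, and what a bind checks.
    value = make_ssha("correct horse", salt=b"ab12")
    print(value, verify_userpassword(value, "correct horse"))
```

Password changes submitted through the passwd module only succeed if the initial bind with the old password passes exactly this check against the resolved userdn, which is why a wrong realm/userdn surfaces as "Incorrect Password".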


