[sork] [SOLVED] Re: passwd question

Craig White craigwhite at azapple.com
Sat Jun 21 03:16:11 UTC 2008


On Fri, 2008-06-20 at 08:37 -0700, Craig White wrote:
> On Fri, 2008-06-20 at 16:54 +0200, Jan Schneider wrote:
> > Zitat von Craig White <craigwhite at azapple.com>:
> > 
> > > On Thu, 2008-06-19 at 13:30 -0700, Craig White wrote:
> > >> For the first time, I downloaded installed Passwd (3.0.1 I think it is -
> > >> and latest Horde Release 3.2.1)
> > >>
> > >> I commented all items of backends.php out except for smbldap and
> > >> configured it to work as I would expect.
> > >>
> > >> I chose the smbldap because I would like it to change userPassword,
> > >> sambaLMPassword, sambaNTPassword attributes (the sambaLMPassword is
> > >> probably unnecessary but anyway)...
> > >>
> > >> I gave it my old and new passwords and I get this message on screen...
> > >>
> > >> Failure in changing password on Samba/LDAP Server: Insufficient access
> > >>
> > >> but all three passwords (userPassword, sambaLMPassword and
> > >> sambaNTPassword) seemed to have changed anyway.
> > >>
> > >> This is the ACL I'm using in LDAP...does this pose a problem?
> > >>
> > >> access to attrs=userPassword,sambaNTPassword,sambaLMPassword
> > >>         by dn.exact="uid=admin,ou=People,dc=example,dc=com" write
> > >>         by self write
> > >>         by anonymous auth
> > >>         by * none
> > >>
> > >> I've been using this ACL for a pretty long time in a number of
> > >> locations...
> > > ----
> > > I almost suspect that this occurs because of a note in backends.php...
> > >
> > > // NOTE: to set the ldap userdn, see horde/config/hooks.php
> > >
> > > but I don't see anything specifically in hooks.php that refers to the
> > > userdn at all and I do have some hooks that get the cn and mail
> > > attributes.
> > >
> > > So I am using the 'realm' attribute to provide the rest of the $userdn
> > > and I suspect that this is why I am getting the error - even though it
> > > actually changes all the passwords.
> > >
> > > If in fact, I grep for userdn in horde/config/hooks.php.dist, I get
> > > nothing at all.
> > >
> > > Should I write some kind of custom hook to return the actual userdn?
> > > Does something like this already exist?
> > 
> > The hook has been moved to Passwd, so grab a hook.php.dist copy either  
> > from Horde 3.1.x or from Passwd CVS HEAD.
> ----
> OK - set 'realm' in backends.php back to an empty string (again, this is
> using the smbldap configuration)
> 
> added to horde/config/hooks.php...
> 
> if (!function_exists('_passwd_hook_userdn')) {
>     /* Passwd calls this with the Horde user name ($auth) and uses the
>      * returned value as the LDAP user DN ($conf['hooks']['userdn'] = true
>      * in conf.php).  $auth is concatenated unescaped, which assumes it
>      * contains no DN special characters such as ',' or '='. */
>     function _passwd_hook_userdn($auth)
>     {
>         return 'uid=' . $auth . ',ou=people,dc=example,dc=com';
>     }
> }
> 
> (uid=craig,ou=people,dc=example,dc=com is my user DN - notwithstanding
> the substitution of example)
> 
> and logged in, changed my password and the same result...
> userPassword was changed
> sambaNTPassword was changed
> sambaLMPassword was probably changed (I don't use this attribute)
> but the screen gave the same error message as above (Insufficient
> access)
> 
> so it works but it reports a failure and like before, if I click on
> something like e-mail which requires login access, it fails and I have
> to login with my changed password.
> 
> # cat conf.php
> <?php
> /* CONFIG START. DO NOT CHANGE ANYTHING IN OR AFTER THIS LINE. */
> // $Horde: passwd/config/conf.xml,v 1.12 2005/10/09 14:48:58 jan Exp $
> $conf['menu']['apps'] = array('imp', 'ingo', 'kronolith', 'nag',
> 'turba');
> $conf['backend']['backend_list'] = 'hidden';
> $conf['user']['change'] = true;
> $conf['user']['refused'] = array('root', 'bin', 'daemon', 'adm', 'lp',
> 'shutdown', 'halt', 'uucp', 'ftp', 'anonymous', 'nobody', 'httpd',
> 'operator', 'guest', 'diginext', 'bind', 'cyrus', 'courier', 'games',
> 'kmem', 'mailnull', 'man', 'mysql', 'news', 'postfix', 'sshd', 'tty',
> 'www');
> $conf['password']['strengthtests'] = false;
> $conf['hooks']['full_name'] = true;
> $conf['hooks']['default_username'] = false;
> $conf['hooks']['username'] = false;
> $conf['hooks']['userdn'] = true;
----
OK - it's solved and I want to leave tracks for anyone that travels down
my path...

Nowhere in my ACLs do I deal with the attributes sambaPwdLastSet and
sambaPwdMustChange.

I ended up adding them to the ACLs for userPassword, sambaNTPassword
and sambaLMPassword so that 'self' specifically can write these
attributes, and et voilà, problem solved.

Thanks Jan

Craig
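The root cause in the final message is a plain ACL fall-through: an attribute that appears in no `attrs=` clause is governed by whatever later `access to` clause (or the implicit `access to * by * none`) matches it, and that is never `write` for `self`, so a modify of sambaPwdLastSet or sambaPwdMustChange fails with "Insufficient access" even though the password attributes themselves were updated. The following is an added example, not code from this thread or from the Horde/Passwd project: a small Python checker that parses a slapd.conf-style ACL fragment and reports which of the attributes the smbldap backend writes are not writable by `self`. The ACL strings are constructed from the thread (the trailing `access to * by * read` clause, the user DN `uid=craig,ou=people,dc=example,dc=com` and the fixed clause are assumptions), and the checker models only the slapd.access(5) subset those fragments use.

```python
"""Report attributes that an slapd ACL does not let 'self' write.

Added example; not code from the thread or from Horde/Passwd.  Models
only this slapd.access(5) subset (assumption): targets 'access to *' or
'access to attrs=<list>', and 'by <who> <level>' with <who> one of
self, users, anonymous, *, dn.exact="<dn>".  Filters, other dn.<style>
targets, break/continue/stop and the '+'/'=' forms are not modelled.
"""
import re

# slapd privilege ladder; a grant at one level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Attributes the thread shows the Passwd smbldap backend touching.
PASSWD_SMBLDAP_ATTRS = [
    "userPassword", "sambaNTPassword", "sambaLMPassword",
    "sambaPwdLastSet", "sambaPwdMustChange",
]

# Constructed: the poster's original ACL plus an assumed catch-all clause.
ORIGINAL_ACL = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn.exact="uid=admin,ou=People,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""

# Constructed: the fix described in the final message (aging attributes
# added to the same clause so 'self' may write them).
FIXED_ACL = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn.exact="uid=admin,ou=People,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""


def parse_acl(text):
    """Return [(targets, [(who, level), ...]), ...] in file order.

    targets is a set of lower-cased attribute names, or {"*"}.
    """
    clauses = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"access\s+to\s+(\S+)\s*$", line, re.I)
        if m:
            target = m.group(1)
            if target == "*":
                targets = {"*"}
            else:
                am = re.match(r"attrs?=([\w,\-]+)$", target, re.I)
                if not am:
                    raise ValueError("unsupported <what> selector: " + target)
                targets = {a.lower() for a in am.group(1).split(",") if a}
            clauses.append((targets, []))
            continue
        m = re.match(r"by\s+(\S+)\s+(\w+)\s*$", line, re.I)
        if m and clauses and m.group(2).lower() in LEVELS:
            clauses[-1][1].append((m.group(1), m.group(2).lower()))
            continue
        raise ValueError("unparsed line: " + line)
    return clauses


def _who_matches(who, requester_dn, entry_dn):
    """Does a <who> selector match the requester (None = anonymous)?
    DNs are compared lower-cased, a simplification of LDAP DN matching."""
    w = who.lower()
    if w == "*":
        return True
    if w == "anonymous":
        return requester_dn is None
    if w == "users":
        return requester_dn is not None
    if w == "self":
        return requester_dn is not None and requester_dn.lower() == entry_dn.lower()
    m = re.match(r'dn\.exact="([^"]*)"$', who, re.I)
    if m:
        return requester_dn is not None and requester_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported <who> selector: " + who)


def access_level(clauses, attr, requester_dn, entry_dn):
    """slapd order: first matching <what>, then first matching <who>;
    a matched clause with no matching <who>, or no matching clause at
    all, yields the implicit 'none'."""
    for targets, bys in clauses:
        if "*" not in targets and attr.lower() not in targets:
            continue
        for who, level in bys:
            if _who_matches(who, requester_dn, entry_dn):
                return level
        return "none"
    return "none"


def attrs_not_writable_by_self(acl_text, attrs=PASSWD_SMBLDAP_ATTRS,
                               user_dn="uid=craig,ou=people,dc=example,dc=com"):
    """Attributes on which a user bound as its own entry gets less than write."""
    clauses = parse_acl(acl_text)
    return [a for a in attrs
            if LEVELS.index(access_level(clauses, a, user_dn, user_dn)) < LEVELS.index("write")]


if __name__ == "__main__":
    print("original ACL, not self-writable:", attrs_not_writable_by_self(ORIGINAL_ACL))
    print("fixed ACL, not self-writable:   ", attrs_not_writable_by_self(FIXED_ACL))
```

Run against the original fragment it lists sambaPwdLastSet and sambaPwdMustChange; against the fixed one it lists nothing. Two things worth noting before copying the fix: the same check can be made against a live directory by binding as the user and replaying the modify (`ldapmodify -x -D "uid=craig,ou=people,dc=example,dc=com" -W` with an LDIF that does `replace: sambaPwdLastSet`), where "Insufficient access (50)" means the ACL still does not grant it; and granting `self write` on sambaPwdLastSet and sambaPwdMustChange means the user can also set those timestamps to arbitrary values, so anything that enforces password aging from them no longer has a value the user cannot forge.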


