
[#8192] smbldap: error changing password
Summary smbldap: error changing password
Queue Passwd
Queue Version 3.1
Type Bug
State Resolved
Priority 2. Medium
Owners jan (at) horde (dot) org
Requester pedretti (at) eco (dot) unibs (dot) it
Created 04/14/2009 (5881 days ago)
Due
Updated 08/20/2009 (5753 days ago)
Assigned 08/18/2009 (5755 days ago)
Resolved 08/20/2009 (5753 days ago)
Milestone 3.1.2
Patch No

History
08/20/2009 03:15:19 PM Jan Schneider Comment #12
State ⇒ Resolved
Okay, I consider this bug closed then.
08/20/2009 09:50:24 AM pedretti (at) eco (dot) unibs (dot) it Comment #11
> Why would you want to disable resetting of the shadowlastchange
> attribute, if you use it. Or asked differently: why do you have
> shadowlastchange attributes if you don't use them?
Well, yes, I granted write to it only to the admin user, when changing
password with its privilege. It makes sense to enable write to it to
self users.
08/19/2009 09:03:49 PM Jan Schneider Comment #10
Why would you want to disable resetting of the shadowlastchange 
attribute, if you use it. Or asked differently: why do you have 
shadowlastchange attributes if you don't use them?
08/19/2009 02:31:01 PM pedretti (at) eco (dot) unibs (dot) it Comment #9
OK, I found the problem: passwd 3.0.1 inside ldap.php tries to change
only the "userPassword" ldap attribute when using smbldap backend.

With 3.1.2 it also tries to update the "shadowLastChange" ldap attribute
which I was denying to self users.

With 3.1.2 it is possible to disable the "shadowLastChange" attribute but
only for the ldap backend, not for the smbldap.

To fix this what about merging smbldap backend inside the ldap one,
where the smb attributes are enabled only if they are uncommented?
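
The access-control change discussed in comments #9 to #11, sketched as an added example (not from the ticket or from Horde). An LDAP modify is applied atomically, so one attribute the bound user may not write is enough for the whole password change to fail with "Insufficient access". Assumptions: an OpenLDAP server configured through slapd.conf and a hypothetical admin DN `cn=admin,dc=my,dc=domain,dc=it`; the ticket shows neither.

```conf
# Added example, not the reporter's actual ACLs. Assumes OpenLDAP (slapd.conf
# syntax) and a hypothetical admin DN. slapd stops at the first "access to"
# rule matching an attribute and at the first matching "by" clause within it.

# Password hashes written by the smbldap backend: owner and admin may write,
# anonymous may only use them to bind, everyone else gets nothing.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn.exact="cn=admin,dc=my,dc=domain,dc=it" write
    by self write
    by anonymous auth
    by * none

# Before (the setup described in comment #11): only the admin may write
# shadowLastChange, so a self-bound modify that includes it is rejected.
#access to attrs=shadowLastChange
#    by dn.exact="cn=admin,dc=my,dc=domain,dc=it" write
#    by * read

# After: the entry's owner may also update shadowLastChange.
access to attrs=shadowLastChange
    by dn.exact="cn=admin,dc=my,dc=domain,dc=it" write
    by self write
    by * read

# Commented out in the ticket's backends.php; add them to the first rule
# only if the backend is configured to set them:
#   sambaPwdLastSet, sambaPwdMustChange

# Everything else: admin write, authenticated users read.
access to *
    by dn.exact="cn=admin,dc=my,dc=domain,dc=it" write
    by users read
    by * none
```

Self write on shadowLastChange also lets users reset their own password-age value without changing the password, which matters where expiry is enforced through that attribute.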
08/19/2009 10:41:44 AM Jan Schneider Comment #8
What *is* your configuration actually?

And can you try to debug this on your own? Maybe the binding doesn't
work the same as in Passwd 3.0.
08/19/2009 10:10:23 AM pedretti (at) eco (dot) unibs (dot) it Comment #7
> Well, these are at least no errors from Horde anymore. It's exactly
> what the error message says: you don't have sufficient permissions to
> update the LDAP attributes.
That's really strange, because with passwd 3.0.1 and the same
configuration it's working fine.
08/19/2009 08:40:57 AM Jan Schneider Comment #6
Well, these are at least no errors from Horde anymore. It's exactly 
what the error message says: you don't have sufficient permissions to 
update the LDAP attributes.
08/19/2009 08:17:43 AM pedretti (at) eco (dot) unibs (dot) it Comment #5
> Please try what I committed.
I tried the FRAMEWORK_3 branch: it still does not work but some
warnings are gone:

same error message:

* ErrorFailure in changing password for Account Economia: Insufficient access

php warnings:

Warning: ldap_mod_replace() [function.ldap-mod-replace]: Modify: Insufficient access in /var/www/horde/passwd/lib/Driver/ldap.php on line 209

Warning: Cannot modify header information - headers already sent by (output started at /var/www/horde/passwd/lib/Driver/ldap.php:209) in /var/www/horde/passwd/templates/common-header.inc on line 4

Warning: Cannot modify header information - headers already sent by (output started at /var/www/horde/passwd/lib/Driver/ldap.php:209) in /var/www/horde/passwd/templates/common-header.inc on line 5
08/18/2009 12:27:36 PM Jan Schneider Comment #4
Taken from Horde Developers
State ⇒ Feedback
Milestone ⇒ 3.1.2
Please try what I committed.
04/16/2009 10:19:35 PM Jan Schneider State ⇒ Assigned
Milestone ⇒ 3.1.1
Priority ⇒ 2. Medium
Assigned to Horde Developers
Assigned to Jan Schneider
 
04/14/2009 01:40:11 PM pedretti (at) eco (dot) unibs (dot) it Comment #1
Priority ⇒ 1. Low
Type ⇒ Bug
Summary ⇒ smbldap: error changing password
Queue ⇒ Passwd
Milestone ⇒
Patch ⇒ No
State ⇒ Unconfirmed
Every time I try to change password after having configured the
smbldap backend I get this message from Passwd:

* ErrorFailure in changing password for Account Economia: Insufficient access

and these php warnings:

Warning: Missing argument 2 for Passwd_Driver_smbldap::_lookupdn(), called in /var/www/horde/passwd/lib/Driver/ldap.php on line 145 and defined in /var/www/horde/passwd/lib/Driver/smbldap.php on line 141

Notice: Undefined variable: passw in /var/www/horde/passwd/lib/Driver/smbldap.php on line 151

Warning: ldap_mod_replace() [function.ldap-mod-replace]: Modify: Insufficient access in /var/www/horde/passwd/lib/Driver/ldap.php on line 201

Warning: Cannot modify header information - headers already sent by (output started at /var/www/horde/passwd/lib/Driver/smbldap.php:141) in /var/www/horde/passwd/templates/common-header.inc on line 4

Warning: Cannot modify header information - headers already sent by (output started at /var/www/horde/passwd/lib/Driver/smbldap.php:141) in /var/www/horde/passwd/templates/common-header.inc on line 5

This is what I have in passwd backends.php:

$backends['smbldap'] = array(
    'name' => 'Account My Domain',
    'preferred' => 'www.example.com',
    'password policy' => array(
        'minLength' => 3,
        'maxLength' => 32
    ),
    'driver' => 'smbldap',
    'params' => array(
        'host' => 'ldap.my.domain.it',
        'port' => 389,
        'basedn' => 'ou=People,dc=my,dc=domain,dc=it',
        'uid' => 'uid',
        // This will be appended to the username when looking for the userdn.
        'realm' => '',
        'encryption' => 'crypt',
        // Make sure the host == cn in the server certificate.
        'tls' => false,
        // If any of the following attributes are commented out, they
        // won't be set on the LDAP server.
        'lm_attribute' => 'sambaLMPassword',
        'nt_attribute' => 'sambaNTPassword',
//        'pw_set_attribute' => 'sambaPwdLastSet',
//        'pw_expire_attribute' => 'sambaPwdMustChange',
        // The number of days until samba passwords expire. If this
        // is commented out, passwords will never expire.
//        'pw_expire_time' => 180,
    )
);
