
[#3229] cannot change ldap password without anonymous bind allowed
Summary: cannot change ldap password without anonymous bind allowed
Queue: Passwd
Queue Version: HEAD
Type: Bug
State: Resolved
Priority: 2. Medium
Owners: jan (at) horde (dot) org
Requester: mi.braun (at) onlinehome (dot) de
Created: 01/06/2006 (7137 days ago)
Due:
Updated: 05/08/2006 (7015 days ago)
Assigned: 01/07/2006 (7136 days ago)
Resolved: 01/14/2006 (7129 days ago)
Github Issue Link:
Github Pull Request:
Milestone:
Patch: No

History
05/08/2006 10:21:10 PM reg (at) evolix (dot) fr Comment #8
New Attachment: passwd-binddn2.diff
Hi,

Here is the patch for this ticket (extracted from ticket 2756).

I tried to clean it up according to CODING_STANDARDS.

Tell me if I forgot any rules.
01/15/2006 06:15:38 PM mi (dot) braun (at) onlinehome (dot) de Comment #7
I'm sorry, but I need to revoke what I just wrote. Please see the other bug.
01/15/2006 06:01:31 PM mi (dot) braun (at) onlinehome (dot) de Comment #6
Sorry, I just meant _passwd_userdn_hook instead of _passwd_username_hook.
01/15/2006 05:55:22 PM mi (dot) braun (at) onlinehome (dot) de Comment #5
Okay, I don't need guestdn for the following reason:

The password can only be changed by admindn or by the user himself.

So if the user can connect, then he can determine his own dn. This
binding needs to be possible, as ldap login does the same. But ldap
login uses the _passwd_username_hook.

Otherwise the admin can connect and he should be able to determine the
userdn too.

So if checking for userdn existence uses the _passwd_username_hook, it
should be fine.

I proposed such a patch in bug 2756.
01/15/2006 01:32:01 PM mi (dot) braun (at) onlinehome (dot) de Comment #4
Committed, but I left out the guestdn changes that didn't make any
sense to me. You could use the admindn parameters for that, it
doesn't *have* to be an admin user.
But if I use the admindn parameters, then line 136ff of
passwd/lib/Driver/ldap.php won't work.

It says:

         // If we used admin bindings, we have to check the password here.
         if (!empty($this->_params['admindn'])) {
             $ldappasswd = ldap_get_values($this->_ds, $entry,
                                           $this->_params['attribute']);
             $result = $this->comparePasswords($ldappasswd[0], $old_password);
             if (is_a($result, 'PEAR_Error')) {
                 return $result;
             }
         }

So if I use a non-privileged user as admindn, then this will certainly fail.

The usage of "guestdn" would allow using a non-privileged user to
bind first for checking whether the horde user exists in ldap and then to
use the identity of the horde user to change its own password.

sincerely,

   m. braun


01/14/2006 06:54:36 PM Jan Schneider Comment #3
State ⇒ Resolved
Committed, but I left out the guestdn changes that didn't make any
sense to me. You could use the admindn parameters for that, it doesn't
*have* to be an admin user.
01/07/2006 12:35:27 PM Jan Schneider Comment #2
See bug 2756.
01/07/2006 12:34:14 PM Jan Schneider Assigned to Jan Schneider
State ⇒ Assigned
 
01/06/2006 07:19:02 PM mi (dot) braun (at) onlinehome (dot) de Comment #1
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ cannot change ldap password without anonymous bind allowed
Queue ⇒ Passwd
New Attachment: passwd.diff
State ⇒ Unconfirmed
Hi,

I've got Horde used with an OpenLDAP server.

After updating passwd from CVS, I got several errors while changing my
LDAP password with passwd.

1. $ssl is not defined (line 68)

    I think testing $this->_params['sslhost'] is meant by this
undefined local variable.

2. "User not found" (PEAR error message)

    This is caused by my LDAP server not allowing anonymous users to
read anything.

    Therefore I'd like to introduce the optional "guestdn" and
"guestpw" configuration parameters.

3. ldap_get_values: attribute cannot be read

    Although the code (line 156) tests whether the shadowMin attribute is
available within the record, ldap_get_values fails to get it before.

    So I'd like to suppress the warning message, as it is really no
serious error.

4. code thinks it binds as admin although bind done by user

    This is caused by is_null being used instead of empty.

You'll find a patch against current CVS attached.

sincerely,

   Mbraun
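The bind sequence argued over in this ticket (an anonymous lookup that fails under a restrictive ACL, an unprivileged guestdn or the admindn used for the lookup instead, then the user's own bind or an admin-side compare as proof of the old password, and the is_null-versus-empty decision of item 4), as an added Python model that is not the passwd driver's code; the entries, DNs and passwords are constructed sample data.

```python
# Added illustration, not Horde's passwd driver: the lookup-then-bind sequence
# argued in this ticket, run against a constructed in-memory directory whose
# ACL, like the reporter's OpenLDAP, lets an anonymous bind read nothing.
# Constructed sample entries: an admin, an unprivileged lookup ("guest") DN and
# one user.  Passwords are kept in clear only to keep the model short.
ENTRIES = {
    "cn=admin,dc=example,dc=org": {"userPassword": "admin-secret"},
    "cn=lookup,dc=example,dc=org": {"userPassword": "lookup-secret"},
    "uid=alice,ou=people,dc=example,dc=org": {"uid": "alice", "userPassword": "old-pw"},
}

def bind(dn, pw):
    """Simple bind: returns the bound DN, None for anonymous, raises on bad creds."""
    if dn is None:
        return None
    if dn not in ENTRIES or ENTRIES[dn]["userPassword"] != pw:
        raise PermissionError("invalid credentials")
    return dn

def find_dn(bound, uid):
    """Search for uid=<uid>; an anonymous session reads nothing ('User not found')."""
    if bound is None:
        return None
    return next((dn for dn, e in ENTRIES.items() if e.get("uid") == uid), None)

def change_password(params, uid, old, new):
    # Item 4 of the report: decide "admin bind used" with empty()-style truthiness,
    # so admindn == '' is not an admin bind (is_null() would have said it was).
    used_admin = bool(params.get("admindn"))
    if used_admin:
        lookup = (params["admindn"], params["adminpw"])
    elif params.get("guestdn"):            # proposed unprivileged lookup identity
        lookup = (params["guestdn"], params["guestpw"])
    else:
        lookup = (None, None)              # anonymous, the pre-patch behaviour
    userdn = find_dn(bind(*lookup), uid)
    if userdn is None:
        return "User not found"
    if used_admin:
        # An admin bind proves nothing about the user: compare the old password here.
        if ENTRIES[userdn]["userPassword"] != old:
            return "Incorrect old password"
    else:
        try:
            bind(userdn, old)              # the user's own bind is the proof
        except PermissionError:
            return "Incorrect old password"
    ENTRIES[userdn]["userPassword"] = new
    return "OK"
```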
