Summary | cannot change ldap password without anonymous bind allowed |
Queue | Passwd |
Queue Version | HEAD |
Type | Bug |
State | Resolved |
Priority | 2. Medium |
Owners | jan (at) horde (dot) org |
Requester | mi.braun (at) onlinehome (dot) de |
Created | 01/06/2006 (7137 days ago) |
Due | |
Updated | 05/08/2006 (7015 days ago) |
Assigned | 01/07/2006 (7136 days ago) |
Resolved | 01/14/2006 (7129 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
New Attachment: passwd-binddn2.diff
Here is the patch for this ticket (extracted from ticket 2756). I tried
to clean it up according to CODING_STANDARDS. Tell me if I forgot any
rules.
The password can only be changed by admindn or by the user himself.
So if the user can connect, then he can determine his own dn. This
binding needs to be possible, as ldap login does the same. But ldap
login uses the _passwd_username_hook.
Otherwise the admin can connect and he should be able to determine the
userdn too.
So if checking for userdn existence uses the _passwd_username_hook, it
should be fine.
I proposed such a patch in bug 2756.

passwd/lib/Driver/ldap.php won't work.
It says:
    // If we used admin bindings, we have to check the password here.
    if (!empty($this->_params['admindn'])) {
        $ldappasswd = ldap_get_values($this->_ds, $entry,
                                      $this->_params['attribute']);
        $result = $this->comparePasswords($ldappasswd[0], $old_password);
        if (is_a($result, 'PEAR_Error')) {
            return $result;
        }
    }
So if I use a non-privileged user as admindn, then this will certainly fail.
The usage of "guestdn" would allow using a non-privileged user to
bind first for checking whether the horde user exists in ldap and then to
use the identity of the horde user to change its own password.
Sincerely,
m. braun
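The flow argued for above (a low-privilege lookup bind to resolve the user's DN, then the user's own bind to prove the old password and change it), as an added PHP example that is not Horde's passwd code: it assumes PHP's ldap extension, server-side password hashing, and the parameter names hostspec, port, tls, basedn and uid in addition to the ticket's guestdn, guestpw and attribute; the function name is hypothetical.

```php
<?php
// Added example (not code from Horde's passwd module): resolve the user's DN
// with a low-privilege lookup bind, let the directory verify the old password
// by binding as the user, then change the password under that identity.
// guestdn/guestpw/attribute follow the ticket; the other parameter names and
// the function name are assumptions.
function change_ldap_password(array $params, string $username,
                              string $old_password, string $new_password): bool
{
    $ds = ldap_connect($params['hostspec'], $params['port'] ?? 389);
    if ($ds === false) {
        throw new RuntimeException('cannot reach LDAP server');
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    if (!empty($params['tls'])) {
        ldap_start_tls($ds); // passwords must not cross a cleartext connection
    }

    // Step 1: lookup bind. empty(), not is_null(): an unset or '' guestdn must
    // fall back to an anonymous bind rather than be treated as a real DN.
    $lookupdn = empty($params['guestdn']) ? null : $params['guestdn'];
    $lookuppw = empty($params['guestdn']) ? null : $params['guestpw'];
    if (!@ldap_bind($ds, $lookupdn, $lookuppw)) {
        throw new RuntimeException('lookup bind failed: ' . ldap_error($ds));
    }

    // Step 2: find exactly one entry for the user; escape the filter value.
    $filter = sprintf('(%s=%s)', $params['uid'], ldap_escape($username, '', LDAP_ESCAPE_FILTER));
    $sr = ldap_search($ds, $params['basedn'], $filter, ['dn']);
    if ($sr === false || ldap_count_entries($ds, $sr) !== 1) {
        throw new RuntimeException('user not found or ambiguous');
    }
    $userdn = ldap_get_dn($ds, ldap_first_entry($ds, $sr));

    // Step 3: bind as the user. The directory checks the old password, so no
    // read access to the password attribute and no client-side comparison is needed.
    if (!@ldap_bind($ds, $userdn, $old_password)) {
        return false; // wrong old password (or account locked)
    }

    // Step 4: write the new password under the user's own identity; the server
    // hashes it, so no scheme has to be chosen client-side.
    $ok = ldap_mod_replace($ds, $userdn, [$params['attribute'] => $new_password]);
    ldap_unbind($ds);
    return $ok;
}
```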
State ⇒ Resolved
sense to me. You could use the admindn parameters for that, it doesn't
*have* to be an admin user.
State ⇒ Assigned
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ cannot change ldap password without anonymous bind allowed
Queue ⇒ Passwd
New Attachment: passwd.diff
State ⇒ Unconfirmed
I've got Horde running with an OpenLDAP server.
After updating passwd from CVS, I got several errors while changing my
LDAP password with passwd.
1. $ssl is not defined (line 68)
I think testing $this->_params['sslhost'] is meant by this
undefined local variable.
2. "User not found" (PEAR error message)
This is caused by my LDAP server not allowing anonymous users to
read anything.
Therefore I'd like to introduce the optional "guestdn" and
"guestpw" configuration parameters.
3. ldap_get_values: attribute cannot be read
Although the code (line 156) tests whether the shadowMin attribute is
available within the record,
ldap_get_values fails to get it before that.
So I'd like to suppress the warning message, as it is really no
serious error.
4. code thinks it binds as admin although the bind was done by the user
This is caused by is_null being used instead of empty.
You find a patch against current CVS attached.
Sincerely,
Mbraun