6.0.0-git
2019-04-24

[#3229] cannot change ldap password without anonymous bind allowed
Summary cannot change ldap password without anonymous bind allowed
Queue Passwd
Queue Version HEAD
Type Bug
State Resolved
Priority 2. Medium
Owners jan (at) horde (dot) org
Requester mi.braun (at) onlinehome (dot) de
Created 2006-01-06 (4856 days ago)
Due
Updated 2006-05-08 (4734 days ago)
Assigned 2006-01-07 (4855 days ago)
Resolved 2006-01-14 (4848 days ago)
Milestone
Patch No

History
2006-05-08 22:21:10 reg (at) evolix (dot) fr Comment #8
New Attachment: passwd-binddn2.diff
Hi,

Here is the patch for this ticket (extracted from ticket 2756).

I tried to clean it up according to CODING_STANDARDS.

Tell me if I forgot any rules.
2006-01-15 18:15:38 mi (dot) braun (at) onlinehome (dot) de Comment #7
I'm sorry but I need to revoke what I just wrote. Please see the other bug.
2006-01-15 18:01:31 mi (dot) braun (at) onlinehome (dot) de Comment #6
Sorry, I just meant _passwd_userdn_hook instead of _passwd_username_hook.
2006-01-15 17:55:22 mi (dot) braun (at) onlinehome (dot) de Comment #5
Okay, I don't need guestdn for the following reason:

The password can only be changed by admindn or by the user himself.

So if the user can connect, then he can determine his own dn. This
binding needs to be possible, as ldap login does the same. But ldap
login uses the _passwd_username_hook.

Otherwise the admin can connect and he should be able to determine the
userdn too.

So if checking for userdn existence uses the _passwd_username_hook, it
should be fine.

I proposed such a patch in bug 2756.
2006-01-15 13:32:01 mi (dot) braun (at) onlinehome (dot) de Comment #4
Committed, but I left out the guestdn changes that didn't make any
sense to me. You could use the admindn parameters for that, it
doesn't *have* to be an admin user.
But if I use the admindn parameters, then line 136ff of
passwd/lib/Driver/ldap.php won't work.

It says:

         // If we used admin bindings, we have to check the password here.
         if (!empty($this->_params['admindn'])) {
             $ldappasswd = ldap_get_values($this->_ds, $entry,
                                           $this->_params['attribute']);
             $result = $this->comparePasswords($ldappasswd[0], $old_password);
             if (is_a($result, 'PEAR_Error')) {
                 return $result;
             }
         }

So if I use a non-privileged user as admindn, then this will certainly fail.

The usage of "guestdn" would allow using a non-privileged user to
bind first for checking whether the horde user exists in ldap and then to
use the identity of the horde user to change its own password.

sincerely,

   m. braun

2006-01-14 18:54:36 Jan Schneider Comment #3
State ⇒ Resolved
Committed, but I left out the guestdn changes that didn't make any 
sense to me. You could use the admindn parameters for that, it doesn't 
*have* to be an admin user.
2006-01-07 12:35:27 Jan Schneider Comment #2
See bug 2756.
2006-01-07 12:34:14 Jan Schneider Assigned to Jan Schneider
State ⇒ Assigned
 
2006-01-06 19:19:02 mi (dot) braun (at) onlinehome (dot) de Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 2. Medium
Summary ⇒ cannot change ldap password without anonymous bind allowed
Queue ⇒ Passwd
New Attachment: passwd.diff
Hi,

I've got horde used with an openldap server.

After updating passwd from cvs, I got several errors while changing my
ldap password by passwd.

1. $ssl is not defined (line 68)

    I think testing $this->_params['sslhost'] is meant by this
undefined local variable.

2. "User not found" (Pear Error Message)

    This is caused as my ldap server does not allow anonymous users to
read anything.

    Therefore I'd like to introduce the optional "guestdn" and
"guestpw" configuration parameters.

3. ldap_get_values : attribute cannot be read

    Although code (line 156) tests whether the shadowMin attribute is
available within the record,

    ldap_get_values fails to get it before.

    So I'd like to suppress the warning message, as it is really no
serious error.

4. code thinks it binds as admin although bind done by user

    This is caused by is_null being used instead of empty.

You find a patch to current CVS attached.

sincerely,

   Mbraun

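The bind and password-check decisions argued over in comments #1 (item 4), #4 and #5 are easy to get subtly wrong, so here is an added example that models them; it is not Horde's code and not the reporter's patch. It is written in Python rather than PHP so it runs without a directory server: an in-memory dict stands in for OpenLDAP, the `ldap_*` functions are stand-ins for PHP's `ldap_bind`, `ldap_search`, `ldap_get_values` and `ldap_mod_replace`, and the ACL is constructed (only the admin DN may read `userPassword`; only the admin or the entry itself may write it). All DNs, passwords and the uid are constructed sample data, and `buggy=True` reproduces the `is_null()` instead of `empty()` check from item 4.

```python
"""Model of the passwd LDAP driver's bind and old-password-check logic.
Added example, not Horde code; all DNs/passwords are constructed."""
import base64
import hashlib
import hmac
import os

ADMIN_DN = "cn=admin,dc=example,dc=org"                # constructed
GUEST_DN = "cn=guest,dc=example,dc=org"                # constructed
USER_DN = "uid=mbraun,ou=people,dc=example,dc=org"     # constructed
ANONYMOUS_READ = False   # like the reporter's server: no anonymous reads


class LdapError(Exception):
    pass


def ssha_hash(password, salt=None):
    """{SSHA} as stored in userPassword: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(stored, password):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(
        hashlib.sha1(password.encode() + salt).digest(), digest)


DIRECTORY = {}   # dn -> attributes; stands in for the LDAP server


def reset_directory():
    DIRECTORY.clear()
    DIRECTORY[ADMIN_DN] = {"userPassword": ssha_hash("admin-pw")}
    DIRECTORY[GUEST_DN] = {"userPassword": ssha_hash("guest-pw")}
    DIRECTORY[USER_DN] = {"uid": "mbraun",
                          "userPassword": ssha_hash("old-secret")}


def ldap_bind(dn, password):
    """Stand-in for ldap_bind(); an empty dn is an anonymous bind."""
    if not dn:
        return None
    entry = DIRECTORY.get(dn)
    if entry is None or not ssha_verify(entry["userPassword"], password or ""):
        raise LdapError("Invalid credentials")
    return dn


def ldap_search_uid(bound_as, uid):
    """Stand-in for ldap_search() on (uid=...); anonymous reads are refused."""
    if bound_as is None and not ANONYMOUS_READ:
        raise LdapError("User not found")
    for dn, attrs in DIRECTORY.items():
        if attrs.get("uid") == uid:
            return dn
    raise LdapError("User not found")


def ldap_get_password(bound_as, dn):
    """Constructed ACL: only the admin may read the stored hash."""
    if bound_as != ADMIN_DN:
        raise LdapError("attribute cannot be read")
    return DIRECTORY[dn]["userPassword"]


def ldap_mod_replace_password(bound_as, dn, new_hash):
    """Constructed ACL: the admin or the entry itself may write it."""
    if bound_as not in (ADMIN_DN, dn):
        raise LdapError("Insufficient access")
    DIRECTORY[dn]["userPassword"] = new_hash


def uses_admin_binding(params, buggy=False):
    """buggy=True mimics is_null(): an empty-string admindn counts as admin."""
    admindn = params.get("admindn")
    return admindn is not None if buggy else bool(admindn)


def change_password(params, username, old_password, new_password, buggy=False):
    # 1. Look up the user's DN with whatever identity the config provides.
    if params.get("admindn"):
        lookup_as = ldap_bind(params["admindn"], params.get("adminpw"))
    elif params.get("guestdn"):
        lookup_as = ldap_bind(params["guestdn"], params.get("guestpw"))
    else:
        lookup_as = ldap_bind(None, None)
    userdn = ldap_search_uid(lookup_as, username)

    # 2. Admin binding: the application must verify the old password itself.
    #    Otherwise bind as the user: that bind is the verification.
    if uses_admin_binding(params, buggy):
        change_as = lookup_as
        if not ssha_verify(ldap_get_password(change_as, userdn), old_password):
            raise LdapError("Incorrect old password")
    else:
        change_as = ldap_bind(userdn, old_password)

    ldap_mod_replace_password(change_as, userdn, ssha_hash(new_password))
    return userdn


def try_change(params, username, old_password, new_password, buggy=False):
    """Run change_password against a fresh directory; return (ok, message)."""
    reset_directory()
    try:
        change_password(params, username, old_password, new_password, buggy)
    except LdapError as e:
        return False, str(e)
    return True, "ok"
```

Running `try_change` with an anonymous configuration reproduces the "User not found" error from comment #1; a non-privileged DN in `admindn` fails at `ldap_get_password` exactly as comment #4 predicts, while the same DN in `guestdn` works because the change is then done under the user's own bind; and the `buggy` flag shows why an empty-string `admindn` must be treated as "no admin binding".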