[Ltb-users] ldap_bind : unable to bind to server
Alessandro Bazoli
2015-04-14 15:21:13 UTC
Hello all, I installed LTP, customized the config.inc.php on the Apache running web server.
When I access the home page ssp.mydomain.local and I fill up details in order to change my password :
LOGIN -> My AD username (is part of domain administrator group)
OLD PASSWORD --> My AD password
NEW PASSWORD --> the new password chosen
CONFIRM --> repeat the new password

I get the error as from the gui snapshot attached and I can see an error in the logfile :

error] [client 192.168.0.165] PHP Warning: ldap_bind(): Unable to bind to server: Invalid credentials in /usr/share/self-service-password/pages/change.php on line 89, referer: http://192.168.0.207/
[Tue Apr 14 15:39:45 2015] [error] [client 192.168.0.165] LDAP - Bind error 49 (Invalid credentials), referer: http://192.168.0.207/
[Tue Apr 14 15:39:45 2015] [error] [client 192.168.0.165] PHP Notice: Undefined index: changehelpextramessage in /usr/share/self-service-password/pages/change.php on line 184, referer: http://192.168.0.207

Could you please advise me how to troubleshoot and solve the issue?
Thanks
Best Regards
Alessandro
Clément OUDOT
2015-04-14 16:20:33 UTC
Post by Alessandro Bazoli
Hello all, I installed LTP , customized the config.inc.php on the apache
running web server.
When I access the home page ssp.mydomain.local and I fill up details in
LOGIN -> My AD username (is part of domain administrator group)
OLD PASSWORD --> My AD password
NEW PASSWORD --> the new password chosen
CONFIRM --> repeat the new password
error] [client 192.168.0.165] PHP Warning: ldap_bind(): Unable to bind to
server: Invalid credentials in
http://192.168.0.207/
[Tue Apr 14 15:39:45 2015] [error] [client 192.168.0.165] LDAP - Bind error
49 (Invalid credentials), referer: http://192.168.0.207/
Undefined index: changehelpextramessage in
http://192.168.0.207
Could you please advise me how do I troubleshooting and solve the issue?
Thanks
Seems you have a configuration mistake for the Bind DN and Bind
Password, check them.


Clément.
Alessandro Bazoli
2015-04-14 16:24:53 UTC
I used dsquery on the DC to get the proper BIND DN strings and got over that issue.
Now it connects OK, but when trying to change the password through the GUI I get this error message in the log:

[Tue Apr 14 17:18:46 2015] [error] [client 192.168.0.165] PHP Warning: ldap_get_dn() expects parameter 2 to be resource, boolean given in /usr/share/self-service-password/pages/change.php on line 112, referer: http://192.168.0.207/

Any idea of that?
Thanks
Alessandro


Clément OUDOT
2015-04-15 08:25:14 UTC
Post by Alessandro Bazoli
I use dsquery on DC to get proper BIND DN strings and got over that issue.
[Tue Apr 14 17:18:46 2015] [error] [client 192.168.0.165] PHP Warning: ldap_get_dn() expects parameter 2 to be resource, boolean given in /usr/share/self-service-password/pages/change.php on line 112, referer: http://192.168.0.207/
Seems the user account is not found.


Clément.
Alessandro Bazoli
2015-04-15 11:39:22 UTC
I feel I probably haven’t edited properly the 3 red/bold coded variables below

User “abazoli” is the samid of the user trying to change its password (see attachment)

1st attempt) in the LOGIN field he just places abazoli

2nd attempt) in the LOGIN field he just places ***@peerius.local

Both trials end up with LOGIN OR PASSWORD INCORRECT in the GUI splash screen and with this error in the error_log file.

1) [error] [client 192.168.0.165] LDAP - User abazoli not found, referer: http://ssp.peerius.local/

2) [error] [client 192.168.0.165] LDAP - User ***@peerius.local not found, referer: http://ssp.peerius.local/

$ldap_binddn refers to an administrator account with samid abazoliadmin and $ldap_bindpw refers to this admin account password.

I gather those credentials are used when $who_change_password is set to manager. Correct?

All the users meant to change their password are part of OU=London at the moment.

We also have another OU, which has other users in it, but did not get to that stage yet

#==============================================================================
# Configuration
#==============================================================================
# LDAP
$ldap_url = "ldap://192.168.0.101:389";
$ldap_binddn = "cn=Alessandro Bazoli - Admin,ou=London,dc=peerius,dc=local";
$ldap_bindpw = "password for user above";
$ldap_base = "ou=London,dc=peerius,dc=local";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
## other options I think are not the issue here
# Active Directory mode
$ad_mode = true;
$shadow_options['update_shadowLastChange'] = false;
# Hash mechanism for password:
$hash = "clear";
# Who changes the password?
$who_change_password = "manager";
Clément OUDOT
2015-04-15 11:41:53 UTC
I feel probably I haven’t edit properly the 3 red/bold coded variables
below
Indeed, try :

$ldap_login_attribute = "sAMAccountName";


Clément.
Alessandro Bazoli
2015-04-15 12:12:35 UTC
That indeed works! Thanks

If I set

$who_change_password = "manager";

I get ..

[Wed Apr 15 12:58:20 2015] [error] [client 192.168.0.165] PHP Warning: ldap_mod_replace(): Modify: Server is unwilling to perform in /usr/share/self-service-password/lib/functions.inc.php on line 275, referer: http://ssp.peerius.local/

[Wed Apr 15 12:58:20 2015] [error] [client 192.168.0.165] LDAP - Modify password error 53 (Server is unwilling to perform), referer: http://ssp.peerius.local/

If I set

$who_change_password = "user";

I get

[Wed Apr 15 13:00:03 2015] [error] [client 192.168.0.165] Cannot modify AD password as user, referer: http://ssp.peerius.local/

And on the front end I get
Password was refused by the LDAP directory

Do you think there is a problem with values I set in

$ldap_binddn = "cn=Alessandro Bazoli - Admin,ou=London,dc=peerius,dc=local";
$ldap_bindpw = "password for user above";

?

I checked several times and those are correct, that is the admin user for AD.
Clément OUDOT
2015-04-15 13:32:25 UTC
Post by Alessandro Bazoli
That indeed works! Thanks
If I set
$who_change_password = "manager";
I get ..
ldap_mod_replace(): Modify: Server is unwilling to perform in
http://ssp.peerius.local/
[Wed Apr 15 12:58:20 2015] [error] [client 192.168.0.165] LDAP - Modify
http://ssp.peerius.local/
If I set
$who_change_password = "user";
I get
[Wed Apr 15 13:00:03 2015] [error] [client 192.168.0.165] Cannot modify AD
password as user, referer: http://ssp.peerius.local/
And on the front end I get
Password was refused by the LDAP directory
DO you think there is a problem with values I set in
$ldap_binddn = "cn=Alessandro Bazoli - Admin,ou=London,dc=peerius,dc=local";
$ldap_bindpw = "password for user above";
?
I check several times and those are correct, that is the admin user for AD.
Indeed, my fault, with PHP and AD you are forced to change the
password as manager.

The error you get with manager is because the password is not accepted
by AD. Try to set a more complex password.



Clément.
Alessandro Bazoli
2015-04-15 14:34:45 UTC
Hi, I have set :

$ad_mode = false;

And password change of user abazoli did not give me any more errors.

The problem is that, despite success windows as from attachment, the password for user abazoli has not changed in AD.

I cannot see any special error in the log apart from some minor :

[Wed Apr 15 15:24:55 2015] [error] [client 192.168.0.165] PHP Notice: Undefined index: changehelpextramessage in /usr/share/self-service-password/pages/change.php on line 184, referer: http://ssp.peerius.local/

[Wed Apr 15 15:25:11 2015] [error] [client 192.168.0.165] PHP Notice: Undefined index: passwordchangedextramessage in /usr/share/self-service-password/pages/change.php on line 248, referer: http://ssp.peerius.local/

Do you have any idea why it has not changed it?

Thanks

Alessandro
Clément OUDOT
2015-04-20 11:11:01 UTC
Post by Alessandro Bazoli
$ad_mode = false;
And password change of user abazoli did not give me any more errors.
The problem is that, despite success windows as from attachment, the
password for user abazoli has not changed in AD.
Undefined index: changehelpextramessage in
/usr/share/self-service-password/pages/change.php on line 184, referer:
http://ssp.peerius.local/
Undefined index: passwordchangedextramessage in
/usr/share/self-service-password/pages/change.php on line 248, referer:
http://ssp.peerius.local/
Post by Alessandro Bazoli
Do you have any idea why it has not change it?
If you do not set AD mode, password will be set in userPassword attribute,
which won't work in AD.

Clément.
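
Added example, not part of the original thread and not Self Service Password's own code: a Python check that reads the config.inc.php settings discussed above and reports the mismatches this thread hit against Active Directory. The function names are hypothetical, and the unicodePwd encoding and the ldap:// finding are general AD behaviour assumed here rather than points made by the participants.

```python
import re

# Matches the `$name = "value";` and `$name = true;` lines of a config.inc.php fragment.
ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*(?:"([^"]*)"|(true|false))\s*;')

def parse_config(text):
    """Return {name: str or bool} for scalar assignments; other lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = ASSIGN.match(line)
        if m:
            cfg[m.group(1)] = m.group(2) if m.group(2) is not None else (m.group(3) == "true")
    return cfg

def lint_for_ad(cfg):
    """Findings for a config pointed at Active Directory (first three come from the thread)."""
    findings = []
    if not cfg.get("ad_mode", False):
        findings.append("ad_mode is off: password is written to userPassword, which won't work in AD")
    if cfg.get("ldap_login_attribute", "").lower() == "uid":
        findings.append("ldap_login_attribute is uid: the thread's fix was sAMAccountName")
    if cfg.get("who_change_password") != "manager":
        findings.append("who_change_password is not manager: 'Cannot modify AD password as user'")
    # Added caveat, not raised in the thread: AD only accepts unicodePwd writes
    # over an encrypted connection, and a plain bind exposes the bind password.
    if cfg.get("ldap_url", "").lower().startswith("ldap://"):
        findings.append("ldap_url is plain ldap://: bind and new passwords cross the network unencrypted")
    return findings

def ad_unicode_pwd(password):
    """Value AD expects in unicodePwd: the password in double quotes, UTF-16LE encoded."""
    return ('"' + password + '"').encode("utf-16-le")

# Constructed sample, modelled on the settings posted in the thread.
SAMPLE = '''
$ldap_url = "ldap://192.168.0.101:389";
$ldap_login_attribute = "uid";
$ad_mode = true;
$who_change_password = "manager";
'''

if __name__ == "__main__":
    for finding in lint_for_ad(parse_config(SAMPLE)):
        print("WARN", finding)
    print(ad_unicode_pwd("Ab1!"))
```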
