Tomas Kuliavas wrote:
>>>>> Hi,
>>>>>
>>>>> There is a weird problem with change password and squirrelmail 1.5.1.
>>>>> All passwords are stored in LDAP and they are sha-encoded.
>>>>>
>>>>> For example: {SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=
>>>>>
>>>>> The problem is that when some of the users are trying to change their
>>>>> password, SM says: "Your old password is not correct".
>>>>>
>>>>> But, definitely the password is correct! I've tried to change it using
>>>>> Horde and there are no problems at all.
>>>>>
>>>>> Another strange thing is that SM has no problem with other users'
>>>>> passwords that are also sha-encoded.
>>>>>
>>>>> Any ideas?
>>>>>
>>>> Why are you using change_ldappass plugin, when SquirrelMail 1.5.1
>>>> provides change_password plugin?
>>>>
>>>> Are you using $ldap_bind_as_manager option in change_ldappass plugin?
>>>> Could you show sha password entry that is not validated correctly? I
>>>> also need to know password value used for verification. Plain text
>>>> value of sha encoded password.
>>>>
>>> I'm not using the $ldap_bind_as_manager option.
>>>
>>> A password value that cannot be verified is: 1234
>>> Its sha value is: {SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=
>>>
>>> Thanks
>>>
>> I suspect the problem is in functions.php. There is the following line:
>>
>> if ($lpass != $cpass) {
>>
>> For some reason this fails although the password is correct.
>
> You are not using $ldap_bind_as_manager option. Plugin does not compare
> passwords. It only locates user's dn and binds to ldap with provided
> password. Password is verified on ldap server. If ldap_bind fails,
> password is not correct.
>
> There are two places with "Your old password is not correct." message in
> change_ldappass plugin. If you are not using $ldap_bind_as_manager, you
> see message generated by ldap_bind call test in
> plugins/change_ldappass/functions.php 183 line. Enable $debug and check if
> second "BIND-DN: something" line matches user's dn. If it matches, remove
> @ symbol in line 183 and check errors generated in ldap_bind() call.
>
> 'if ($lpass != $cpass)' test should not fail. Text generated in
> "base64_encode( pack("H*",sha1('1234')));" call matches your sha password
> hash.
>
>> If you think the change_password is better then I'll try to use it.
>
> change_password plugin is bundled with SquirrelMail. It shows same
> password form to all users and it does not matter which password backend
> is used. If I could choose, I would prefer change_password over
> change_ldappass.
>

Debugging shows:

Connecting to LDAP Server
LDAP protocol version was set to 3
LDAP bind successful.
LDAP server: myserver
BIND-DN: anonymous
--------------------------------------------------------
count =>1
0 =>
count =>0
dn =>uid=myuser, ou=myou, ou=myou, dc=mydc,dc=mydc
--------------------------------------------------------
LDAP bind successful.
BIND-DN: uid=myuser, ou=myou, ou=myou, dc=mydc,dc=mydc
--------------------------------------------------------
count =>1
0 =>
userpassword =>
count =>1
0 =>{SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=
0 =>userpassword
uid =>
count =>1
0 =>myuser
1 =>uid
count =>2
dn =>uid=myuser, ou=myou, ou=myou, dc=mydc,dc=mydc
--------------------------------------------------------
Password type is {SHA}
Your old password is not correct.
Stored Password: cRDtpNCeBiql5KOQsKVyrA0sAiA=
Old Password: cRDtpNCeBiql5KOQsKVyrA0sAiA=

If I remove @ from line 183, I get the same output.

I'll try to use change_password and see what happens.

Thanks
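The {SHA} check discussed in this thread, as an added example that is not part of the original messages or of the change_ldappass plugin: it recomputes the value the same way as the quoted base64_encode(pack("H*", sha1(...))) call and compares it in constant time. The function name ldap_password_matches() is hypothetical, the {SSHA} branch goes beyond the case in the thread, and the salted sample value is constructed for the example.

```php
<?php
// Added example: verify a plaintext password against an LDAP userPassword
// value in {SHA} or {SSHA} form. ldap_password_matches() is a hypothetical
// helper name, not a function from change_ldappass or SquirrelMail.
function ldap_password_matches(string $plain, string $stored): bool
{
    // Split "{SCHEME}base64" into the scheme name and the encoded payload.
    if (!preg_match('/^\{([A-Za-z0-9]+)\}(.+)$/', $stored, $m)) {
        return false;
    }
    $raw = base64_decode($m[2], true);   // strict mode rejects stray characters
    if ($raw === false) {
        return false;
    }
    switch (strtoupper($m[1])) {
        case 'SHA':
            // Raw 20-byte digest; equals pack("H*", sha1($plain)).
            $expected = sha1($plain, true);
            break;
        case 'SSHA':
            // Payload is the 20-byte digest followed by the salt.
            if (strlen($raw) <= 20) {
                return false;
            }
            $salt = substr($raw, 20);
            $expected = sha1($plain . $salt, true) . $salt;
            break;
        default:
            return false;                // unsupported scheme
    }
    // Constant-time comparison on the raw bytes instead of != on strings.
    return hash_equals($raw, $expected);
}

// Value quoted in the thread for the password "1234".
$sha = '{SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=';
// Constructed salted sample for the same password (salt chosen for the demo).
$salt = 'demo';
$ssha = '{SSHA}' . base64_encode(sha1('1234' . $salt, true) . $salt);

var_dump(ldap_password_matches('1234', $sha));
var_dump(ldap_password_matches('12345', $sha));
var_dump(ldap_password_matches('1234', $ssha));
```

When the plugin runs without $ldap_bind_as_manager, as described above, the LDAP server performs this verification during the bind, so a local check like this one is only useful for confirming that a stored hash and a known password agree.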