Alexandros G. Fragkiadakis wrote:
> Alexandros G. Fragkiadakis wrote:
>> Tomas Kuliavas wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> There is a weird problem with change password and squirrelmail 1.5.1.
>>>>>>> All passwords are stored in LDAP and they are sha-encoded.
>>>>>>>
>>>>>>> For example:{SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=
>>>>>>>
>>>>>>> The problem is that when some of the users are trying to change their
>>>>>>> password, SM says: "Your old password is not correct".
>>>>>>>
>>>>>>> But, definately the password is correct! I've tried to change it using
>>>>>>> Horde and there are no problems at all.
>>>>>>>
>>>>>>>
>>>>>>> Another strange thing is that SM has no problem with other users'
>>>>>>> passwords that are also sha-encoded.
>>>>>>>
>>>>>>> Any ideas?
>>>>>>>
>>>>>> Why are you using change_ldappass plugin, when SquirrelMail 1.5.1
>>>>>> provides
>>>>>> change_password plugin?
>>>>>>
>>>>>> Are you using $ldap_bind_as_manager option in change_ldappass plugin?
>>>>>> Could
>>>>>> you show sha password entry that is not validated correctly? I also
>>>>>> need to
>>>>>> know password value used for verification. Plain text value of sha
>>>>>> encoded
>>>>>> password.
>>>>>>
>>>>> I'm not using the $ldap_bind_as_manager option.
>>>>>
>>>>> A password value that cannot be verified is: 1234
>>>>> Its sha value is: {SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=
>>>>>
>>>>> Thanks
>>>>>
>>>> I suspect the problem is in functions.php. There is the following line:
>>>>
>>>> if ($lpass != $cpass) {
>>>>
>>>>
>>>> For some reason this fails although the password is correct.
>>> You are not using $ldap_bind_as_manager option. Plugin does not compare
>>> passwords. It only locates user's dn and binds to ldap with provided
>>> password. Password is verified on ldap server. If ldap_bind fails,
>>> password is not correct.
>>>
>>> There are two places with "Your old password is not correct." message in
>>> change_ldappass plugin. If you are not using $ldap_bind_as_manager, you
>>> see message generated by ldap_bind call test in
>>> plugins/change_ldappass/functions.php 183 line. Enable $debug and check if
>>> second "BIND-DN: something" line matches user's dn. If it matches, remove
>>> @ symbol in line 183 and check errors generated in ldap_bind() call.
>>>
>>> 'if ($lpass != $cpass)' test should not fail. Text generated in
>>> "base64_encode( pack("H*",sha1('1234')));" call matches your sha password
>>> hash.
>>>
>>>
>>>> I you think the change_password is better then i'll try to use it.
>>> change_password plugin is bundled with SquirrelMail. It shows same
>>> password form to all users and it does not matter which password backend
>>> is used. If I could choose, I would prefer change_password over
>>> change_ldappass.
>>>
>> Debugging shows:
>>
>> Connecting to LDAP Server
>> LDAP protocol version was set to 3
>> LDAP bind successful.
>> LDAP server: myserver
>> BIND-DN: anonymous
>>
>> --------------------------------------------------------
>>
>> count =>1
>> 0 =>
>> count =>0
>> dn =>uid=myuser, ou=myou, ou=myou, dc=mydc,dc=mydc
>>
>> --------------------------------------------------------
>>
>> LDAP bind successful.
>> BIND-DN: uid=myuser, ou=myou, ou=myou, dc=mydc,dc=mydc
>>
>> --------------------------------------------------------
>>
>> count =>1
>> 0 =>
>> userpassword =>
>> count =>1
>> 0 =>{SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=
>> 0 =>userpassword
>> uid =>
>> count =>1
>> 0 =>myuser
>> 1 =>uid
>> count =>2
>> dn =>uid=myuser, ou=myou, ou=myou, dc=mydc,dc=mydc
>>
>> --------------------------------------------------------
>>
>> Password type is {SHA}
>> Your old password is not correct.
>> Stored Password: cRDtpNCeBiql5KOQsKVyrA0sAiA=
>> Old Password: cRDtpNCeBiql5KOQsKVyrA0sAiA=
>>
>>
>> If i remove @ from line 183, i get the same output.
>> I'll try to use change_password and see what happens.
>>
>> Thanks
>>
>>
> The change_password plugin works fine, but does it sync the samba
> passwords too?
>
This issue is solved now. The problem was that some of the accounts had
an extra 'space' character at the end of the encoded password. This was
not visible by humans but trigerred errors in SM.
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems? Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now >> http://get.splunk.com/
--
squirrelmail-users mailing list
Posting Guidelines: http://www.squirrelmail.org/wiki/MailingListPostingGuidelines
List Address: squirrelmail-users@xxxxxxxxxxxxxxxxxxxxx
List Archives: http://news.gmane.org/thread.php?group=gmane.mail.squirrelmail.user
List Archives: http://sourceforge.net/mailarchive/forum.php?forum_id=2995
List Info: https://lists.sourceforge.net/lists/listinfo/squirrelmail-users
