2016-11-22 11:32 GMT+01:00 kc atgb <kisscoolandthegangb...@hotmail.fr>:
> Le 2016-11-22 10:45, Clément OUDOT a écrit :
>> 2016-11-21 18:24 GMT+01:00 k c <kisscoolandthegangb...@hotmail.fr>:
>>
>>> Looking at your logs, an idea came to my mind. I have a posthook script
>>> that manages the password history and prevents users from setting an
>>> older password for their account.
>>>
>>> I disabled posthook but the problem is still here.
>>
>>
>> Indeed, I see no link between the posthook script and the issue you
>> have.
>>
>
> It is dependent on how ssp works, so it does its job (rollback password
> if needed) after ssp has done the changes. But that's another story.
>
>>
>>> [Mon Nov 21 16:52:42.432046 2016] [:error] [pid 11565] [client
>>> 10.75.1.57:43106] PHP Warning:  ldap_get_values(): Cannot get the
>>> value(s) of attribute Decoding error in
>>> /usr/share/self-service-password/lib/functions.inc.php on line 259,
>>> referer:
>>> https://ssp.company.com/motdepasse/index.php?action=resetbytoken&token=44:qO4BudofumwxPJs1Nwe7VcsMYOf5uHMi79Qfge/nCWw=l1Qra33VKgZt9xsYiMpq6AUD5h98KSJoZi8=
>>
>> The error is here. I don't see why you get it only with resetbytoken
>> and not in change mode.
>>
> I had a doubt about versions, so I have tested it again with 1.0.2 in
> change mode and I can confirm it works well.
>
>> The issue may be linked to your LDAP Directory, which one are you
>> using?
>>
>
> openldap 2.4.40 2.4.40+dfsg-1+deb8u1 and I realize I have not specified
> ssp version, I'm using 1.0.2.
>
>>
>> What you can try is to get binary value for userPassword by changing
>> this line in lib/functions.inc.php
>>
>> $userpassword = ldap_get_values($ldap,
>> ldap_first_entry($ldap,$search_userpassword), "userPassword");
>>
>> Into :
>>
>> $userpassword = ldap_get_values_len($ldap,
>> ldap_first_entry($ldap,$search_userpassword), "userPassword;binary");
>>
>
> still the same :/
>
> I don't know if that can help, but when I issue a ldapsearch operation, the 
> userPassword is base64 encoded.

I'm also using OpenLDAP, but the LTB package; anyway, it should not be the
problem. It is logical that the userPassword value is base64 encoded, as
ldapsearch uses LDIF to display results.

I don't know why you get this error in resetbytoken, as the code is the
same as the one called in change mode. You may need to run a tcpdump
to compare the LDAP response in change mode and in resetbytoken.



Clément.
_______________________________________________
ltb-users mailing list
ltb-users@lists.ltb-project.org
http://lists.ltb-project.org/listinfo/ltb-users
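
The LDIF point made in the reply above, as an added example that is not part of the original message or of Self Service Password's code: an `attr:: value` line in ldapsearch output is only LDIF's base64 transport encoding, and decoding it gives back the stored string with its scheme prefix. The entry, DN, digest and salt are constructed sample data, and the function names are hypothetical.

```python
import base64
import re

def unfold(ldif: str) -> str:
    """Join folded lines: in LDIF a line starting with one space continues the previous one."""
    return re.sub(r"\r?\n ", "", ldif)

def parse_entry(ldif: str) -> dict:
    """Return {attribute: [raw bytes, ...]} for a single LDIF entry."""
    entry = {}
    for line in unfold(ldif).splitlines():
        if not line or line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):        # "attr:: <base64>" is transport encoding only
            value = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):      # "attr:< <url>" external reference, not handled here
            continue
        else:                           # "attr: <safe string>"
            value = rest.strip().encode("utf-8")
        entry.setdefault(attr.lower(), []).append(value)
    return entry

def password_scheme(value: bytes):
    """Return the storage scheme prefix of a userPassword value, e.g. 'SSHA', or None."""
    m = re.match(rb"\{([A-Za-z0-9_-]+)\}", value)
    return m.group(1).decode().upper() if m else None

def build_sample() -> str:
    """Constructed entry in the shape ldapsearch prints; digest and salt are dummy bytes."""
    stored = b"{SSHA}" + base64.b64encode(bytes(20) + b"salt")  # scheme + base64(digest + salt)
    b64 = base64.b64encode(stored).decode()
    folded = b64[:40] + "\n " + b64[40:]                         # simulate LDIF line folding
    return ("dn: uid=jdoe,ou=people,dc=example,dc=com\n"
            "uid: jdoe\n"
            f"userPassword:: {folded}\n")

if __name__ == "__main__":
    entry = parse_entry(build_sample())
    for raw in entry["userpassword"]:
        # Report only the scheme and length; never log the hash itself.
        print("scheme:", password_scheme(raw), "length:", len(raw))
```
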
