[389-users] Re: ldapsearch doesn't return the userpassword field

2016-02-23 Thread Vincent Gerris 
Hi Janet,

You're welcome.
When it comes to these things that many people use, an online search will
help to find you what you need often.

Let us know how it works out.

Greetings,
Vincent
On 23 Feb 2016 14:54, "Janet Houser"  wrote:

> Hi Vincent,
>
> Thanks for the link!   It's much appreciated.   I'm afraid my PHP skills
> leave a lot to be desired  did I mention I
> hate PHP?  ;-)
>
>
>
> On 2/23/16 1:14 AM, Vincent Gerris wrote:
>
> Hi,
>
> Here is a script I used with 389 that worked fine for me a while back:
> http://ltb-project.org/wiki/documentation/self-service-password
>
> Greetings,
> Vincent
>
> On Tue, Feb 23, 2016 at 2:25 AM, William Brown  wrote:
>
>> Ignore the blank message. Email fail.
>>
>> On Mon, 2016-02-22 at 16:25 -0700, Janet Houser wrote:
>> > Thanks William,
>> >
>> > Hmmm then I'm puzzled why things are failing.
>> >
>> > For a little more detail as to what's going on
>> >
>> > I was asked to install squirrelmail on a system so user's could read
>> > their mail.   I installed
>> > the change_ldappasswd and everything appears working except for
>> actually
>> > changing the
>> > password.
>> >
>> > The system connects to my 389-ds server and a successful anonymous bind
>> > occurs.   It
>> > reads my password properly because if I enter it wrong, it will tell me
>> > so.   But when I try to
>> > change the password, I get an error saying it couldn't retrieve my old
>> > password from the LDAP
>> > server.
>> >
>> >  From an old post
>> > (http://comments.gmane.org/gmane.mail.squirrelmail.user/28454)  it
>> claims
>> > that this error means that the php script couldn't find the password
>> > field in the search results.
>> >
>> > I'm going off the assumption that because I don't see the userpassword
>> > SSHA field when I do
>> > a ldapsearch, this means it can't either, so it fails.
>>
>> Okay, I'm thinking this is a pretty old script. See, what's trying to do
>> is
>> likely to read the userPassword field into the PHP, then it will hash and
>> strcmp
>> on the php side, if it's the same, it says "yeah, you are who you claim
>> to be"
>> then it writes direct to the userPassword field (which we block in 389
>> anyway)
>>
>
> That's my take on it too.  It does the initial bind anonymously, but from
> the write statements
> it looks like it's finding the user properly, and the password.   It looks
> to go through a second
> bind to change the password and it's looking for the hashed password.
> Since this isn't a field
> that's shown with an ldap search, it's failing.
>
> I had tried to modify the script to not require the hashed password field,
> but my php skills are
> lacking.Did I mention I hate PHP?
>
>
>> >
>> > I'm hacking at the php script to put in print/echo statements to try to
>> > pinpoint the problem, but
>> > I'm thinking that it's doing a second bind to the LDAP server looking
>> > for this field.
>>
>> > I was hoping to try to see if this was the case by making the field
>> > available in a ldapsearch.
>> >
>> >
>> > I'll turn my attention back to the php script since I'd rather not
>> > compromise security on the
>> > LDAP server.
>>
>> Yeah, that's the risk here.
>>
>> I think the best bet might be to re-write the script or look for an
>> alternative.
>> You should probably be following this pattern:
>>
>> ask the user for the password and username
>> anonymously search for the user via the username and get the dn.
>> Once you have the dn, do an ldap bind for dn with password.
>>
>> If that FAILS returns errors about wrong passwords.
>> If that succeeds, you now have a connection bound as the user.
>> You can issue an ldap password change extended operation. There will be a
>> php
>> library that does this already for you.
>> Once that succeeds, the new password is in place.
>>
>>
>> The reason for this:
>>
>> First, you don't compromise the security of the userPassword attribute.
>>
>> 389 retains control of the hashing algo of the user, and it can apply
>> password
>> policies to the account.
>>
>>
>> You can simulate this on a command line, with the tool:
>>
>> ldappasswd
>>
>> This conducts the steps above.
>>
>> I hope that this helps you.
>>
>>
> Thanks for the steps and pointers, it helps.I'll see if I can update
> the script.   The link you sent should help me
> code the appropriate commands.Yeah...  did i mention I hate PHP?
> :-)
>
> Cheers,
>
>
>
>
>> --
>> Sincerely,
>>
>> William Brown
>> Software Engineer
>> Red Hat, Brisbane
>>
>>
>> --
>> 389 users mailing list
>> 389-users@%(host_name)s
>>
>> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>>
>
>
>
> --
> 389 users mailing list
> 389-users@%(host_name)shttp://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>
>
>
> --
> 389 users mailing list
> 389-users@%(host_name)s
>
> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>
--
389 users mailing list

[389-users] Re: 389 server stops after Ansible "hangs up"

2016-02-23 Thread Joshua J. Kugler 
On Wednesday, February 24, 2016 14:57:20 William Brown wrote:
> Please do *not* use /etc/init.d scripts. You *must* use "service 
> "
> > Invoking this (via an ansible shell command) fails to work correctly as
> > well:
> > 
> > - name: Start Dirsrv
> >   shell: nohup screen -d -m /usr/sbin/start-dirsrv
> > 
> > So even trying to nohup + using screen to "background" it, it still shuts
> > down  immediately after that 'shell' stanza is done.
> > 
> > Even this fails: nohup screen -d -m /usr/sbin/start-dirsrv & disown
> 
> Yes, because this process forks into the background. You would expect it to
> go away.

Yes, I expect it to fork to the background, but thought that maybe it was 
still connected to the forground...somehow.



> That log shows a clean slapd shutdown, not a termination or crash.

Right.

> What happens if you use the ansible service module with - IE:
> 
> - name: Start dirsrv
>   sudo: yes 
>   action: service enabled=yes state=restarted 

I will set it up and run it again, but the same thing happened. That's how I 
originally found it. Actually, I did it with 'ipa' as the service, and the 
dirsrv part was stopping right away. The direct invocation of the startup 
scripts were subsequent trouble shooting.

> Have you got any esoteric arguments in say /etc/sysconfig/dirsrv? Are you
> adding extra cli args like -d 0 to ns-slapd? (That would certainly break it
> ... ).

No. Just the defaults + whatever IPA installer adds.

> Are you running your ansible playbooks at sudo? Trying to start ns-slapd
> without privileges would cause issues.

Yes, it's all as sudo (installation of packages and all other root-requiring 
sutff works).

> Can you see anything in /var/log/messages? 

I'll check, but if I remember correctly, no.

> When you use ansible to control ipa rather than dirsrv directly, does that
> have the same issue?

Yes, that's how I originally found the issue.

> I think the issue is not with dirsrv at all, but with your ansible
> environment and how you are trying to start / stop the services

This is a bog-standard ansible environment. Not sure what I would be doing 
wrong. All other services started by Ansible remain running after it 
disconnects.

j

-- 
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
jos...@azariah.com - Jabber: pedah...@gmail.com
PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

[389-users] Re: 389 server stops after Ansible "hangs up"

2016-02-23 Thread William Brown 

> > 
> > Can you please post the output of sudo ipactl restart. I am suspicious
> > it's not a DS issue, but another component of IPA is failing that
> > causes the dirsrv to stop. 
> > 
> > Can you post the yml of the service command you were using?
> > 
> > What version of EL are you running? 
> 
> This is CentOS 6.7.  I could post the output of 'sudo ipactl restart' but 
> that 
> wouldn't show the problem.
> 
> 1) If I'm logged in to a shell (SSH) it works
> 2) If I do it via "ssh host 'command'" it works
> 
> It is only when I invoke it via Ansible that it shows this behavior. Also 
> noted: it behaves this way just stand alone (see above). Using just 
> /etc/init.d/dirsrv start, it will shut down as soon as the connection goes 
> away.  The attached log show the entire process from startup to shutdown.

Please do *not* use /etc/init.d scripts. You *must* use "service  
"

> 
> Invoking this (via an ansible shell command) fails to work correctly as well:
> 
> - name: Start Dirsrv
>   shell: nohup screen -d -m /usr/sbin/start-dirsrv
> 
> So even trying to nohup + using screen to "background" it, it still shuts 
> down 
> immediately after that 'shell' stanza is done.
> 
> Even this fails: nohup screen -d -m /usr/sbin/start-dirsrv & disown

Yes, because this process forks into the background. You would expect it to go
away.

> 
> The ansible output from just invoking /usr/sbin/start-dirsrv is:
> 
> changed: [192.168.122.12] => {"changed": true, "cmd": "/usr/sbin/start-
> dirsrv", "delta": "0:00:02.760271", "end": "2016-02-11 12:40:15.909214", 
> "rc": 
> 0, "start": "2016-02-11 12:40:13.148943", "stderr": "", "stdout": "Starting 
> instance \"KUGLER-LOCALDOMAIN\"\nStarting instance \"PKI-IPA\"", 
> "stdout_lines": ["Starting instance \"KUGLER-LOCALDOMAIN\"", "Starting 
> instance \"PKI-IPA\""], "warnings": []}
> 
> So it successfully starts. No errors. But then shuts down right away.


That log shows a clean slapd shutdown, not a termination or crash.

What happens if you use the ansible service module with - IE:

- name: Start dirsrv
  sudo: yes 
  action: service enabled=yes state=restarted 

Have you got any esoteric arguments in say /etc/sysconfig/dirsrv? Are you adding
extra cli args like -d 0 to ns-slapd? (That would certainly break it ... ).

Are you running your ansible playbooks at sudo? Trying to start ns-slapd without
privileges would cause issues.

Can you see anything in /var/log/messages? 

When you use ansible to control ipa rather than dirsrv directly, does that have
the same issue?

I think the issue is not with dirsrv at all, but with your ansible environment
and how you are trying to start / stop the services 

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane



signature.asc
Description: This is a digitally signed message part
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

Re: cvs not keeping log messages

2016-02-23 Thread Rick Stevens 

On 02/23/2016 04:48 PM, awbestesq wrote:

hello,

this is likely not the correct forum to ask the question as to why cvs is not 
keeping log messages upon commit. can someone point me in the correct direction?


Possibly not, however are you committing using "-m" or are you invoking
the editor? If the latter, are you sure you're saving the edited
content?

--
- Rick Stevens, Systems Engineer, AllDigitalri...@alldigital.com -
- AIM/Skype: therps2ICQ: 226437340   Yahoo: origrps2 -
--
-   The Theory of Rapitivity: E=MC Hammer-
-  -- Glenn Marcus (via TopFive.com) -
--
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

cvs not keeping log messages

2016-02-23 Thread awbestesq 
hello,

this is likely not the correct forum to ask the question as to why cvs is not 
keeping log messages upon commit. can someone point me in the correct direction?

thanks,
awb

reticulate - being or involving evolutionary change dependent on genetic 
recombination involving diverse interbreeding populations 
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

[389-users] Re: ldapsearch doesn't return the userpassword field

2016-02-23 Thread William Brown 
On Tue, 2016-02-23 at 06:59 -0700, Janet Houser wrote:
> Hi William,
> 
> Thank you for looking into the issue.   I appreciate the input. Vincent 
> sent along a script that should
> help with modifying the current php files.
> 
> I appreciate your time and pointers on how to get things working. (Did I 
> mention I hate PHP?   ;-)   )
> 
> If I manage to get the script updated and working, would you like me to 
> send it along?

Sure, it would be good to have for any one in the future with a similar problem.

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane



signature.asc
Description: This is a digitally signed message part
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

[389-users] "manage certificates" broken in admin console after running setup-ds-admin.pl -u

2016-02-23 Thread Torgersen, Eric A 
I am testing upgrading from 1.3.4.0-21.el7_2 to 1.3.4.0-26.el7_2.  After the 
upgrade, I have noticed that "Manage Certificates" no longer works in the admin 
console.  I receive the following error: "NSS shutdown failed: error 
-8038:unknown."

After doing some additional testing, it appears that just running 
"setup-ds-admin.pl -u" is sufficient to cause this problem, even without 
upgrading the 389 packages using yum update.  Has anyone else run into this 
problem?

Thanks,
Eric 

Eric Torgersen
Senior Systems Analyst
Information Technology Services
518-250-9725

--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

Re: VLC VideoLAN

2016-02-23 Thread g 


On 02/23/16 05:22, Klaus-Peter Schrage wrote:
> Am 22.02.2016 um 19:10 schrieb Rick Stevens:
>>
>> Angelo, I can see two possible reasons VLC may not see the insertion of
>> a CD or DVD once it's running:
>>
> As far as I remember (I really don't want to rescan this thread) Angelo 
> has a much more fundamental problem with VLC: no graphical interface 
> comes up. Solutions to this have been offered, but he didn't react.
>
--
wherein a fault may be with my reply asking Angelo not to top post and
the response that followed.

therefore, this reply...

Angelo, i hope you are still following your thread.

if i in anyway caused you any grief or lack of desire to follow up,
please accept my apologies and my personal request that respond.

there is a possibility that there may be a bug and only with your
response can such be cleared up.

anytime any package does not operate properly, cause of failure needs
to be determined so that problem can be corrected.

only with your response and help can this be done.

so, i asked that you please respond.

while waiting for your response, i may have found a problem related
with movie dvd's.

thank you.


-- 
peace out.

If Bill Gates got a dime for every time Windows crashes...
 ...oh, wait. He does. THAT explains it!
-+-
in a world with out fences, who needs gates.

CentOS GNU/Linux 6.7

tc,hago.

g
.

-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Trying to open ports in firewalld

2016-02-23 Thread Tom Rivers 

On 2/23/2016 9:00 AM, Richard Shaw wrote:
Let's try the simple stuff first... Is your default zone for your 
network connection also "internal"?


That's the first thing I thought of as well.  In case you aren't sure 
which zone is your active zone, Tim, just look at the bottom right of 
the "Firewall Configuration" window.  Mine says, "Default Zone: external 
Lockdown: disabled Panic Mode: disabled."  That means if I want to 
adjust the current settings, I need to edit the "external" zone.


If you put your firewall exceptions in a zone other than the active one, 
then that might be your problem.



Tom


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Trying to open ports in firewalld

2016-02-23 Thread James Hogarth 
On 23 February 2016 at 14:06, fedora  wrote:

> try to use the public zone, which is the zone normally activ...
>
>

Not on Fedora which uses FedoraWorkstation as the default zone.

OP you may want to include in your response for troubleshooting the output
of firewall-cmd --list-all-zones

Nothing is actually forbidden against localhost so if it is a connection on
localhost it should work ...
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Trying to open ports in firewalld

2016-02-23 Thread fedora 

try to use the public zone, which is the zone normally activ...

suomi

On 02/23/2016 02:31 PM, Timothy Murphy wrote:

I'm trying to setup kdeconnect between my Android phone
and my Fedora-23/KDE laptop.

I see that I have to open ports 1714-1764, TCP and UDP.
I'm running firewalld on the laptop.
I give the command "firewall-config" and authenticate.
Clicking on zone "internal" I see that kde-connect is ticked.
And when I go to Ports I see that ports 1714-1764 are listed, TCP and UDP.
And all this remains set if I reboot.

But I am not able to establish a connection under kdeconnect.
Neither device sees the other.
Also "sudo nmap -sT -O localhost" on the laptop does not show
these ports to be open.

If I run "sudo systemctl stop firewalld"
then I am able to establish the connection.

It seems that these firewalld commands
to not open the specified ports, as I would expect.

Could some firewalld expert please elucidate.

Incidentall, I tried the alternative firewall service some time ago,
and that seemed to open the ports OK.


--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: Trying to open ports in firewalld

2016-02-23 Thread Richard Shaw 
On Tue, Feb 23, 2016 at 7:31 AM, Timothy Murphy  wrote:

> I see that I have to open ports 1714-1764, TCP and UDP.
> I'm running firewalld on the laptop.
> I give the command "firewall-config" and authenticate.
> Clicking on zone "internal" I see that kde-connect is ticked.
> And when I go to Ports I see that ports 1714-1764 are listed, TCP and UDP.
> And all this remains set if I reboot.


Let's try the simple stuff first... Is your default zone for your network
connection also "internal"?

Thanks,
Richard
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

[389-users] Re: ldapsearch doesn't return the userpassword field

2016-02-23 Thread Janet Houser 

Hi William,

Thank you for looking into the issue.   I appreciate the input. Vincent 
sent along a script that should

help with modifying the current php files.

I appreciate your time and pointers on how to get things working. (Did I 
mention I hate PHP?   ;-)   )


If I manage to get the script updated and working, would you like me to 
send it along?



Cheers,

On 2/22/16 6:25 PM, William Brown wrote:

Ignore the blank message. Email fail.

On Mon, 2016-02-22 at 16:25 -0700, Janet Houser wrote:

Thanks William,

Hmmm then I'm puzzled why things are failing.

For a little more detail as to what's going on

I was asked to install squirrelmail on a system so user's could read
their mail.   I installed
the change_ldappasswd and everything appears working except for actually
changing the
password.

The system connects to my 389-ds server and a successful anonymous bind
occurs.   It
reads my password properly because if I enter it wrong, it will tell me
so.   But when I try to
change the password, I get an error saying it couldn't retrieve my old
password from the LDAP
server.

  From an old post
(http://comments.gmane.org/gmane.mail.squirrelmail.user/28454)  it claims
that this error means that the php script couldn't find the password
field in the search results.

I'm going off the assumption that because I don't see the userpassword
SSHA field when I do
a ldapsearch, this means it can't either, so it fails.

Okay, I'm thinking this is a pretty old script. See, what's trying to do is
likely to read the userPassword field into the PHP, then it will hash and strcmp
on the php side, if it's the same, it says "yeah, you are who you claim to be"
then it writes direct to the userPassword field (which we block in 389 anyway)


I'm hacking at the php script to put in print/echo statements to try to
pinpoint the problem, but
I'm thinking that it's doing a second bind to the LDAP server looking
for this field.
I was hoping to try to see if this was the case by making the field
available in a ldapsearch.


I'll turn my attention back to the php script since I'd rather not
compromise security on the
LDAP server.

Yeah, that's the risk here.

I think the best bet might be to re-write the script or look for an alternative.
You should probably be following this pattern:

ask the user for the password and username
anonymously search for the user via the username and get the dn.
Once you have the dn, do an ldap bind for dn with password.

If that FAILS returns errors about wrong passwords.
If that succeeds, you now have a connection bound as the user.
You can issue an ldap password change extended operation. There will be a php
library that does this already for you.
Once that succeeds, the new password is in place.


The reason for this:

First, you don't compromise the security of the userPassword attribute.

389 retains control of the hashing algo of the user, and it can apply password
policies to the account.


You can simulate this on a command line, with the tool:

ldappasswd

This conducts the steps above.

I hope that this helps you.



--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org

Trying to open ports in firewalld

2016-02-23 Thread Timothy Murphy 
I'm trying to setup kdeconnect between my Android phone
and my Fedora-23/KDE laptop.

I see that I have to open ports 1714-1764, TCP and UDP.
I'm running firewalld on the laptop.
I give the command "firewall-config" and authenticate.
Clicking on zone "internal" I see that kde-connect is ticked.
And when I go to Ports I see that ports 1714-1764 are listed, TCP and UDP.
And all this remains set if I reboot.

But I am not able to establish a connection under kdeconnect.
Neither device sees the other.
Also "sudo nmap -sT -O localhost" on the laptop does not show
these ports to be open.

If I run "sudo systemctl stop firewalld"
then I am able to establish the connection.

It seems that these firewalld commands
to not open the specified ports, as I would expect.

Could some firewalld expert please elucidate.

Incidentall, I tried the alternative firewall service some time ago,
and that seemed to open the ports OK.

-- 
Timothy Murphy  
gayleard /at/ eircom.net
School of Mathematics, Trinity College, Dublin


-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Re: VLC VideoLAN

2016-02-23 Thread Klaus-Peter Schrage 

Am 22.02.2016 um 19:10 schrieb Rick Stevens:


Angelo, I can see two possible reasons VLC may not see the insertion of
a CD or DVD once it's running:

As far as I remember (I really don't want to rescan this thread) Angelo 
has a much more fundamental problem with VLC: no graphical interface 
comes up. Solutions to this have been offered, but he didn't react.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

[389-users] Re: ldapsearch doesn't return the userpassword field

2016-02-23 Thread Vincent Gerris 
Hi,

Here is a script I used with 389 that worked fine for me a while back:
http://ltb-project.org/wiki/documentation/self-service-password

Greetings,
Vincent

On Tue, Feb 23, 2016 at 2:25 AM, William Brown  wrote:

> Ignore the blank message. Email fail.
>
> On Mon, 2016-02-22 at 16:25 -0700, Janet Houser wrote:
> > Thanks William,
> >
> > Hmmm then I'm puzzled why things are failing.
> >
> > For a little more detail as to what's going on
> >
> > I was asked to install squirrelmail on a system so user's could read
> > their mail.   I installed
> > the change_ldappasswd and everything appears working except for actually
> > changing the
> > password.
> >
> > The system connects to my 389-ds server and a successful anonymous bind
> > occurs.   It
> > reads my password properly because if I enter it wrong, it will tell me
> > so.   But when I try to
> > change the password, I get an error saying it couldn't retrieve my old
> > password from the LDAP
> > server.
> >
> >  From an old post
> > (http://comments.gmane.org/gmane.mail.squirrelmail.user/28454)  it
> claims
> > that this error means that the php script couldn't find the password
> > field in the search results.
> >
> > I'm going off the assumption that because I don't see the userpassword
> > SSHA field when I do
> > a ldapsearch, this means it can't either, so it fails.
>
> Okay, I'm thinking this is a pretty old script. See, what's trying to do is
> likely to read the userPassword field into the PHP, then it will hash and
> strcmp
> on the php side, if it's the same, it says "yeah, you are who you claim to
> be"
> then it writes direct to the userPassword field (which we block in 389
> anyway)
>
> >
> > I'm hacking at the php script to put in print/echo statements to try to
> > pinpoint the problem, but
> > I'm thinking that it's doing a second bind to the LDAP server looking
> > for this field.
>
> > I was hoping to try to see if this was the case by making the field
> > available in a ldapsearch.
> >
> >
> > I'll turn my attention back to the php script since I'd rather not
> > compromise security on the
> > LDAP server.
>
> Yeah, that's the risk here.
>
> I think the best bet might be to re-write the script or look for an
> alternative.
> You should probably be following this pattern:
>
> ask the user for the password and username
> anonymously search for the user via the username and get the dn.
> Once you have the dn, do an ldap bind for dn with password.
>
> If that FAILS returns errors about wrong passwords.
> If that succeeds, you now have a connection bound as the user.
> You can issue an ldap password change extended operation. There will be a
> php
> library that does this already for you.
> Once that succeeds, the new password is in place.
>
>
> The reason for this:
>
> First, you don't compromise the security of the userPassword attribute.
>
> 389 retains control of the hashing algo of the user, and it can apply
> password
> policies to the account.
>
>
> You can simulate this on a command line, with the tool:
>
> ldappasswd
>
> This conducts the steps above.
>
> I hope that this helps you.
>
>
> --
> Sincerely,
>
> William Brown
> Software Engineer
> Red Hat, Brisbane
>
>
> --
> 389 users mailing list
> 389-users@%(host_name)s
>
> http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org
>
--
389 users mailing list
389-users@%(host_name)s
http://lists.fedoraproject.org/admin/lists/389-users@lists.fedoraproject.org