Re: [Phpgroupware-developers] phpgw password creation for ldap buggy?
From: Izzy Blacklock
Subject: Re: [Phpgroupware-developers] phpgw password creation for ldap buggy?
Date: Mon, 14 Apr 2003 00:41:55 -0600
User-agent: KMail/1.4.3
On Sunday 13 Apr 2003 3:53 am, Lars Kneschke(priv.) wrote:
> I'm not sure what you are doing, but ...
>
> - I use LDAP for changing passwords. It works very well.
>
> - In normal cases it is unimportant how the password is stored in the ldap
> tree. PAM and phpGroupware are doing the following:
> The user enters a username and a password. PAM/phpgw search the
> ldap tree for uid=username. This search is done as admin or as anonymous
> user. After the dn is found, PAM/phpgw try to bind to the LDAP server
> using the just found dn (uid=test,dc=test,dc=org) and the user supplied
> password. If this succeeds, the user supplied password is correct; if not,
> the password is not correct (or no dn was found). So PAM/phpgw never read
> the password from the ldap server, they just try to authenticate.
>
> Hope this helps a little bit.
Are you sure about the way PAM is authenticating? My experience seems to
contradict this. What I've found is that if the password was created via
phpgw, I can't log in to phpgw, and manually trying to search ldap with the
user's credentials also fails. Here's my command and the output:
address@hidden (~)$ ldapsearch -D uid=izzyb,ou=Users,dc=edm,dc=ccs -W uid=izzyb
Enter LDAP Password:
ldap_bind: Invalid credentials
Yet I have no problem authenticating via ssh, login, imap, or anything else
using pam for authentication. The only thing I can think of that explains
this is that pam_ldap isn't relying on being able to bind to ldap using the
user's credentials as a means to authenticate. When you think about it, this
is actually slower than just taking the password from the request done as the
root dn. Of course, this requires that you either have the root dn or
credentials that will give you access to all the passwords. Using ldap to
authenticate has better potential for limiting security risks. But I
digress...
I still think my problem is somewhere in my ldap configuration. I'll have to
come back to it another time. I have other issues on my plate to worry
about. :( Thanks anyway for your help.
...izzy
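As an added illustration (not code from this thread, from phpGroupWare or from pam_ldap), here are the two authentication paths the messages above describe, simulated in Python against a constructed in-memory directory: the search-then-bind flow Lars describes, where the client never sees userPassword and only learns whether the bind succeeded, and the read-the-hash alternative Izzy speculates about, which only works for a connection allowed to read userPassword and obliges the client to understand every storage scheme itself. Every DN, uid, password and the admin rootdn below, the access rule on userPassword, and the use of the {SSHA} scheme are assumptions made for the simulation.

```python
"""Search-then-bind vs. read-the-hash LDAP authentication, simulated offline.

Added example: the directory, its access rule and every DN, uid and password
below are constructed for this illustration and stand in for an LDAP server.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

ADMIN_DN = "cn=admin,dc=example,dc=org"     # assumed rootdn
ADMIN_PASSWORD = "admin-secret"             # constructed credential


def ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Hash in the {SSHA} form commonly stored in userPassword:
    base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def password_matches(stored: str, candidate: str) -> bool:
    """What the server does on a simple bind: compare the candidate with the
    stored userPassword. This simulation handles {SSHA}, {SHA} and plaintext;
    any other scheme prefix is treated as unverifiable, so the bind fails."""
    cand = candidate.encode()
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[5:])
        return hmac.compare_digest(hashlib.sha1(cand).digest(), raw)
    if stored.startswith("{"):
        return False
    return hmac.compare_digest(stored.encode(), cand)


# Constructed directory: DN -> attributes.
DIRECTORY: Dict[str, Dict[str, str]] = {
    ADMIN_DN: {"userPassword": ssha(ADMIN_PASSWORD)},
    "uid=test,ou=Users,dc=example,dc=org": {
        "uid": "test",
        "userPassword": ssha("correct horse"),
    },
    "uid=plain,ou=Users,dc=example,dc=org": {
        "uid": "plain",
        "userPassword": "cleartext-password",   # stored unhashed
    },
}


def search_dn(uid: str) -> Optional[str]:
    """Step 1: search the tree for uid=<username>. In the thread this is done
    anonymously or as admin; here the uid attribute is readable by anyone."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("uid") == uid:
            return dn
    return None


def simple_bind(dn: str, password: str) -> bool:
    """Step 2: bind as the DN. The server checks the password; the client is
    only told success or failure."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password_matches(entry["userPassword"], password)


def authenticate(username: str, password: str) -> bool:
    """Search-then-bind as described in the quoted reply: userPassword is
    never read by the client."""
    dn = search_dn(username)
    if dn is None:
        return False            # no dn found -> treated as bad credentials
    return simple_bind(dn, password)


def read_attribute(bound_as: Optional[str], dn: str, attr: str) -> str:
    """Simulated access rule: userPassword is readable only by the admin DN;
    other attributes are readable by anyone, including anonymous (None)."""
    if attr == "userPassword" and bound_as != ADMIN_DN:
        raise PermissionError("insufficient access to userPassword")
    return DIRECTORY[dn][attr]


def authenticate_by_reading_hash(username: str, password: str,
                                 bound_as: Optional[str]) -> bool:
    """The alternative raised in the message: fetch the stored hash over a
    privileged connection and verify it client-side. It only works when
    bound_as may read userPassword, and the client must then implement
    every storage scheme the directory uses."""
    dn = search_dn(username)
    if dn is None:
        return False
    return password_matches(read_attribute(bound_as, dn, "userPassword"), password)


if __name__ == "__main__":
    print("test / correct horse :", authenticate("test", "correct horse"))
    print("test / wrong         :", authenticate("test", "wrong"))
    print("nobody / x           :", authenticate("nobody", "x"))
    admin_ok = simple_bind(ADMIN_DN, ADMIN_PASSWORD)
    print("hash read as admin   :",
          authenticate_by_reading_hash("test", "correct horse",
                                       ADMIN_DN if admin_ok else None))
```

The point the simulation makes concrete is the one Izzy raises in passing: with search-then-bind, the verifying party holds no credential that can read anyone's userPassword, and a storage scheme the client does not understand is the server's problem, not the client's. The read-the-hash path needs a connection bound as a DN the access rule trusts with userPassword, which is exactly the "root dn or credentials that will give you access to all the passwords" the message describes.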