phpgroupware-developers

Re: [Phpgroupware-developers] phpgw password creation for ldap buggy?


From: Izzy Blacklock
Subject: Re: [Phpgroupware-developers] phpgw password creation for ldap buggy?
Date: Mon, 14 Apr 2003 00:41:55 -0600
User-agent: KMail/1.4.3

On Sunday 13 Apr 2003 3:53 am, Lars Kneschke(priv.) wrote:

> I'm not sure what you are doing, but ...
>
> - I use LDAP for changing passwords. It works very well.
>
> - In normal cases it is unimportant how the password is stored in the ldap
> tree. PAM and phpGroupware are doing the following:
> The user enters a username and a password. PAM/phpgw search the
> ldap tree for uid=username. This search is done as admin or as anonymous
> user. After the dn is found, PAM/phpgw try to bind to the LDAP-Server
> using the just found dn (uid=test,dc=test,dc=org) and the user supplied
> password. If this succeeds, the user supplied password is correct; if not,
> the password is not correct (or no dn was found). So PAM/phpgw never read
> the password from the ldap server, they just try to authenticate.
>
> Hope this help a little bit.

Are you sure about the way PAM is authenticating?  My experience seems to 
contradict this.  What I've found is that if the password was created via 
phpgw, I can't login to phpgw, and manually trying to search ldap with the 
user's credentials also fails.  Here's my command and the output:

address@hidden (~)$ ldapsearch -D uid=izzyb,ou=Users,dc=edm,dc=ccs -W uid=izzyb
Enter LDAP Password:
ldap_bind: Invalid credentials

Yet I have no problem authenticating via ssh, login, imap, or anything else 
using pam for authentication.  The only thing I can think of that explains 
this is that pam_ldap isn't relying on being able to bind to ldap using the 
user's credentials as a means to authenticate.  When you think about it, this 
is actually slower than just taking the password from the request done as the 
root dn.  Of course, this requires that you either have the root dn or 
credentials that will give you access to all the passwords.  Using ldap to 
authenticate has better potential for limiting security risks.  But I 
digress...

I still think my problem is somewhere in my ldap configuration.  I'll have to 
come back to it another time.  I have other issues on my plate to worry 
about. :(  Thanks anyway for your help.

...izzy
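The search-then-bind flow Lars describes in the quoted message (look up the entry's DN, then bind as that DN with the user-supplied password) is written out below as an added PHP example. It is not phpGroupware's or pam_ldap's code; the server URI, base DN, the read-only search account and the `uid` naming attribute are assumptions for illustration, and the `ldap_escape()` call is an addition the thread does not mention.

```php
<?php
// Added example: search-then-bind LDAP authentication, as described in the
// quoted message. Not phpGroupware's own code. Server URI, base DN and the
// optional search account are placeholders.

/**
 * Authenticate $username/$password against LDAP without ever reading the
 * stored password attribute: find the entry's DN, then bind as that DN.
 * The server checks the password against whatever hash it stores, so the
 * client never needs to know the hash scheme.
 *
 * @return string|false the user's DN on success, false on failure
 */
function ldap_search_then_bind(
    string $uri,               // e.g. 'ldap://ldap.example.org' (assumed)
    string $base_dn,           // e.g. 'ou=Users,dc=edm,dc=ccs'
    string $username,
    string $password,
    ?string $search_dn = null, // account used for the lookup; null = anonymous
    ?string $search_pw = null
) {
    // Refuse empty passwords up front: servers commonly treat a bind with an
    // empty password as an anonymous bind, which would "succeed".
    if ($password === '') {
        return false;
    }

    $ds = ldap_connect($uri);
    if ($ds === false) {
        return false;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Step 1: bind as the search account (or anonymously) and look up the DN.
    if (!@ldap_bind($ds, $search_dn, $search_pw)) {
        ldap_close($ds);
        return false;
    }

    // Escape the username so it cannot alter the filter structure; otherwise
    // a username like '*' or 'x)(uid=admin' could match a different entry.
    $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    // '1.1' asks for no attributes; only the DN of the matching entry is needed.
    $sr = @ldap_search($ds, $base_dn, $filter, ['1.1']);
    if ($sr === false) {
        ldap_close($ds);
        return false;
    }

    $entries = ldap_get_entries($ds, $sr);
    // Exactly one entry must match; zero or several means "no dn was found".
    if ($entries === false || $entries['count'] !== 1) {
        ldap_close($ds);
        return false;
    }
    $user_dn = $entries[0]['dn'];

    // Step 2: bind as the user's own DN with the supplied password.
    $ok = @ldap_bind($ds, $user_dn, $password);
    ldap_close($ds);

    return $ok ? $user_dn : false;
}

// Usage (all values are placeholders):
$dn = ldap_search_then_bind(
    'ldap://ldap.example.org',
    'ou=Users,dc=edm,dc=ccs',
    'izzyb',
    'secret',
    'cn=readonly,dc=edm,dc=ccs',
    'readonly-password'
);
echo $dn === false ? "login failed\n" : "authenticated as $dn\n";
```

Step 2 is exactly what the `ldapsearch -D uid=izzyb,ou=Users,dc=edm,dc=ccs -W` command earlier in the message does from the shell: a simple bind as that DN, which the server accepts or rejects with "Invalid credentials". The only privilege the search account needs is read access to the naming attribute, which is the point Izzy makes about bind-based authentication needing far less than the root DN.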
