Hello,

I'm trying to find a way to let a Drupal user change his own password.

I've been to the ldap user configuration page,
I've gone to the "Provisioning from Drupal to LDAP Mappings" settings,
I've chosen "pwd : User or random" and [userpassword]

=> I always get a "Mapping rows exist for provisioning to ldap, but no ldap attribute is targetted for [dn]. One row must map to [dn]. This row will have a user token like cn=[property.name],ou=users,dc=ldap,dc=mycompany,dc=com" error check.

I am a newbie at using LDAP. Is it possible to get some help?

Comment | File | Size | Author
#10 | 1835240.patch | 4.62 KB | johnbarclay
#4 | LDAP_Configuration.png | 25.48 KB | tassaf
 | Capture.PNG | 29.9 KB | eigil

Comments

johnbarclay’s picture

First, go to admin/config/people/ldap/servers/test/SERVERID (the server test link).
Then type in a testing Drupal username (e.g. jdoe) that has a corresponding LDAP entry and submit the form.

In the debugging data that follows, there will be a section that says:

LDAP Entry for jdoe (dn: CN=doe,OU=students,DC=ad,DC=blah,DC=edu)

That's a typical ldap entry for your LDAP. So the mapping would look like:

CN=[property.name],OU=students,DC=ad,DC=blah,DC=edu

I would suggest taking screenshots of the ldap server and ldap authentication screens and emailing them to your sys admin for help; they will know the specifics of your ldap.

tassaf’s picture

I am facing the same problem.. any solution for this please?

johnbarclay’s picture

Title: user mapping from Drupal to Ldap » LDAP User: user mapping from Drupal to Ldap, how to get DN mapped

Comment #1 is the solution.

tassaf’s picture

That is not working.
The dn value appearing in the user test is:

UID=tassaf,ou=Employees,dc=sbm,dc=com,dc=sa

I tried to add those values as the [dn] (see the attached picture):
cn=[property.name],ou=employees,dc=sbm,dc=com,dc=sa
uid=[property.name],ou=employees,dc=sbm,dc=com,dc=sa
cn=[user-name],ou=employees,dc=sbm,dc=com,dc=sa
uid=[user-name],ou=employees,dc=sbm,dc=com,dc=sa

But nothing worked for me.

Is there any problem in the configurations that I entered?

tassaf’s picture

I found that I need to use [uid]

I have tried to change a field and it was fine, but I cannot authenticate by using the password.
Is it related to the encryption type? What do you think?

johnbarclay’s picture

Title: LDAP User: user mapping from Drupal to Ldap, how to get DN mapped » LDAP User: provision to ldap setting password

I have two initial possibilities on this:

1. The feature is not working correctly.
2. Your ldap does not allow the password field to be set by the service account you are using or has password requirements that are not being met.

For starters see if the password is being changed in ldap by testing without drupal. You may simply test or look for the last modified password attribute. It all depends on your ldap.

If it's not, try connecting to the ldap with the service account via something like Apache Directory Studio and see if you are able to change the password that way. If you are, it's likely a bug in the module.

tassaf’s picture

Yes I can change the password now.. but I cannot authenticate.. I saw the encrypted password in ldap after changing it through the module.. but that password is strange (6 Characters) which is not correct, it should start with {md5}...

I can change the password correctly in d6 version of ldap module and it's fine

So I think that the encryption is not correct before saving the password in ldap

johnbarclay’s picture

There is no encryption on the way into ldap. Maybe that is the issue. Do you expect it to be hashed in ldap? How will other ldap clients be able to leverage the password then?

tassaf’s picture

Then this is the problem,
In ldap module v6 this line encrypts the password before saving
$pw = $_ldapdata_ldap->getOption('encrypted') ? '{md5}'. base64_encode(pack('H*', md5($value))) : $value;

Which is ldap md5 encryption

Do you know where to add this code?

johnbarclay’s picture

Yes. Here's where the code goes:

In the user interface, there is no change except some explanation in the "Password Source Options" to enter the token as [password;md5]

Attached is a patch that deals with the conversion. Please test.
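
The userPassword value format discussed in the two comments above (the Drupal 6 `{md5}` line and the [password;md5] token), as an added example that is not part of the original thread or the LDAP module's code. The function names are hypothetical; it goes beyond the thread's case by also building the salted `{SSHA}` scheme that directories such as OpenLDAP accept, since `{md5}` is unsalted.

```php
<?php
// Added example; function names are hypothetical, not part of the LDAP module.

// Build a userPassword value: 'MD5' (unsalted) or 'SSHA' (salted SHA-1).
function example_ldap_hash_password($password, $scheme = 'SSHA', $salt = NULL) {
  switch (strtoupper($scheme)) {
    case 'MD5':
      // Same bytes as the D6 line: base64 of the raw 16-byte MD5 digest.
      return '{md5}' . base64_encode(md5($password, TRUE));
    case 'SSHA':
      // random_bytes() needs PHP 7 or later.
      $salt = ($salt === NULL) ? random_bytes(8) : $salt;
      // SHA-1 of password+salt, then the salt appended so a verifier can recover it.
      return '{SSHA}' . base64_encode(sha1($password . $salt, TRUE) . $salt);
  }
  throw new InvalidArgumentException("Unsupported scheme: $scheme");
}

// Check a candidate password against a stored userPassword value.
function example_ldap_verify_password($password, $stored) {
  if (!preg_match('/^\{([A-Za-z0-9-]+)\}(.+)$/', $stored, $m)) {
    // No {scheme} prefix: the value was written as-is (cleartext).
    return hash_equals($stored, $password);
  }
  $raw = base64_decode($m[2], TRUE);
  if ($raw === FALSE) {
    return FALSE;
  }
  switch (strtoupper($m[1])) {
    case 'MD5':
      return hash_equals($raw, md5($password, TRUE));
    case 'SSHA':
      // First 20 bytes are the SHA-1 digest, the rest is the salt.
      $salt = (string) substr($raw, 20);
      return hash_equals((string) substr($raw, 0, 20), sha1($password . $salt, TRUE));
  }
  return FALSE;  // Unknown scheme.
}

// Constructed sample password, for illustration only.
$md5 = example_ldap_hash_password('S3cret!pw', 'MD5');
$ssha = example_ldap_hash_password('S3cret!pw', 'SSHA');
echo $md5, "\n", $ssha, "\n";
var_dump(example_ldap_verify_password('S3cret!pw', $md5));
var_dump(example_ldap_verify_password('S3cret!pw', $ssha));
var_dump(example_ldap_verify_password('wrong', $ssha));
```

A stored value with no `{scheme}` prefix, like the short one reported earlier in the thread, is treated by this verifier as cleartext.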

tassaf’s picture

Thanks for the patch.. But it's not working

After tracing the values.. I found that the token "user-Random" is not getting the correct value for user password

johnbarclay’s picture

The user's password is only available when the user has entered it. Once it gets into the database, it's hashed. During what user event are you trying to synch the password?

tassaf’s picture

Yes I know that,
I am trying that during changing the password event.. I think the password should come directly from the form to ldap hash then to ldap_modify function to be changed in ldap..

From where is the token taking its password value? I am trying to find the code responsible for that

johnbarclay’s picture

tassaf’s picture

Thank you very much for your help. It's fine now.

I need to clear the cache in order to take the correct password from the static password variable (I don't know why this is important, maybe because this is a static number)
I think session will work fine also here to store the password value (create the session with the password when changing the password, and kill this session when the data is inserted in ldap) what do you think? and which one is better

Note:
I am using password policy module, this module shows a different tab for the user to change the password, in this case the user should add this function to change the password in ldap correctly:

/**
 * Implements hook_form_FORM_ID_alter() for password_policy_password_tab.
 */
function ldap_user_form_password_policy_password_tab_alter(&$form, &$form_state) {
  array_unshift($form['#validate'], 'ldap_user_grab_password_validate');
}

Thanks again

johnbarclay’s picture

Title: LDAP User: provision to ldap setting password » LDAP User: provision to ldap setting password with password policy module
Component: Documentation » Code
Category: support » feature
Status: Active » Needs review

Your patch is great. Thanks for following through with this. The reason I wanted to use a static variable is to minimize the exposure of the unencrypted password. The session variable makes it exposed for longer. I'm open to other storage options, we just need to discuss the security of where the password is stored.

johnbarclay’s picture

This is committed. Please keep an eye out for other modules that accept passwords for resetting them. I also added some notes about password provision module in the documentation beneath that section of the form.

johnbarclay’s picture

Status: Needs review » Fixed

tassaf’s picture

Thanks a lot, I appreciate your help and support :)

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.