Hello,
I'm trying to find a way to let a Drupal user change his own password.
I've been to the LDAP user configuration page,
I've gone to the "Provisioning from Drupal to LDAP Mappings" settings,
I've chosen "pwd : User or random" and [userpassword]
=> I always get this error: "Mapping rows exist for provisioning to ldap, but no ldap attribute is targetted for [dn]. One row must map to [dn]. This row will have a user token like cn=[property.name],ou=users,dc=ldap,dc=mycompany,dc=com"
I am a newbie at LDAP utilisation. Is it possible to get some help?
| Comment | File | Size | Author |
|---|---|---|---|
| #10 | 1835240.patch | 4.62 KB | johnbarclay |
| #4 | LDAP_Configuration.png | 25.48 KB | tassaf |
| | Capture.PNG | 29.9 KB | eigil |
Comments
Comment #1
johnbarclay commented:
First, go to admin/config/people/ldap/servers/test/SERVERID (the server test link).
Then type in a testing Drupal username (e.g. jdoe) that has a corresponding LDAP entry and submit the form.
In the debugging data that follows, there will be a section that says:
LDAP Entry for jdoe (dn: CN=doe,OU=students,DC=ad,DC=blah,DC=edu)
That's a typical LDAP entry for your LDAP. So the mapping would look like:
CN=[property.name],OU=students,DC=ad,DC=blah,DC=edu
I would suggest taking screenshots of the LDAP server and LDAP authentication screens and emailing them to your sysadmin for help; they will know the specifics of your LDAP.
Comment #2
tassaf commented:
I am facing the same problem. Any solution for this, please?
Comment #3
johnbarclay commented:
Comment #1 is the solution.
Comment #4
tassaf commented:
That is not working.
The dn value appearing in the user test is:
UID=tassaf,ou=Employees,dc=sbm,dc=com,dc=sa
I tried to add these values as the [dn] (see the attached picture):
cn=[property.name],ou=employees,dc=sbm,dc=com,dc=sa
uid=[property.name],ou=employees,dc=sbm,dc=com,dc=sa
cn=[user-name],ou=employees,dc=sbm,dc=com,dc=sa
uid=[user-name],ou=employees,dc=sbm,dc=com,dc=sa
But nothing worked for me.
Is there any problem in the configuration that I entered?
Comment #5
tassaf commented:
I found that I need to use [uid].
I have tried to change a field and it was fine, but I cannot authenticate by using the password.
Is it related to the encryption type? What do you think?
Comment #6
johnbarclay commented:
I have two initial possibilities on this:
1. The feature is not working correctly.
2. Your LDAP does not allow the password field to be set by the service account you are using, or has password requirements that are not being met.
For starters, see if the password is being changed in LDAP by testing without Drupal. You may simply test, or look for the last-modified password attribute. It all depends on your LDAP.
If it's not, try connecting to the LDAP with the service account via something like Apache Directory Studio and see if you are able to change the password that way. If you are, it's likely a bug in the module.
Comment #7
tassaf commented:
Yes, I can change the password now, but I cannot authenticate. I saw the encrypted password in LDAP after changing it through the module, but that password is strange (6 characters), which is not correct; it should start with {md5}...
I can change the password correctly in the D6 version of the LDAP module and it's fine.
So I think that the encryption is not correct before saving the password in LDAP.
Comment #8
johnbarclay commented:
There is no encryption on the way into LDAP. Maybe that is the issue. Do you expect it to be hashed in LDAP? How will other LDAP clients be able to leverage the password then?
Comment #9
tassaf commented:
Then this is the problem.
In LDAP module v6 this line encrypts the password before saving:
```php
// D6 ldap module: when the server is flagged 'encrypted', store the RFC 2307
// style "{md5}" + base64(raw MD5 digest) form; otherwise send the value as-is.
$pw = $_ldapdata_ldap->getOption('encrypted') ? '{md5}' . base64_encode(pack('H*', md5($value))) : $value;
```
Which is LDAP md5 encryption.
Do you know where to add this code?
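The `{md5}` form from comment #9, as an added example that is not part of this issue or of the ldap module's code: it builds RFC 2307-style userPassword values and verifies a candidate password against one, the same comparison a directory performs on a simple bind. It goes beyond the thread by also covering the unsalted `{SHA}` and salted `{SSHA}` schemes. All function names are hypothetical; `random_bytes()` and `hash_equals()` assume PHP 7 or later.

```php
<?php
// Added example (not from the ldap module): build and verify RFC 2307-style
// userPassword values such as the {md5} form discussed in comment #9.

/**
 * Return the userPassword value for $plain under the given scheme.
 * 'md5' and 'sha' are unsalted ({MD5}/{SHA}); 'ssha' is salted SHA-1.
 * The D6 line used a lowercase {md5} prefix; directories compare the
 * scheme name case-insensitively, so both spellings are accepted below.
 */
function example_ldap_hash_password($plain, $scheme = 'md5', $salt = NULL) {
  switch (strtolower($scheme)) {
    case 'md5':
      // Same 16 raw bytes as pack('H*', md5($plain)) in the D6 code.
      return '{MD5}' . base64_encode(md5($plain, TRUE));
    case 'sha':
      return '{SHA}' . base64_encode(sha1($plain, TRUE));
    case 'ssha':
      if ($salt === NULL) {
        $salt = random_bytes(4);               // per-password random salt
      }
      // Stored layout: base64(sha1(password . salt) . salt).
      return '{SSHA}' . base64_encode(sha1($plain . $salt, TRUE) . $salt);
    default:
      throw new InvalidArgumentException("Unsupported scheme: $scheme");
  }
}

/**
 * Compare $plain against a stored userPassword value. Returns TRUE/FALSE.
 * A value without a {SCHEME} prefix is cleartext, which is what the D7
 * module sent before the patch in #10.
 */
function example_ldap_verify_password($plain, $stored) {
  if (!preg_match('/^\{([A-Za-z0-9]+)\}(.+)$/', $stored, $m)) {
    return hash_equals($stored, $plain);
  }
  $raw = base64_decode($m[2], TRUE);
  if ($raw === FALSE) {
    return FALSE;                               // malformed base64 payload
  }
  switch (strtoupper($m[1])) {
    case 'MD5':
      return hash_equals($raw, md5($plain, TRUE));
    case 'SHA':
      return hash_equals($raw, sha1($plain, TRUE));
    case 'SSHA':
      $digest = substr($raw, 0, 20);            // first 20 bytes: SHA-1
      $salt   = substr($raw, 20);               // remainder: the salt
      return hash_equals($digest, sha1($plain . $salt, TRUE));
    default:
      return FALSE;                             // unknown scheme
  }
}

// Constructed sample values: round-trip "Secret123" under each scheme.
foreach (array('md5', 'sha', 'ssha') as $scheme) {
  $stored = example_ldap_hash_password('Secret123', $scheme);
  $ok  = example_ldap_verify_password('Secret123', $stored);
  $bad = example_ldap_verify_password('wrong', $stored);
  printf("%-5s %s ok=%d bad=%d\n", $scheme, $stored, $ok, $bad);
}
```

Two practical points follow from the code: the `{MD5}` form is a fast, unsalted digest, so a copied `userPassword` attribute is cheap to crack offline, and `{SSHA}` (or letting the directory hash server-side via its own password-modify operation) limits that exposure; and because the bind compares the stored digest, every client that authenticates against the directory must agree on the scheme, which is exactly the interoperability question raised in comment #8.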
Comment #10
johnbarclay commented:
Yes. Here's where the code goes:
In the user interface, there is no change except some explanation in the "Password Source Options" to enter the token as [password;md5].
Attached is a patch that deals with the conversion. Please test.
Comment #11
tassaf commented:
Thanks for the patch, but it's not working.
After tracing the values, I found that the token "user-Random" is not getting the correct value for the user password.
Comment #12
johnbarclay commented:
The user's password is only available when the user has entered it. Once it gets into the database, it's hashed. During what user event are you trying to sync the password?
Comment #13
tassaf commented:
Yes, I know that.
I am trying that during the change-password event. I think the password should come directly from the form to the LDAP hash, then to the ldap_modify function to be changed in LDAP.
From where is the token taking its password value? I am trying to find the code responsible for that.
Comment #14
johnbarclay commented:
Comment #15
tassaf commented:
Thank you very much for your help. It's fine now.
I need to clear the cache in order to take the correct password from the static password variable (I don't know why this is important, maybe because this is a static number).
I think a session will work fine here too to store the password value (create the session with the password when changing the password, and kill this session when the data is inserted in LDAP). What do you think, and which one is better?
Note:
I am using the Password Policy module. This module shows a different tab for the user to change the password; in this case the user should add this function to change the password in LDAP correctly:
```php
/**
 * Implements hook_form_FORM_ID_alter() for password_policy_password_tab.
 *
 * Runs the ldap_user validate handler first so the cleartext password is
 * captured from the Password Policy tab before the form's own handlers run.
 */
function ldap_user_form_password_policy_password_tab_alter(&$form, &$form_state) {
  array_unshift($form['#validate'], 'ldap_user_grab_password_validate');
}
```
Thanks again.
Comment #16
johnbarclay commented:
Your patch is great. Thanks for following through with this. The reason I wanted to use a static variable is to minimize the exposure of the unencrypted password. The session variable makes it exposed for longer. I'm open to other storage options; we just need to discuss the security of where the password is stored.
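The request-scoped stash that comments #15 and #16 describe, as an added example that is not the ldap module's code or the committed patch: a form validate handler copies the submitted cleartext into a function-level static, and the provisioning side reads it exactly once and clears it, so the cleartext never reaches the database or the session and lives only between validate and the `ldap_modify()` call in the same PHP request. All `example_` names are hypothetical; the hook signatures are Drupal 7's, and the small driver at the end stands in for the form submission so the block runs outside Drupal.

```php
<?php
// Added example, not the ldap module's code: per-request stash for the
// cleartext password, as discussed in comments #15 and #16.

/**
 * Implements hook_form_FORM_ID_alter() for user_profile_form.
 * Puts our validate handler first so the cleartext is captured before
 * core hashes it into the users table.
 */
function example_ldap_form_user_profile_form_alter(&$form, &$form_state) {
  array_unshift($form['#validate'], 'example_ldap_password_stash_validate');
}

/**
 * Form validate handler: copy the submitted password into the stash.
 * Nothing is written to the database or to $_SESSION.
 */
function example_ldap_password_stash_validate($form, &$form_state) {
  if (!empty($form_state['values']['pass'])) {
    example_ldap_password_stash($form_state['values']['pass']);
  }
}

/**
 * Setter/getter around a function-level static. With an argument it stores
 * the value; with no argument it returns the value once and then discards
 * it, so a second reader in the same request gets NULL.
 */
function example_ldap_password_stash($value = NULL) {
  static $stash = NULL;
  if ($value !== NULL) {
    $stash = $value;
    return NULL;
  }
  $out = $stash;
  $stash = NULL;                               // single use, then gone
  return $out;
}

/**
 * Build the userPassword attribute for this request, or NULL when no
 * password change happened. Called from the provisioning code.
 */
function example_ldap_user_password_attribute() {
  $plain = example_ldap_password_stash();
  if ($plain === NULL) {
    return NULL;                               // nothing to provision
  }
  // Same {md5} form as the D6 line in comment #9.
  $attr = '{MD5}' . base64_encode(md5($plain, TRUE));
  unset($plain);                               // drop the cleartext early
  return $attr;
}

/**
 * Implements hook_user_update(): where the module would hand the hashed
 * attribute to ldap_modify() for the user's DN.
 */
function example_ldap_user_update(&$edit, $account, $category) {
  $attr = example_ldap_user_password_attribute();
  if ($attr !== NULL) {
    // ldap_modify($conn, $dn, array('userPassword' => $attr));
  }
}

// Constructed walk-through of one request (stands in for Form API).
$form_state = array('values' => array('pass' => 'Secret123'));
example_ldap_password_stash_validate(array(), $form_state);
$first  = example_ldap_user_password_attribute();   // "{MD5}..." string
$second = example_ldap_user_password_attribute();   // NULL: already consumed
printf("first=%s second=%s\n", var_export($first, TRUE), var_export($second, TRUE));
```

The design difference between this and the session alternative from comment #15 is lifetime and location: a PHP static is gone when the request ends and is never serialized, whereas `$_SESSION` is persisted by Drupal's session handler to the database and survives until something deletes it, so a failed `ldap_modify()` or an exception between storing and clearing would leave the cleartext at rest. If a value must outlive the request, storing the already hashed attribute rather than the cleartext is the safer choice.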
Comment #17
johnbarclay commented:
This is committed. Please keep an eye out for other modules that accept passwords for resetting them. I also added some notes about the Password Policy module in the documentation beneath that section of the form.
Comment #18
johnbarclay commented:
Comment #19
tassaf commented:
Thanks a lot, I appreciate your help and support :)