What is the password change error in roundcube?
Good afternoon! There is a stack of OpenLDAP + Dovecot + Postfix + Roundcube on CentOS 7. I configured Dovecot + Postfix + Roundcube authorization through OpenLDAP. I log in without problems in Roundcube and Outlook; mail is sent and received. But now the task arose to make it possible to change the password in Roundcube. I tried to change the password in the current configuration and got the error "I can not save the new password. Connection error."
And then the dancing with a tambourine began.
The first thing that came to mind was the lack of write permissions for the service accounts in OpenLDAP; I added the ability to write and see passwords, with the same result. I also changed the password encryption type through phpldapadmin, changed the value in the file /usr/share/roundcubemail/plugins/password/config.inc.php to "$config['password_ldap_encodage'] = 'ssha';" (it has been clear, md5 and crypt), tried adding "default_pass_scheme = CRYPT" to the file /etc/dovecot/dovecot-ldap.conf.ext, and tried adding "cram-md5" to the line "auth_mechanisms = plain login" in the file /etc/dovecot/conf.d/10-auth.conf, but then authorization breaks; maybe it tries to log in through cram-md5.
Nothing useful is written in the logs either (I looked at /var/log/maillog).
Help me figure out what the problem is!
Some configs.
Dovecot LDAP connection, /etc/dovecot/dovecot-ldap.conf.ext:
hosts = server.com:389
auth_bind = yes
dn = uid=dovecot,ou=services,dc=server,dc=com
dnpass = pass
ldap_version = 3
base = dc=server,dc=com
deref = never
scope = subtree
user_attrs = mailHomeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=PostfixBookMailAccount)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=PostfixBookMailAccount)(mail=%u))
Roundcube password plugin, /usr/share/roundcubemail/plugins/password/config.inc.php:
$config['password_driver'] = 'ldap';
$config['password_confirm_current'] = true;
$config['password_minimum_length'] = 6;
$config['password_require_nonalpha'] = false;
$config['password_log'] = false;
$config['password_login_exceptions'] = null;
$config['password_hosts'] = null;
$config['password_force_save'] = false;
$config['password_force_new_user'] = false;
$config['password_db_dsn'] = '';
$config['password_query'] = 'SELECT update_passwd(%c, %u)';
$config['password_crypt_hash'] = 'md5';
$config['password_idn_ascii'] = false;
$config['password_dovecotpw_method'] = '';
$config['password_dovecotpw_with_method'] = false;
$config['password_hash_algorithm'] = 'sha1';
$config['password_hash_base64'] = false;
$config['password_blowfish_cost'] = 12;
$config['password_pop_host'] = 'localhost';
$config['password_pop_port'] = 106;
$config['password_saslpasswd_args'] = '';
$config['password_ldap_host'] = 'server.com';
$config['password_ldap_port'] = '389';
$config['password_ldap_starttls'] = false;
$config['password_ldap_version'] = '3';
$config['password_ldap_basedn'] = 'dc=server,dc=com';
$config['password_ldap_method'] = 'user';
$config['password_ldap_adminDN'] = null;
$config['password_ldap_adminPW'] = null;
$config['password_ldap_userDN_mask'] = 'mail=%login';
$config['password_ldap_searchDN'] = 'uid=roundcube,ou=services,dc=server,dc=com';
$config['password_ldap_searchPW'] = 'pass';
$config['password_ldap_search_base'] = 'dc=server,dc=com';
$config['password_ldap_search_filter'] = '(mail=%login)';
$config['password_ldap_encodage'] = 'crypt';
$config['password_ldap_pwattr'] = 'userPassword';
$config['password_ldap_force_replace'] = true;
$config['password_ldap_lchattr'] = 'shadowLastChange';
LDAP user entry (phpldapadmin export):
Entry 1: cn=Олег Михайлов,ou=auto LLC,dc=server,dc=com
dn:: cn=Олег Михайлов,ou=auto LLC,dc=server,dc=com
cn:: Олег Михайлов
givenname:: Олег
mail: [email protected]
objectclass: inetOrgPerson
objectclass: top
objectclass: PostfixBookMailAccount
sn:: Михайлов
userpassword: {SSHA}iLzSGGk7PALysN+Ax+fAXxN6U2agQDje
Use "ldap_simple" driver instead of "ldap".
Be sure to create a separate user in LDAP that will change passwords and specify its login and password in the config.
Set password_ldap_encodage to the same password encryption as in LDAP itself.
Wrap all traffic to the LDAP server in TLS with normal strong modern encryption algorithms and use the ldaps protocol on port 636.
Forget about Dovecot; it is not involved in changing the password. Its task is only to let the user into webmail (well, and to send mail, of course).
Here is an example of a working config:
$config['password_driver'] = 'ldap_simple';
$config['password_confirm_current'] = true;
$config['password_minimum_length'] = 8;
$config['password_require_nonalpha'] = true;
$config['password_log'] = true;
$config['password_ldap_host'] = 'ldaps://ldap.example.com';
$config['password_ldap_port'] = '636';
$config['password_ldap_starttls'] = false;
$config['password_ldap_version'] = '3';
$config['password_ldap_basedn'] = 'dc=example,dc=com';
$config['password_ldap_method'] = 'user';
$config['password_ldap_searchDN'] = 'cn=RoundcubePasswordChanger,dc=example,dc=com';
$config['password_ldap_searchPW'] = '*****';
$config['password_ldap_search_base'] = 'dc=example,dc=com';
$config['password_ldap_search_filter'] = '(&(objectClass=top)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=person)(accountStatus=active)(uid=%login))';
$config['password_ldap_encodage'] = 'ssha';
$config['password_ldap_pwattr'] = 'userPassword';
$config['password_ldap_force_replace'] = true;
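As an added illustration (not code from the question, the answer or the Roundcube project), here is a small Python script that shows why password_ldap_encodage has to match what is actually stored in LDAP, which is the point the answer makes and the setting the question kept switching between clear, md5, crypt and ssha. It parses the {SSHA} value from the question's LDIF entry, maps the prefix to the plugin setting, and reproduces the SSHA hash-and-verify steps that Roundcube performs on write and Dovecot performs at login. The scheme-to-encodage table is an assumption based on the plugin's documented option names; the stored hash is the one from the question and its password is unknown, so the script only checks its structure.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# LDAP userPassword prefixes and the matching $config['password_ldap_encodage']
# value for the Roundcube password plugin (assumption: names as documented in
# the plugin's config.inc.php.dist; check the version you have installed).
SCHEME_TO_ENCODAGE = {
    "SSHA": "ssha",
    "SHA": "sha",
    "SMD5": "smd5",
    "MD5": "md5",
    "CRYPT": "crypt",
}

# Sample taken from the question's LDIF entry; the password behind it is unknown.
SAMPLE_USERPASSWORD = "{SSHA}iLzSGGk7PALysN+Ax+fAXxN6U2agQDje"

SHA1_SIZE = hashlib.sha1().digest_size  # 20 bytes


def parse_userpassword(value: str) -> Tuple[str, str]:
    """Split '{SCHEME}payload' into (SCHEME, payload); no prefix means cleartext."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return "CLEAR", value


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # OpenLDAP and Roundcube both use a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_salt_length(stored: str) -> int:
    """Return the salt length of a stored {SSHA} value (bytes past the 20-byte digest)."""
    scheme, payload = parse_userpassword(stored)
    if scheme != "SSHA":
        raise ValueError(f"not an SSHA value: scheme is {scheme}")
    raw = base64.b64decode(payload)
    if len(raw) <= SHA1_SIZE:
        raise ValueError("SSHA payload too short: need a 20-byte digest plus salt")
    return len(raw) - SHA1_SIZE


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value, as Dovecot does at login."""
    salt_len = ssha_salt_length(stored)  # raises if the value is not well-formed SSHA
    raw = base64.b64decode(parse_userpassword(stored)[1])
    digest, salt = raw[:-salt_len], raw[-salt_len:]
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


def encodage_for(stored: str) -> str:
    """Return the password_ldap_encodage value that matches a stored userPassword."""
    scheme, _ = parse_userpassword(stored)
    if scheme == "CLEAR":
        return "clear"
    if scheme not in SCHEME_TO_ENCODAGE:
        raise ValueError(f"scheme {scheme} not in the table; choose the encodage by hand")
    return SCHEME_TO_ENCODAGE[scheme]


if __name__ == "__main__":
    print("scheme/payload:", parse_userpassword(SAMPLE_USERPASSWORD))
    print("salt bytes:", ssha_salt_length(SAMPLE_USERPASSWORD))
    print("use password_ldap_encodage =", encodage_for(SAMPLE_USERPASSWORD))
    fresh = ssha_hash("example-password")
    print("freshly hashed:", fresh, "verifies:", ssha_verify(fresh, "example-password"))
```

Run it against a value pulled with ldapsearch to confirm which scheme the directory actually holds before touching the plugin config; if the prefix is {SSHA}, the setting is 'ssha', and Dovecot needs no default_pass_scheme at all because the prefix tells it which scheme to verify with.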
Can you enable extended logging in Roundcube and look in the Roundcube logs? Well, it will not be superfluous to look in the openldap logs either.
It doesn't write anything in LDAP, but as for the Roundcube option, by the way, there is a function for outputting directly to the browser; I forgot about it, thanks!