System administration
Dmitry Aitkulov, 2015-10-19 13:48:45

What is the password change error in roundcube?

Good afternoon! There is a stack of OpenLDAP + dovecot + postfix + roundcube on CentOS 7. I configured dovecot + postfix + roundcube authorization through OpenLDAP. I log in without problems in roundcube and outlook; mail is sent and received. But now the task arose to make it possible to change the password in roundcube. I tried to change the password in the current configuration and got the error "I can not save the new password. Connection error."
And then began dancing with a tambourine.
The first thing that came to mind was the lack of write permissions for the service accounts in openldap. I added the ability to write and see passwords; the result is the same. I also:
changed the type of password encryption through "phpldapadmin",
changed the values in the file /usr/share/roundcubemail/plugins/password/config.inc.php, "$config['password_ldap_encodage'] = 'ssha';" (clear, md5 and crypt were also tried),
tried adding "default_pass_scheme = CRYPT" to the file "/etc/dovecot/dovecot-ldap.conf.ext",
tried adding "cram-md5" to the file "/etc/dovecot/conf.d/10-auth.conf" in the line "auth_mechanisms = plain login", but then the authorization breaks; maybe it tries to log in through cram-md5.
Nothing useful is written in the logs either (I looked at /var/log/maillog).
Help me figure out what the problem is?!
Some configs:
Dovecot connection, /etc/dovecot/dovecot-ldap.conf.ext:

hosts = server.com:389
auth_bind = yes
dn = uid=dovecot,ou=services,dc=server,dc=com
dnpass = pass
ldap_version = 3
base = dc=server,dc=com
deref = never
scope = subtree
user_attrs = mailHomeDirectory=home,uidNumber=uid,gidNumber=gid
user_filter = (&(objectClass=PostfixBookMailAccount)(mail=%u))
pass_attrs = mail=user,userPassword=password
pass_filter = (&(objectClass=PostfixBookMailAccount)(mail=%u))

/usr/share/roundcubemail/plugins/password/config.inc.php
$config['password_driver'] = 'ldap';
$config['password_confirm_current'] = true;
$config['password_minimum_length'] = 6;
$config['password_require_nonalpha'] = false;
$config['password_log'] = false;
$config['password_login_exceptions'] = null;
$config['password_hosts'] = null;
$config['password_force_save'] = false;
$config['password_force_new_user'] = false;
$config['password_db_dsn'] = '';
$config['password_query'] = 'SELECT update_passwd(%c, %u)';
$config['password_crypt_hash'] = 'md5';
$config['password_idn_ascii'] = false;
$config['password_dovecotpw_method'] = '';
$config['password_dovecotpw_with_method'] = false;
$config['password_hash_algorithm'] = 'sha1';
$config['password_hash_base64'] = false;
$config['password_blowfish_cost'] = 12;
$config['password_pop_host'] = 'localhost';
$config['password_pop_port'] = 106;
$config['password_saslpasswd_args'] = '';
$config['password_ldap_host'] = 'server.com';
$config['password_ldap_port'] = '389';
$config['password_ldap_starttls'] = false;
$config['password_ldap_version'] = '3';
$config['password_ldap_basedn'] = 'dc=server,dc=com';
$config['password_ldap_method'] = 'user';
$config['password_ldap_adminDN'] = null;
$config['password_ldap_adminPW'] = null;
$config['password_ldap_userDN_mask'] = 'mail=%login';
$config['password_ldap_searchDN'] = 'uid=roundcube,ou=services,dc=server,dc=com';
$config['password_ldap_searchPW'] = 'pass';
$config['password_ldap_search_base'] = 'dc=server,dc=com';
$config['password_ldap_search_filter'] = '(mail=%login)';
$config['password_ldap_encodage'] = 'crypt';
$config['password_ldap_pwattr'] = 'userPassword';
$config['password_ldap_force_replace'] = true;
$config['password_ldap_lchattr'] = 'shadowLastChange';

Entry in LDAP:
Entry 1: cn=Олег Михайлов,ou=auto LLC,dc=server,dc=com
dn:: cn=Олег Михайлов,ou=auto LLC,dc=server,dc=com
cn:: Олег Михайлов
givenname:: Олег
mail: [email protected]
objectclass: inetOrgPerson
objectclass: top
objectclass: PostfixBookMailAccount
sn:: Михайлов
userpassword: {SSHA}iLzSGGk7PALysN+Ax+fAXxN6U2agQDje

4 answer(s)
Vladimir, 2015-10-19
@Scarfase1989

Use the "ldap_simple" driver instead of "ldap".
Be sure to create a separate user in LDAP who will change passwords, and specify its login and password in the config.
Set password_ldap_encodage to the same password encryption as in LDAP itself.
Wrap all traffic to the LDAP server in TLS with normal strong modern encryption algorithms and use the ldaps protocol on port 636.
Forget about Dovecot, it is not involved in changing the password. Its task is only to let the user into web mail (well, to send letters, of course).
Here is an example of a working config:

$config['password_driver'] = 'ldap_simple';

$config['password_confirm_current'] = true;

$config['password_minimum_length'] = 8;
$config['password_require_nonalpha'] = true;

$config['password_log'] = true;

$config['password_ldap_host'] = 'ldaps://ldap.example.com';
$config['password_ldap_port'] = '636';
$config['password_ldap_starttls'] = false;
$config['password_ldap_version'] = '3';
$config['password_ldap_basedn'] = 'dc=example,dc=com';
$config['password_ldap_method'] = 'user';
$config['password_ldap_searchDN'] = 'cn=RoundcubePasswordChanger,dc=example,dc=com';
$config['password_ldap_searchPW'] = '*****';
$config['password_ldap_search_base'] = 'dc=example,dc=com';
$config['password_ldap_search_filter'] = '(&(objectClass=top)(objectClass=organizationalPerson)(objectClass=inetOrgPerson)(objectClass=person)(accountStatus=active)(uid=%login))';
$config['password_ldap_encodage'] = 'ssha';
$config['password_ldap_pwattr'] = 'userPassword';
$config['password_ldap_force_replace'] = true;
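
An offline check of the points made in the answer above, as an added example that is not part of the original answer or of Roundcube's own code: it compares `password_ldap_encodage` with the `{SCHEME}` prefix of the stored `userPassword`, flags cleartext LDAP transport and disabled password logging, and shows how an `{SSHA}` value is built and verified. Function names and finding labels are hypothetical, the config sample is cut down from the question's file, and it assumes the encodage value equals the lowercased scheme prefix.

```python
import base64, hashlib, hmac, os, re

# Constructed sample: the settings from the question's config.inc.php that matter here.
QUESTION_CONFIG = """
$config['password_driver'] = 'ldap';
$config['password_log'] = false;
$config['password_ldap_host'] = 'server.com';
$config['password_ldap_port'] = '389';
$config['password_ldap_starttls'] = false;
$config['password_ldap_encodage'] = 'crypt';
"""
# userPassword value as shown in the question's LDAP entry.
STORED = "{SSHA}iLzSGGk7PALysN+Ax+fAXxN6U2agQDje"

def parse_config(text):
    """Extract $config['key'] = value; pairs; quotes stripped, values kept as strings."""
    pairs = re.findall(r"\$config\['(\w+)'\]\s*=\s*(.*?);\s*$", text, re.M)
    return {k: v.strip().strip("'\"") for k, v in pairs}

def stored_scheme(userpassword):
    """Scheme from the {SCHEME} prefix, lowercased; 'clear' if there is no prefix."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}", userpassword)
    return m.group(1).lower() if m else "clear"

def ssha_hash(password, salt=None):
    """{SSHA} = base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the rest is salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def audit(cfg, stored):
    """Return hypothetical finding labels for a parsed config and a stored hash."""
    findings = []
    if cfg.get("password_ldap_encodage", "").lower() != stored_scheme(stored):
        findings.append("encodage-mismatch")   # plugin would write a different scheme
    tls = (cfg.get("password_ldap_host", "").startswith("ldaps://")
           or cfg.get("password_ldap_starttls") == "true")
    if not tls:
        findings.append("cleartext-ldap")      # bind and new password cross the wire unencrypted
    if cfg.get("password_log") != "true":
        findings.append("password-log-off")    # password changes are not logged
    return findings

if __name__ == "__main__":
    print(audit(parse_config(QUESTION_CONFIG), STORED))
```

Run against the answer's config (ldaps host, `ssha`, logging on) with the same stored value, `audit` returns an empty list.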

athacker, 2015-10-19
@athacker

Can you enable extended logging in Roundcube and look in the Roundcube logs? Well, it will not be superfluous to look in the openldap logs either.

Dmitry Aitkulov, 2015-10-19
@Scarfase1989

It doesn't write anything in ldap, but as for the roundcube option: by the way, there is a function for outputting directly to the browser. I forgot about it, thanks!

radiy77, 2017-04-13
@radiy77

Good afternoon, dear ones!
Who can set up password creation for me, and how much will it cost?
