[RCU] Password Config

David Warden warden at geneseo.edu
Tue Mar 29 15:14:34 CEST 2011


I do not have experience with that plugin, but I do have experience changing Active Directory passwords over LDAP.

This post is a good place to start: http://www.evanhoffman.com/evan/2010/01/13/victory-change-active-directory-password-via-ldap-through-browser/

TL;DR: To change an AD password over LDAP, you need to:

1) connect to LDAP on AD using LDAPS (LDAP+SSL) with admin user or target user's current creds
2) Delete/add unicodePwd with UTF16-LE encoding of new password

If anything goes wrong, you should get an LDAP error that says the server refuses to make the change. Make sure the password meets AD's complexity requirements, if you have that enabled.

I don't know all the config options for the plugin but I believe you need to:
0) Make sure LDAPS is enabled in AD - lots of good blog posts in Google about this
1) Enable TLS in the plugin (I'm not 100% sure if you can STARTTLS on port 389 or if you need to SSL connect to 636.)
2) change the pwattr plugin config variable to unicodePwd
3) Try to find a way to make the plugin send the UTF16-LE version of the password over the wire; AD will then encrypt what it gets.
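An added example (not code from this thread or from the Roundcube password plugin) that shows, in Python, the two mechanics David describes: the quoted, UTF-16LE-encoded unicodePwd value and the delete/add modify operation sent over an LDAPS session. The numeric operation codes are those of RFC 4511 (the same values python-ldap uses) and are defined locally so the block runs without an LDAP library; the hostname is a constructed placeholder.

```python
from urllib.parse import urlsplit

# RFC 4511 ModifyRequest operation codes (python-ldap exposes the same values).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def encode_unicode_pwd(password: str) -> bytes:
    """AD expects the new password wrapped in double quotes and encoded as UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def build_user_change_modlist(old_password: str, new_password: str):
    """Self-service change (bound as the target user): delete the old value and add
    the new one in a single modify, which is the 'delete/add unicodePwd' step above."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def build_admin_reset_modlist(new_password: str):
    """Administrative reset (bound as an admin): a single replace; no old value needed."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


def check_ldap_url(url: str):
    """AD refuses unicodePwd modifications over a cleartext session, so refuse anything
    that is not ldaps://; returns (host, port) with 636 as the LDAPS default."""
    parts = urlsplit(url)
    if parts.scheme != "ldaps":
        raise ValueError(f"unicodePwd changes require LDAPS, got scheme {parts.scheme!r}")
    return parts.hostname, parts.port or 636


if __name__ == "__main__":
    host, port = check_ldap_url("ldaps://dc01.example.local")  # constructed placeholder
    for op, attr, values in build_user_change_modlist("OldPassw0rd!", "NewPassw0rd!"):
        print(op, attr, values[0].hex(" "))
```

The modlists are the structures you would hand to an LDAP client's modify call after binding over the checked LDAPS URL; they are not sent anywhere here.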

Debugging this is going to be rough since AD will only let you modify unicodePwd over an SSL session, so packet sniffing the conversation is difficult. I know it's a pain to set up but getting a version of Wireshark with SSL decryption (you need the private key of the cert you installed in AD to enable LDAPS) will help a lot.

Hope this helps,
David Warden


On Mar 29, 2011, at 7:58 AM, Clay Smith wrote:

> I am still looking for help with this plugin if someone could point me in the correct direction, I would be most appreciative.
> 
> On Mon, Mar 21, 2011 at 11:02 PM, Clay Smith <freelancefool at gmail.com> wrote:
> I am currently having some issues trying to get the change password
> function to work. I have sanitized the config and the logs. I am hoping
> that I am not missing anything. I have RoundCube authenticating against
> Active Directory right now with no issues. I have no issues with mail
> delivery. I figured out how to get the Global Addressbook to pull from
> Active Directory, but this is beating me. I would appreciate any help with
> this plugin that I can get.
> 
> Configuration File
> 
> [root at mail ~]# less
> /var/www/webmail.$MYSITE.com/plugins/password/config.inc.php
> <?php
> 
> // Password Plugin options
> $rcmail_config['password_driver'] = 'ldap';
> 
> // Determine whether current password is required to change password.
> $rcmail_config['password_confirm_current'] = true;
> 
> // Require the new password to be a certain length.
> $rcmail_config['password_minimum_length'] = 7;
> 
> // Require the new password to contain a letter and punctuation character
> $rcmail_config['password_require_nonalpha'] = true;
> 
> // LDAP and LDAP_SIMPLE Driver options
> // -----------------------------------
> $rcmail_config['password_ldap_host'] = '$MYDC';
> 
> // LDAP server port to connect to
> // Default: '389'
> $rcmail_config['password_ldap_port'] = '389';
> 
> // TLS is started after connecting
> $rcmail_config['password_ldap_starttls'] = false;
> 
> // LDAP version
> $rcmail_config['password_ldap_version'] = '3';
> 
> // LDAP base name (root directory)
> $rcmail_config['password_ldap_basedn'] = 'dc=$MYDOMAIN,dc=local';
> 
> // LDAP connection method
> $rcmail_config['password_ldap_method'] = 'user';
> 
> // LDAP Admin DN
> $rcmail_config['password_ldap_adminDN'] = null;
> 
> // LDAP Admin Password
> $rcmail_config['password_ldap_adminPW'] = null;
> 
> // LDAP user DN mask
> $rcmail_config['password_ldap_userDN_mask'] =
> 'cn=%name,dc=$MYDOMAIN,dc=local';
> 
> // LDAP search DN
> $rcmail_config['password_ldap_searchDN'] =
> 'cn=ad.bind,cn=users,dc=$MYDOMAIN,dc=local';
> 
> // LDAP search password
> $rcmail_config['password_ldap_searchPW'] = '$AD.BINDPWD';
> 
> // LDAP search base
> $rcmail_config['password_ldap_search_base'] =
> 'cn=users,dc=$MYDOMAIN,dc=local';
> 
> // LDAP search filter
> $rcmail_config['password_ldap_search_filter'] = '(cn=%name)';
> 
> // LDAP password hash type
> $rcmail_config['password_ldap_encodage'] = 'crypt';
> 
> // LDAP password attribute
> $rcmail_config['password_ldap_pwattr'] = 'userPassword';
> 
> // LDAP password force replace
> $rcmail_config['password_ldap_force_replace'] = true;
> 
> // LDAP Password Last Change Date
> $rcmail_config['password_ldap_lchattr'] = 'pwdLastSet';
> 
> // Also try to update Samba password attributes: sambaNTPassword and sambaPwdLastSet
> $rcmail_config['password_ldap_samba'] = false;
> 
> 
> Errors
> 
> [root at mail ~]# tail -f /var/log/httpd/error_log
> [Mon Mar 21 22:30:31 2011] [error] [client x.x.x.x] Bind failed: Invalid
> credentials: LDAP_INVALID_CREDENTIALS (49): , referer:
> http://webmail.$MYSITE.com/?_task=settings&_action=plugin.password-save
> [Mon Mar 21 22:30:40 2011] [error] [client x.x.x.x] Bind failed: Invalid
> credentials: LDAP_INVALID_CREDENTIALS (49): , referer: http://webmail.
> $MYSITE.com/?_task=settings&_action=plugin.password-save
> 
> I understand that the LDAP_INVALID_CREDENTIALS is an issue with the login
> and password that I am trying to bind with. I just don't see where my
> error is. What am I missing?
> 
> Thanks,
> 
> Clay
> 
> -- 
> List info: http://lists.roundcube.net/users/
> BT/0b512945
