LDAP and Squirrelmail Password Changer

Question

Level 2

265 points

LDAP and Squirrelmail Password Changer

Hi,
I installed the Change LDAP Password plugin for Squirrelmail.

When I try to use it with an LDAP user, I get the following error:

"LDAP search failed.
Error: No such object"

Here is part of my config file for the plugin:

–––––––
$ldap_server = 'localhost';

$ldap protocolversion = 3;

$ldap passwordfield = 'userpassword';

$ldap userfield = 'uid';

$ldap basedn = 'dc=mydomainishere,dc=org';
––––––––

also from the dir services error log:

2007-11-11 21:55:45 EST - T[0xF0103000] - Attempt #1 to initialize plug-in PasswordServer failed.
Will retry initialization at most 100 times every 1 second.

Any suggestions? Thanks!

MBP, Mac OS X (10.5.2)

Posted on Jun 1, 2008 11:48 AM

Reply

Answer 1

Jun 2, 2008 5:46 AM in response to J R3

I have not used this plugin myself (I am not using the Apple Mail server and the one I am using uses its own separate user accounts). However here are somethings to check.

1. If your Open Directory server is a different machine to your Mail server then you may need to tell this plugin the address of the Open Directory server, so instead of ldap_server = 'localhost' you would specify its host name e.g. ldap_server = 'myserver.mydomainishere.org'

2. Some LDAP operations may require you to 'bind' (i.e. login) to the LDAP server with a user account that has write permission before you can modify another account. Typically this would be to use the 'admin' account (the name of which depends on what you used when installing the server). You therefore might bind using a value something like

uid=admin,cn=users,dc=mydomainishere,dc=org

and also of course use the correct password.

3. In fact now that I think about it, your ldap basedn might actually be 'cn=users,dc=mydomainishere,dc=org'

4. Finally, due to confusing and conflicting information in Apple's documentation, some people end up configuring their Open Directory so that the host name of the Open Directory server becomes part of the search path. This approach does work but in my opinion is not the best way to do it, therefore your ldap basedn might be either 'dc=myserver,dc=mydomainishere,dc=org' or 'cn=users,dc=myserver,dc=mydomainishere,dc=org'

Reply

Answer 2

J R3 Author

Level 2

265 points

Jun 2, 2008 9:53 AM in response to John Lockwood

John,
If I intentionally screw up the ldap_server address, I actually do get a bind error (LDAP bind failed.).
So, I think the plugin is binding to the server successfully. I also get a bind/connection error if I change the LDAP version to 2 instead of what it really is, 3.

I went ahead and tried your suggestions anyway, but I continue to get the same error.
Thanks for your suggestions so far.

Reply

Answer 3

Jun 3, 2008 2:23 AM in response to J R3

There are two important user accounts on an Open Directory server (three if you include 'root').

There is the local Administrator account (which you use to login to the server), and there is the Open Directory Administrator account (which you use in Workgroup Manager for example), these are different user names.

For LDAP operations you need to use the Open Directory Administrator account. The Apple documentation uses the example short (UID) name of 'diradmin' for this account.

For Squirrelmail if you are having to enter such a user name to bind then it would be the Open Directory Administrator you should use.

You are right to use LDAP v3. One other things occurs to me, it is possible to connect using plain ordinary LDAP, or LDAP encrypted using SSL. Check your Open Directory settings to see if you have made it a requirement to use SSL, if so you made need to adjust Squirrelmail, or alter Open Directory to allow plain unencrypted LDAP access.

Reply