jpooser | 26 Feb 22:08 2015

centos 7 php tls/ldaps not working

using centos 7 to connect to remote openldap server via LAM

selinux is in permissive mode

LAM host connects fine from command line using ldapwhoami and other ldap cli tools... ldap client config definitely ok on host, but php fails...

lam reports:

LDAP error, server says: (-1) Can't contact LDAP server

have followed all advice on this list about creating both:

/etc/ldap.conf as well as /etc/openldap/ldap.conf

specifying:
TLS_REQCERT never

pointing to certfile, certdir, etc., etc... .

a simple php test script (see below) returns:

PHP Warning:  ldap_start_tls(): Unable to start TLS: Can't contact LDAP server

this seems to be a more general php/ldaps issue rather than something 
specific to LAM... but any leads would be appreciated

--snip---

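A PHP diagnostic in the spirit of the snipped test script, added here as an example and not the poster's code: it exercises the ldap extension the way a web application would (StartTLS on 389, then LDAPS on 636) and prints libldap's diagnostic message, which says why the handshake failed where ldap_start_tls() only reports "Can't contact LDAP server". The host name and CA path are placeholders. The trust setup assumes a PHP build that defines LDAP_OPT_X_TLS_CACERTFILE (7.1 and later); on older builds it falls back to whatever TLS_CACERT says in /etc/openldap/ldap.conf. It verifies the server certificate rather than using TLS_REQCERT never, which switches that verification off.

```php
<?php
// Added PHP diagnostic, not the script from the post. Placeholders below must be
// adjusted to the local environment.
$host   = 'ldap.example.com';                   // placeholder: directory server
$caFile = '/etc/openldap/certs/ca-chain.pem';   // placeholder: CA that issued the server cert

// libldap keeps a longer explanation of the last failure (for TLS, the OpenSSL
// verify error) that ldap_error() does not show; LDAP_OPT_DIAGNOSTIC_MESSAGE
// exposes it on builds that define the constant.
function ldapFailure($conn)
{
    $detail = '';
    if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
        ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detail);
    }
    $msg = 'errno ' . ldap_errno($conn) . ': ' . ldap_error($conn);
    return ($detail !== '' && $detail !== null) ? $msg . ' [' . $detail . ']' : $msg;
}

// Verify the server certificate against our CA instead of switching verification
// off with TLS_REQCERT never. Global TLS options must be set before any
// connection is opened; on PHP < 7.1 the constants are missing and TLS_CACERT in
// /etc/openldap/ldap.conf (read by libldap) has to do this job instead.
function configureTrust($caFile)
{
    if (!defined('LDAP_OPT_X_TLS_CACERTFILE') || !defined('LDAP_OPT_X_TLS_REQUIRE_CERT')) {
        return 'TLS options not settable from this PHP; relying on /etc/openldap/ldap.conf';
    }
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    return 'CA file set to ' . $caFile . ', certificate verification demanded';
}

function openConnection($uri)
{
    $conn = ldap_connect($uri);   // parses the URI only; the socket is opened lazily
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    return $conn;
}

// StartTLS on the plain port: this is the call that fails in the post.
function checkStartTls($host)
{
    $conn = openConnection('ldap://' . $host . ':389');
    if (!@ldap_start_tls($conn)) {
        return 'StartTLS on ' . $host . ':389 failed: ' . ldapFailure($conn);
    }
    ldap_unbind($conn);
    return 'StartTLS on ' . $host . ':389 ok';
}

// LDAPS: an anonymous bind forces the TCP and TLS setup. errno -1
// (LDAP_SERVER_DOWN) means the connection or handshake failed; any other code
// is an answer from the server, so transport and certificate checks passed.
function checkLdaps($host)
{
    $conn = openConnection('ldaps://' . $host . ':636');
    if (!@ldap_bind($conn) && ldap_errno($conn) === -1) {
        return 'LDAPS on ' . $host . ':636 failed: ' . ldapFailure($conn);
    }
    $answer = ldap_error($conn);
    ldap_unbind($conn);
    return 'LDAPS on ' . $host . ':636 ok (server answered: ' . $answer . ')';
}

$uid = function_exists('posix_geteuid') ? posix_geteuid() : 'unknown (posix extension missing)';
echo 'effective uid: ', $uid, PHP_EOL;
echo 'CA file readable by this uid: ', is_readable($caFile) ? 'yes' : 'NO', PHP_EOL;
echo configureTrust($caFile), PHP_EOL;
echo checkStartTls($host), PHP_EOL;
echo checkLdaps($host), PHP_EOL;
```

Run it twice, once with the php CLI and once through httpd (placed in a test virtual host), since the post shows the CLI tools working while PHP under the web server does not. The two runs report the effective uid, whether the CA file is readable by that uid, and the diagnostic text, which is usually enough to tell a certificate-chain problem (unable to get local issuer certificate, hostname mismatch) from a connectivity one. SELinux in permissive mode still logs denials, so the audit log is worth reading alongside the web-server run.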

Elmopi, Stefano | 19 Feb 12:27 2015

Error on change password


Hi Roland,


I am continuing in this new email a discussion already started; I will try to clarify.

From the administrative panel of LAM, I click on the key icon (Change password), next to the name of the user, choose the options "Send via mail" under the section "Generate random password" and "Force password change" under the section "Password change options" and push the "Change password" button.

The email arrives to the user, the user clicks on the link and enters the password that was sent. At this point the panel shows only the fields for changing the password; the user enters the new password in compliance with all the requirements and pushes the "Save" button. At this point, on the panel, the following messages appear:


You are reusing an old password. Please choose a different password.

The operation was stopped because of the above errors.


But if the user logs out and then logs in again with the new password, they are able to log in without problems; the password change was successful.

These are the logs of the LDAP server when the "Save" button is pushed:


Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 fd=12 ACCEPT from IP=172.16.149.20:54788 (IP=0.0.0.0:389)
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=0 STARTTLS
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=0 RESULT oid= err=0 text=
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 fd=12 TLS established tls_ssf=128 ssf=128
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=1 BIND dn="uid=aa0560,ou=Interni,ou=Utenze,dc=sociale,dc=it" method=128
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=1 BIND dn="uid=aa0560,ou=Interni,ou=Utenze,dc=sociale,dc=it" mech=SIMPLE ssf=0
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=1 RESULT tag=97 err=0 text=
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=2 SRCH base="uid=aa0560,ou=Interni,ou=Utenze,dc=sociale,dc=it" scope=0 deref=0 filter="(objectClass=*)"
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=2 SRCH attr=* +
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=2 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=3 MOD dn="uid=aa0560,ou=Interni,ou=Utenze,dc=sociale,dc=it"
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=3 MOD attr=userPassword
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=3 RESULT tag=103 err=0 text=
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=4 SRCH base="uid=aa0560,ou=Interni,ou=Utenze,dc=sociale,dc=it" scope=0 deref=0 filter="(objectClass=*)"
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=4 SRCH attr=* +
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=5 SRCH base="uid=aa0560,ou=Interni,ou=Utenze,dc=sociale,dc=it" scope=0 deref=0 filter="(objectClass=*)"
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=5 SRCH attr=* +
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 op=6 UNBIND
Feb 19 12:11:25 ldpsoc01devpom slapd[25813]: conn=1081 fd=12 closed



Best Regards



Ing. Stefano Elmopi
Cooperativa Capodarco - Resp. Area ICT Gestione Esercizio
Via Ostiense 131/L Corpo B, 00154 Roma

cell. 3466147165
tel.  0657060500

email:stefano.elmopi-IenwjEANACOonA0d6jMUrA@public.gmane.org



"Pursuant to and for the purposes of the law on the protection of personal data (Legislative Decree 196/2003),
the information contained in this e-mail is of a confidential nature and intended
for company/work use, excluding use for personal purposes; as such,
it is therefore reserved exclusively for the recipients indicated above. It is forbidden to read,
copy, use or disseminate the content of this e-mail without authorisation.
If you have received this e-mail by mistake, please return it to the sender.
Thank you"
_______________________________________________
Lam-public mailing list
Lam-public@...
https://lists.sourceforge.net/lists/listinfo/lam-public
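As an added example (not from the post and not LAM code), the following PHP script rebuilds per-connection operation sequences from slapd log lines like those above and flags what a defender would look for in them: a simple bind sent before TLS was established (the password crosses the wire in clear), the err=50 "Operations are restricted to ..." result that OpenLDAP's password policy overlay returns while a pending password reset restricts the session (which is why the search right after the bind comes back with nentries=0), and a successful userPassword modification. The sample lines are constructed (host, DN and the second, non-TLS connection are made up), and the conn/op grouping is this example's own logic.

```php
<?php
// Constructed sample lines in slapd's stats log format; host, DNs and the second
// connection are invented for the example.
$sampleLog = <<<'LOG'
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 fd=12 ACCEPT from IP=172.16.149.20:54788 (IP=0.0.0.0:389)
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 op=0 STARTTLS
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 op=0 RESULT oid= err=0 text=
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 fd=12 TLS established tls_ssf=128 ssf=128
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 op=1 BIND dn="uid=jdoe,ou=People,dc=example,dc=org" method=128
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 op=1 BIND dn="uid=jdoe,ou=People,dc=example,dc=org" mech=SIMPLE ssf=0
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 op=1 RESULT tag=97 err=0 text=
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 op=2 SRCH base="uid=jdoe,ou=People,dc=example,dc=org" scope=0 deref=0 filter="(objectClass=*)"
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 op=2 SEARCH RESULT tag=101 err=50 nentries=0 text=Operations are restricted to bind/unbind/abandon/StartTLS/modify password
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 op=3 MOD dn="uid=jdoe,ou=People,dc=example,dc=org"
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 op=3 MOD attr=userPassword
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 op=3 RESULT tag=103 err=0 text=
Feb 19 12:11:25 ldaphost slapd[25813]: conn=1081 op=6 UNBIND
Feb 19 12:11:26 ldaphost slapd[25813]: conn=1082 fd=13 ACCEPT from IP=10.0.0.5:40000 (IP=0.0.0.0:389)
Feb 19 12:11:26 ldaphost slapd[25813]: conn=1082 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
Feb 19 12:11:26 ldaphost slapd[25813]: conn=1082 op=0 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE ssf=0
Feb 19 12:11:26 ldaphost slapd[25813]: conn=1082 op=0 RESULT tag=97 err=0 text=
Feb 19 12:11:26 ldaphost slapd[25813]: conn=1082 op=1 UNBIND
LOG;

// Group log lines by conn=N and, inside a connection, by op=N. Each op keeps
// its type, the bind DN/mechanism, modified attributes and the result code.
function parseSlapdLog($text)
{
    $conns = array();
    foreach (preg_split('/\R/', trim($text)) as $line) {
        if (!preg_match('/ conn=(\d+) (.+)$/', $line, $m)) {
            continue;   // not a connection-scoped line
        }
        $id   = (int) $m[1];
        $rest = $m[2];
        if (!isset($conns[$id])) {
            $conns[$id] = array('peer' => null, 'tls_ssf' => 0, 'ops' => array());
        }
        $c = &$conns[$id];
        if (preg_match('/^fd=\d+ ACCEPT from IP=(\S+)/', $rest, $a)) {
            $c['peer'] = $a[1];
        } elseif (preg_match('/^fd=\d+ TLS established tls_ssf=(\d+)/', $rest, $t)) {
            $c['tls_ssf'] = (int) $t[1];   // from here on the connection is encrypted
        } elseif (preg_match('/^op=(\d+) BIND dn="([^"]*)" mech=(\S+)/', $rest, $b)) {
            // Record whether TLS was already up when the bind credentials were sent.
            $c['ops'][(int) $b[1]] = array('type' => 'BIND', 'dn' => $b[2], 'mech' => $b[3],
                                           'tls_at_time' => $c['tls_ssf'] > 0);
        } elseif (preg_match('/^op=(\d+) (?:SEARCH )?RESULT .*?err=(\d+)(?: nentries=\d+)? text=(.*)$/', $rest, $r)) {
            $op = (int) $r[1];
            $c['ops'][$op]['err']  = (int) $r[2];
            $c['ops'][$op]['text'] = $r[3];
        } elseif (preg_match('/^op=(\d+) MOD attr=(\S+)/', $rest, $ma)) {
            $c['ops'][(int) $ma[1]]['attrs'][] = $ma[2];
        } elseif (preg_match('/^op=(\d+) ([A-Z]+)/', $rest, $o)) {
            $c['ops'][(int) $o[1]]['type'] = $o[2];   // EXT, STARTTLS, SRCH, MOD, UNBIND, ...
        }
        unset($c);
    }
    return $conns;
}

// Turn the grouped operations into findings a reviewer of the log would want.
function auditConnections($conns)
{
    $findings = array();
    foreach ($conns as $id => $c) {
        ksort($c['ops']);
        foreach ($c['ops'] as $op => $o) {
            $type = isset($o['type']) ? $o['type'] : '?';
            if ($type === 'BIND' && isset($o['mech']) && $o['mech'] === 'SIMPLE' && empty($o['tls_at_time'])) {
                $findings[] = sprintf('conn=%d op=%d: SIMPLE bind as "%s" from %s without TLS (password sent in clear)',
                    $id, $op, $o['dn'], $c['peer']);
            }
            // err=50 is insufficientAccessRights; with this text it comes from the
            // password policy overlay while a password reset is pending.
            if (isset($o['err']) && $o['err'] === 50 && stripos($o['text'], 'restricted to') !== false) {
                $findings[] = sprintf('conn=%d op=%d: %s refused with err=50 (pending password reset: only bind/unbind/StartTLS/password modify allowed)',
                    $id, $op, $type);
            }
            if ($type === 'MOD' && isset($o['attrs']) && in_array('userPassword', $o['attrs'], true)) {
                $findings[] = sprintf('conn=%d op=%d: userPassword modified (err=%d)',
                    $id, $op, isset($o['err']) ? $o['err'] : -1);
            }
        }
    }
    return $findings;
}

foreach (auditConnections(parseSlapdLog($sampleLog)) as $finding) {
    echo $finding, PHP_EOL;
}
```

On the sample this reports the restricted search on conn=1081 op=2, the password change on op=3, and the cleartext simple bind on conn=1082. Feeding it a real slapd log (loglevel stats) with the sample replaced by file_get_contents() is enough to spot clients that bind before StartTLS, which is exactly the kind of client misconfiguration the LAM TLS thread elsewhere on this page is about.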
Elmopi, Stefano | 19 Feb 12:23 2015

Force Reset Password


Hi Roland,

I am continuing in this new email a discussion already started; I will try to clarify.
From the administrative panel of LAM, within the personal panel of a user, I want to change its password.
I click on the button "Set password", a panel opens and I choose the options "Send via mail" and "Force password change"
and push the "Set random password" button.
The email arrives to the user, the user clicks on the link and enters the password that was sent.
At this point I would have expected that the panel presented only the fields to change the password, but it is not so.
Instead, still from the administrative panel of LAM, I click on the key icon (Change password), next to the name of the user,
choose the options "Send via mail" under the section "Generate random password" and "Force password change" under
the section "Password change options" and push the "Change password" button.
The email arrives to the user, the user clicks on the link and enters the password that was sent.
At this point the panel shows only the fields for changing the password, not user data.
Same process but with two different results.


Best Regards


Ing. Stefano Elmopi
Cooperativa Capodarco - Resp. Area ICT Gestione Esercizio
Via Ostiense 131/L Corpo B, 00154 Roma

cell. 3466147165
tel.  0657060500

email:stefano.elmopi-IenwjEANACOonA0d6jMUrA@public.gmane.org



PASCAL CASSAGNES | 10 Feb 13:38 2015

Change primary user group

Hi Roland,
When I change, from LAM Pro, the primary group of an already created user, the owner group of his /home/$user directory is not changed (lamdaemon script). This does not affect proper functioning but it would be cleaner and more consistent.
Is it possible to consider the fix in an upcoming version of lamdaemon?
Best regards
Pascal
Elmopi, Stefano | 5 Feb 12:28 2015

Same Problems

Hi,

I use LDAP Account Manager Pro 4.8 on CentOS 6.6 and in its use I encountered some problems that I briefly describe here, with some pictures attached:

- in the various panels where the date appears, I see it in the format 04.02.2015 16:56:41 GMT, while on the server I see it as
date
gio  5 feb 2015, 11.00.59, CET

and therefore one with GMT and the other with CET, which means an hour of difference in the timestamps of the operations.
In LDAP's attributes, the date is synchronized with the server. I cannot find the option to also synchronize the application.


- In the main panel, if I choose "Change password" (key icon) and then choose the options "Force password change" and "Send via mail" and go, everything is ok.
The email arrives with password and link. I click on the link and change my password, and I get the error as in the attached file.
But if I go out from "Edit self service" and return using the new password that gave me the error, I log in without problems.
Although there was an error, the password has been changed.

- Still on the change password: if in the main panel I go inside the user's panel with the edit icon, push the "Set password" button and choose the option "Force password change",
then this option will not work, users will not be forced to change their password.


Thanks for the support


Ing. Stefano Elmopi
Cooperativa Capodarco - Resp. Area ICT Gestione Esercizio
Via Ostiense 131/L Corpo B, 00154 Roma

cell. 3466147165
tel.  0657060500

email:stefano.elmopi-IenwjEANACOonA0d6jMUrA@public.gmane.org



Michael Stevens | 3 Feb 19:04 2015

Fatal error: Call to a member function getDN() on a non-object

After moving a uid between ou’s, e.g., from “ou=people” to “ou=disabled” in tree view, our
helpdesk person gets the following error:
Fatal error: Call to a member function getDN() on a non-object in
/usr/share/ldap-account-manager/templates/3rdParty/pla/lib/HTMLTree.php on line 573

The move is executed as expected. She experiences this behavior across browsers, every time she invokes
tree view until she logs out and back in, after which functionality is normative until such time as she
migrates another ou. The interesting thing here is that I am unable to reproduce this error, and we’re
both logging in as the only account we have configured for write access. We’re both using OS X clients,
I’ve documented the same (no error) behavior using Firefox, Safari, and Chrome, and she’s
experienced the same error using Firefox and Safari.

My best guess is that there must be file-based data someplace causing this to behave similarly across
browsers, but I’ve been unable to find anything obvious either client or server side. Any insight you
can provide would be appreciated.

Aside from the above issue, LAM is working well for us, much better than our previous LDAP management gui.  


Michael Stevens
michael.stevens <at> boku.com



the2nd | 13 Jan 16:27 2015

support for sasl authentication

hi list,

i've configured my openldap server to use sasl to authenticate users 
against OTPme (www.otpme.org).

for this it's needed that the user password (userPassword) is set to the
clear-text string "{SASL}username" (e.g. {SASL}joe).

is there an option in lam to set this? currently i use the "Tree view"
to set the user password to this value. but that's rather complicated as
the input field only shows asterisks.

it would be great to have a checkbox per user and globally to enable
sasl authentication.

regards
the2nd

Michael Stevens | 12 Jan 19:10 2015

object class 'ldapPublicKey' requires attribute 'sshPublicKey'

Is there someplace to configure a default value for the ssh public key? Anything, even “NO KEY” is fine,
I’d like to not have to do manual intervention in that field every time an account is created if there
isn’t a proper key value to include yet ...

Michael Stevens
michael.stevens@...

Anthony Martins | 26 Dec 17:21 2014

Unable to remove the old password

Hello,

I am currently experiencing an issue with LDAP Account Manager. I connect with my user cn=admin,dc=mydomain,dc=local. The problem is that I had to change the password of this user, but when I connect to LAM, the new password works and the former one still works too... I also do not understand! Knowing that if I use software like Apache Directory Studio, the old password does not work.
Why does LAM continue to accept my old password? And how can I delete it?

Thank you

--

Anthony MARTINS
Systems and network administrator

Groupe Allo-Média
6 bis rue des Graviers, 92200 Neuilly-sur-Seine

Office: 01.84.17.67.11
Mail: a.martins-OHnPlQhFIqkAs8EywTwl9A@public.gmane.org
www.groupe-allomedia.com

Christian Renardy | 19 Dec 11:07 2014

Session write problem

Hello everyone,
I just installed LAM on my Debian machine (running deb7, PHP 5.4.4 and Apache 2.2.22, ApacheDS).
Trying to configure server settings, passwords etc. is not working, with the following errors (PHP notice and warning);
the sess and tmp folders are owned by www-data and have 700 rights, and I do see sess****** files in there eventually.

[Fri Dec 19 10:56:32 2014] [error] [client xxx] PHP Notice:  A session had already been started - ignoring session_start() in /usr/share/ldap-account-manager/templates/config/mainlogin.php on line 42, referer: http://example.de/lam/templates/config/mainlogin.php
[Fri Dec 19 10:56:32 2014] [error] [client xxx] PHP Stack trace:, referer: http://example.de/lam/templates/config/mainlogin.php
[Fri Dec 19 10:56:32 2014] [error] [client xxx] PHP   1. {main}() /usr/share/ldap-account-manager/templates/config/mainmanage.php:0, referer: http://example.de/lam/templates/config/mainlogin.php
[Fri Dec 19 10:56:32 2014] [error] [client xxx] PHP   2. require() /usr/share/ldap-account-manager/templates/config/mainmanage.php:54, referer: http://example.de/lam/templates/config/mainlogin.php
[Fri Dec 19 10:56:32 2014] [error] [client xxx] PHP   3. session_start() /usr/share/ldap-account-manager/templates/config/mainlogin.php:42, referer: http://example.de/lam/templates/config/mainlogin.php
[Fri Dec 19 10:56:32 2014] [error] [client xxx] PHP Warning:  Unknown: open(../../sess/sess_te8anxxxxxxxxxx, O_RDWR) failed: No such file or directory (2) in Unknown on line 0, referer: http://example.de/lam/templates/config/mainlogin.php
[Fri Dec 19 10:56:32 2014] [error] [client xxx] PHP Stack trace:, referer: http://example.de/lam/templates/config/mainlogin.php
[Fri Dec 19 10:56:32 2014] [error] [client xxx] PHP   1. {main}() /usr/share/ldap-account-manager/templates/config/mainmanage.php:0, referer: http://example.de/lam/templates/config/mainlogin.php
[Fri Dec 19 10:56:32 2014] [error] [client xxx] PHP Warning:  Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/usr/share/ldap-account-manager/templates/config/../../sess) in Unknown on line 0, referer: http://example.de/lam/templates/config/mainlogin.php
[Fri Dec 19 10:56:32 2014] [error] [client xxx] PHP Stack trace:, referer: http://example.de/lam/templates/config/mainlogin.php
[Fri Dec 19 10:56:32 2014] [error] [client xxx] PHP   1. {main}() /usr/share/ldap-account-manager/templates/config/mainmanage.php:0, referer: http://example.de/lam/templates/config/mainlogin.php

Any ideas? Looks like some kind of locking error and no check whether the session is already set.

Happy holidays,
Chris
Guillaume Pierre | 8 Dec 10:09 2014

Lam does not recognize legitim Nginx user

Hi

I’m new to LAM, and I think it’s a great idea. I’m using a virtual machine (from the OS X VirtualBox binary) running Ubuntu 14.04.1 LTS.
But I have some concerns (actually there are 3 main issues, but I’ll do 3 different requests).

Here is the main problem I encounter:

I use Nginx as a web server. It is using the user « nginx » to launch child processes. Here is some info about that:

sudo lsof -nP -i | grep LISTEN
nginx     2997      root    6u  IPv4 134392      0t0  TCP *:80 (LISTEN)
nginx     2997      root    7u  IPv4 134393      0t0  TCP *:8080 (LISTEN)
nginx     2997      root    8u  IPv4 134394      0t0  TCP *:12345 (LISTEN)
nginx     2997      root    9u  IPv4 134395      0t0  TCP *:34567 (LISTEN)
nginx     2998     nginx    6u  IPv4 134392      0t0  TCP *:80 (LISTEN)
nginx     2998     nginx    7u  IPv4 134393      0t0  TCP *:8080 (LISTEN)
nginx     2998     nginx    8u  IPv4 134394      0t0  TCP *:12345 (LISTEN)
nginx     2998     nginx    9u  IPv4 134395      0t0  TCP *:34567 (LISTEN)

On the other hand, LAM is running but ONLY when everything is chmod 777 … which is not what I’m looking for, as you can expect.

First issue: if I omit to put 777 on var/sess/ and var/tmp/, I just CAN'T access anything. Here is a screenshot:



Second issue : if I do chmod 777 both files (var/sess/ and var/tmp/ ) I get an access, but many errors : 


Actually, there are A LOT of « Upgrade Failed » messages.
But, I have to say that I can connect to the BerkeleyDB through LDAP.
(I haven’t been able yet to set any data… LAM gives me strange alerts, and always complains about missing elements. But, as I’m a very newbie with LDAP, I don't know at this time if it's me or LAM that is at fault. I’ll see later.)

Anyway, if I chmod 777 the whole LAM directory, every error suddenly disappears...

Does anyone have an idea on how I can tell LAM that the nginx user, who owns the LAM files, IS actually the legitimate web server user?

Thank you.
