Author Topic: Roundcube change password with Active Directory

Offline svasi

  • Newbie
  • Posts: 7
Roundcube change password with Active Directory
« on: October 04, 2012, 02:39:27 PM »
Hi all.
I'm losing my mind trying to get things done.
I'm using a W2008 AD to store mail users' information.
I'm in trouble using the change password plugin.

My config.inc.php (only the LDAP section):

Code: [Select]
$rcmail_config['password_ldap_host'] = '192.168.0.109';
$rcmail_config['password_ldap_port'] = '389';
$rcmail_config['password_ldap_starttls'] = false;
$rcmail_config['password_ldap_version'] = '3';
$rcmail_config['password_ldap_basedn'] = 'cn=Users,dc=domain,dc=it';
$rcmail_config['password_ldap_method'] = 'admin';
$rcmail_config['password_ldap_adminDN'] = 'cn=Administrator,cn=Users,dc=domain,dc=it';
$rcmail_config['password_ldap_adminPW'] = 'secretPwd';
$rcmail_config['password_ldap_userDN_mask'] = 'userPrincipalName=%login,cn=Users,dc=domain,dc=it';
$rcmail_config['password_ldap_searchDN'] = null;
$rcmail_config['password_ldap_searchPW'] = null;
$rcmail_config['password_ldap_search_base'] = 'cn=Users,dc=domain,dc=it';
$rcmail_config['password_ldap_search_filter'] = '(&(objectclass=user)(userPrincipalName=*))';
$rcmail_config['password_ldap_encodage'] = 'clear';
$rcmail_config['password_ldap_pwattr'] = 'userPassword';
$rcmail_config['password_ldap_force_replace'] = true;
$rcmail_config['password_ldap_lchattr'] = '';

When I try to change the password, syslog says:

Code: [Select]
Oct  4 20:25:25 webmail roundcube: Could not fetch entry userPrincipalName=user@domain.it,cn=Users,dc=domain,dc=it: no entry found:  (1000):

In AD the userPrincipalName contains exactly the user@domain.it

The only way to write the userPassword LDAP field is to set

Code: [Select]
$rcmail_config['password_ldap_userDN_mask'] = 'cn=User Name,cn=Users,dc=domain,dc=it';

Is there a way to change the logged in user password in AD?
I've tried to google around but with no luck

Any help is appreciated

KR
Stefano

Offline Yoni

  • Full Member
Re: Roundcube change password with Active Directory
« Reply #1 on: October 04, 2012, 09:31:53 PM »
I believe LDAP over SSL is required in order to be able to change passwords in Active Directory. Do some research.

Offline svasi

  • Newbie
  • Posts: 7
Re: Roundcube change password with Active Directory
« Reply #2 on: October 05, 2012, 10:12:56 AM »
Hi Yoni.

I've configured AD with SSL (with a CA-signed certificate installed).
I did a test with a Windows tool to read the rootDSE and it worked.
So I went back to the Roundcube configuration, setting:

Code: [Select]
$rcmail_config['password_ldap_host'] = '192.168.0.109';
$rcmail_config['password_ldap_port'] = '636';
$rcmail_config['password_ldap_starttls'] = true;
$rcmail_config['password_ldap_version'] = '3';
$rcmail_config['password_ldap_basedn'] = 'cn=Users,dc=domain,dc=it';
$rcmail_config['password_ldap_method'] = 'admin';
$rcmail_config['password_ldap_adminDN'] = 'cn=Administrator,cn=Users,dc=domain,dc=it';
$rcmail_config['password_ldap_adminPW'] = 'secretPwd';
$rcmail_config['password_ldap_userDN_mask'] = 'userPrincipalName=%login,cn=Users,dc=domain,dc=it';
$rcmail_config['password_ldap_searchDN'] = null;
$rcmail_config['password_ldap_searchPW'] = null;
$rcmail_config['password_ldap_search_base'] = 'cn=Users,dc=domain,dc=it';
$rcmail_config['password_ldap_search_filter'] = '(&(objectclass=user)(userPrincipalName=*))';
$rcmail_config['password_ldap_encodage'] = 'crypt';
$rcmail_config['password_ldap_pwattr'] = 'userPassword';
$rcmail_config['password_ldap_force_replace'] = true;
$rcmail_config['password_ldap_lchattr'] = '';

but when I try to change the password from the plugin, I receive in syslog:

Code: [Select]
Oct  5 16:07:03 webmail roundcube: Unknown Net_LDAP2 Error (-1)#012Parameters:#012Base: #012Filter: (objectClass=*)#012Scope: base: Unknown Net_LDAP2 Error (-1) (-1):
Oct  5 16:07:03 webmail roundcube:Unable to fetch rootDSE entry to see if TLS is supoported: Unknown Net_LDAP2 Error (-1)#012Parameters:#012Base: #012Filter: (objectClass=*)#012Scope: base: Unknown Net_LDAP2 Error (-1): Unknown Net_LDAP2 Error (-1) (-1):

As I told you, I'm able to see the rootDSE from a Windows machine binding to the same AD (but the tool didn't ask me to bind with a username and password).

I've also tried the 'user' ldap_method with no success.

Did I miss something? I'm not able to find any help on the internet, even trying....
« Last Edit: October 05, 2012, 11:52:32 AM by svasi »

Offline Yoni

  • Full Member
Re: Roundcube change password with Active Directory
« Reply #3 on: October 05, 2012, 05:37:12 PM »
Set 'use_tls' => false,

and try again.

Offline svasi

  • Newbie
  • Posts: 7
Re: Roundcube change password with Active Directory
« Reply #4 on: October 06, 2012, 06:05:59 AM »
I've tried to set it in main.inc.php, because in the plugin's config.inc.php that parameter wasn't available, but with no luck.
Then I've tried to add this line, just to try, in config.inc.php:
Code: [Select]
$rcmail_config['use_tls'] = true;

but nothing has changed.

So I've set password_ldap_starttls to false and, as expected, the plugin said:

Code: [Select]
Oct  6 12:00:07 webmail roundcube: Bind failed: Can't contact LDAP server: Unknown Net_LDAP2 Error (-1) (-1):

I'm seriously thinking of abandoning AD for an OpenLDAP configuration :o

Any other idea?

Thanks

Offline Yoni

  • Full Member
Re: Roundcube change password with Active Directory
« Reply #5 on: October 07, 2012, 07:45:41 PM »
Did you try...
Code: [Select]
$rcmail_config['use_tls'] = false;
without any other modification?

Offline svasi

  • Newbie
  • Posts: 7
Re: Roundcube change password with Active Directory
« Reply #6 on: October 08, 2012, 05:18:27 AM »
Hi, sorry for the late reply.

Yes I did, but with no luck. Even using
Code: [Select]
$rcmail_config['use_tls'] = false;
or
Code: [Select]
$rcmail_config['use_tls'] = true;
the syslog answer doesn't change and remains:

Code: [Select]
Oct  8 10:43:23 webmail roundcube: Unknown Net_LDAP2 Error (-1)#012Parameters:#012Base: #012Filter: (objectClass=*)#012Scope: base: Unknown Net_LDAP2 Error (-1) (-1):
Oct  8 10:43:23 webmail roundcube: Unable to fetch rootDSE entry to see if TLS is supoported: Unknown Net_LDAP2 Error (-1)#012Parameters:#012Base: #012Filter: (objectClass=*)#012Scope: base: Unknown Net_LDAP2 Error (-1): Unknown Net_LDAP2 Error (-1) (-1):



I've then tried to reinstall everything on a second machine, so I have two Roundcube setups, and configured an LDAP (no SSL!) connection to my AD, only for testing purposes, using:

Code: [Select]
$rcmail_config['password_ldap_userDN_mask'] = 'cn=Name Surname,cn=Users,dc=domain,dc=it';
instead of

Code: [Select]
$rcmail_config['password_ldap_userDN_mask'] = 'userPrincipalName=%login,cn=Users,dc=domain,dc=it';

With this configuration the password plugin works and the userPassword attribute is changed.


Configuring

Code: [Select]
$rcmail_config['password_ldap_userDN_mask'] = 'userPrincipalName=%login,cn=Users,dc=domain,dc=it';
the answer on syslog is:

Code: [Select]
Oct  8 10:54:16 webmail roundcube: Could not fetch entry userPrincipalName=user@domain.it,cn=Users,dc=domain,dc=it: no entry found:  (1000):


So it seems that using a DN mask on the userPrincipalName attribute doesn't work (on my AD the userPrincipalName contains exactly the user@domain.it string).

While trying to solve the problems with the SSL configuration, I can accept the working solution without SSL.

I've also tried to look at the code, but it seems Greek to me...

Any suggestion?

Thanks

Offline svasi

  • Newbie
  • Posts: 7
Re: Roundcube change password with Active Directory
« Reply #7 on: October 11, 2012, 02:50:50 PM »
Can anyone help?

Offline svasi

  • Newbie
  • Posts: 7
Re: Roundcube change password with Active Directory
« Reply #8 on: October 11, 2012, 04:24:48 PM »
Just changed something... a step away from the solution, maybe.

Set:

Code: [Select]
$rcmail_config['password_ldap_userDN_mask'] = 'cn=Users,dc=domain,dc=it';

and had on syslog:

Code: [Select]
Oct 11 22:18:48 webmail roundcube: Could not replace attribute userPassword values: Object class violation: LDAP_OBJECT_CLASS_VIOLATION (65):


Offline wqweto

  • Newbie
  • Posts: 1
Re: Roundcube change password with Active Directory
« Reply #9 on: September 21, 2013, 04:14:59 PM »
First you have to install an SSL certificate on the DC for LDAPS to use TLS. I'm using the same genuine SSL certificate that we use for our web servers (a wildcard SSL certificate for *.mydomain.com) but you can use a self-signed one (search for a KB with instructions).

On the DC start mmc.exe, add the Certificates snap-in (Ctrl+M) for Service account on Local machine. Choose Active Directory Domain Services as the service account to manage and import the .pfx/.p12 file into the Personal folder. This imports your SSL certificate, the intermediate CA and the root CA all at once, as they will be bundled in the SSL negotiation. No DC restart is required at this point for the certificate to be automagically recognized by LDAPS. You can use `ldp.exe` to test connecting to the DC w/ SSL (port 636) and w/o SSL (port 389). Just make sure the FQDN (as per the SSL certificate) is in your hosts file and use this FQDN for SSL connections.

Here is my plugins/password/config.inc.php with comments on relevant entries:

Code: [Select]
// You can use 'ldap' driver here too but it depends on LDAP2 from PEAR (usually installed in /usr/share/php/Net/LDAP2)
$rcmail_config['password_driver'] = 'ldap_simple';
...
// Notice the LDAPS protocol here and FQDN as per SSL certificate. Just add www.mydomain.com in /etc/hosts if DC is located in DMZ
$rcmail_config['password_ldap_host'] = 'ldaps://www.mydomain.com';
// Not default port 389 because AD insists on using the encrypted (and deprecated) LDAPS protocol on port 636 for password modifications
$rcmail_config['password_ldap_port'] = '636';
// AD does not support LDAP w/ start tls at all (start tls is usually performed on port 389)
$rcmail_config['password_ldap_starttls'] = false;
$rcmail_config['password_ldap_version'] = '3'; // default
$rcmail_config['password_ldap_basedn'] = 'dc=MyDomain,dc=local';
// Cannot use 'user', because password's plugin 'ldap/ldap_simple' drivers are using `ldap_modify` and normal AD users don't have
// permissions to 'replace' their password, only admins can 'replace' anybody's password. Here is an explanation in `ldap_modify` user
// submitted docs: "Using this function to 'replace' an Active Directory password requires the "Reset Password" security permission as
// opposed to the "Change Password" permission (which is assigned by default to SELF)"
$rcmail_config['password_ldap_method'] = 'admin';
// MyDomain\ad_admin is in BUILTIN\Administrators group on the DC (could be in MyDomain\Domain Guest too if used only for LDAP access)
$rcmail_config['password_ldap_adminDN'] = 'ad_admin';
$rcmail_config['password_ldap_adminPW'] = 'password';
// This has to be commented out for the password_ldap_searchXxx settings to be used
//$rcmail_config['password_ldap_userDN_mask'] = '';
$rcmail_config['password_ldap_searchDN'] = 'ad_admin';
$rcmail_config['password_ldap_searchPW'] = 'password';
$rcmail_config['password_ldap_search_base'] = 'dc=MyDomain,dc=local';
// This searches domain users by email (on General tab on User Properties in ADUC) and list of URLs (on General tab too). Handy
// if an AD user can have several emails defined. Remove (url=%login) part if not needed.
$rcmail_config['password_ldap_search_filter'] = '(&(|(mail=%login)(url=%login))(objectClass=user)(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';
// Custom AD "encryption" -- it just adds quotes around the string and converts to unicode (see below for code)
$rcmail_config['password_ldap_encodage'] = 'adir';
// This is not the default 'userPassword'
$rcmail_config['password_ldap_pwattr'] = 'unicodePwd';
$rcmail_config['password_ldap_force_replace'] = true; // default
$rcmail_config['password_ldap_lchattr'] = ''; // default
$rcmail_config['password_ldap_samba_pwattr'] = ''; // default
$rcmail_config['password_ldap_samba_lchattr'] = ''; // default

Here is the implementation of the 'adir' password encodage in plugins/password/drivers/ldap_simple.php. You have to insert this snippet at line ~250, before case 'clear' in the hash_password function:

Code: [Select]
        case 'adir':
            $crypted_password = rcube_charset_convert('"' . $password_clear . '"', RCMAIL_CHARSET, 'UTF-16LE');
            break;

Here is the same fix for plugins/password/drivers/ldap.php (variable names are camel-cased), which will be needed if using the 'ldap' driver above:

Code: [Select]
        case 'adir':
            $cryptedPassword = rcube_charset_convert('"' . $passwordClear . '"', RCMAIL_CHARSET, 'UTF-16LE');
            break;

Edit: This one got fixed already and will probably be included in 1.0-beta.

The encodage is just 'ad'; no driver source code modifications are needed anymore.

cheers,
</wqw>
« Last Edit: September 23, 2013, 06:57:13 AM by wqweto »
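The post above contrasts an administrative password reset (the plugin's 'admin' method, which needs the "Reset Password" right) with a user's own change (the "Change Password" right granted to SELF), and introduces the quoted UTF-16LE encoding of unicodePwd. The following is an added example, not Roundcube's or wqweto's code: it builds the unicodePwd value and the two LDAP modify shapes AD expects for each case. The change-list layout and the MODIFY_* strings follow the ldap3 library's Connection.modify() convention (an assumption about the client you would feed them to; ldap3 itself is not imported here so the block runs offline).

```python
"""AD password write helpers: unicodePwd encoding plus the two modify shapes
(admin reset = REPLACE, self-service change = DELETE old + ADD new).
Added example, not Roundcube code.  The change-list layout mirrors ldap3's
Connection.modify(dn, {attr: [(op, [values])]}); the constants below equal the
strings ldap3 uses, so the dicts can be handed to it as-is (assumption)."""

MODIFY_ADD = "MODIFY_ADD"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"


def encode_unicode_pwd(password: str) -> bytes:
    """unicodePwd syntax: the cleartext wrapped in double quotes, UTF-16LE, no BOM.
    This is exactly what the plugin's 'ad' (formerly 'adir') encodage produces."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(blob: bytes) -> str:
    """Inverse of encode_unicode_pwd, handy when inspecting what a driver sent."""
    text = blob.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted string")
    return text[1:-1]


def reset_password_mods(new_password: str) -> dict:
    """Administrative reset: one REPLACE of unicodePwd.  Requires the
    'Reset Password' control-access right on the target object, which is why
    the plugin's 'admin' method binds with a privileged account."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}


def change_password_mods(old_password: str, new_password: str) -> dict:
    """Self-service change: DELETE the old value and ADD the new one inside a
    single modify request.  AD verifies the old value and applies password
    policy; only 'Change Password' (granted to SELF by default) is needed, so
    no privileged credentials have to live in the webmail configuration."""
    return {
        "unicodePwd": [
            (MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
            (MODIFY_ADD, [encode_unicode_pwd(new_password)]),
        ]
    }


if __name__ == "__main__":
    # Demo with constructed passwords; AD additionally requires the connection
    # carrying these modifies to be encrypted (LDAPS), or it rejects the write.
    print(encode_unicode_pwd("Passw0rd!").hex())
    print(reset_password_mods("N3wPassw0rd!"))
    print(change_password_mods("Old1!", "N3wPassw0rd!"))
```

Either dict can be passed straight to an LDAPS-bound ldap3 connection's modify() together with the user's DN; sending the self-service variant over a cleartext bind is rejected by AD, which matches the symptoms reported earlier in the thread.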

Offline jsilva

  • Newbie
  • Posts: 1
Re: Roundcube change password with Active Directory
« Reply #10 on: November 14, 2013, 07:25:14 AM »
First of all I want to thank "wqweto" for his reply. This solution almost saved my day.

I also want to make my contribution to the final solution, because there is a little problem that makes the code fail if you try to perform searches from the top of the directory (i.e. "dc=Mydomain,dc=local") on Windows 2003 Server Active Directory or above. It seems that you have to set the LDAP_OPT_REFERRALS option to 0.

To do so, you need to insert the following PHP code in "ldap_simple.php", line ~135, method "search_userdn", before the "ldap_search" call:

Code: [Select]
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

Also, to avoid using the method 'admin' for $rcmail_config['password_ldap_method'] and use $rcmail_config['password_ldap_method']='user' instead, which avoids supplying privileged credentials to the script, it's possible to give MS AD users the correct rights to "Reset Passwords".

One possible way is:

1) Run "Active Directory Users and Computers";
2) Choose the LDAP base entry you want to change (i.e. top domain) and on the context menu (right mouse button) choose "Delegate control";
3) On the Wizard add AD object "SELF";
4) Give permissions "Reset users passwords and force change at next logon".

Sorry for my English, and thanks a lot again,

  Jose Silva
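The two posts above build the user lookup out of a filter with %login substituted in, and rely on the bitwise-AND matching rule to skip disabled accounts. The following is an added example, not Roundcube's or either poster's code: it assembles that filter with RFC 4515 escaping of the substituted login (so a crafted login cannot rewrite the filter), decodes the userAccountControl bit the filter tests, and enforces the single-entry rule a password driver needs before it modifies anything. Referral handling cannot be shown offline; with python-ldap it is `ldap.OPT_REFERRALS` set to 0 as posted, with ldap3 `auto_referrals=False` on the Connection. The login strings used are constructed test data.

```python
"""Search-step helpers for an AD password driver: RFC 4515 filter escaping,
the userAccountControl disabled bit, and the exactly-one-entry check.
Added example, not Roundcube code; filter shape mirrors the posted one."""

# RFC 4515 s.3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

UF_ACCOUNTDISABLE = 0x0002                             # userAccountControl bit
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND rule


def escape_filter_value(value: str) -> str:
    """Escape a value before substituting it into a filter.  A login such as
    '*)(objectClass=*' would otherwise change the filter's meaning (LDAP
    filter injection) instead of being matched as a literal string."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(login: str, match_url: bool = False) -> str:
    """Enabled person accounts whose mail (optionally url) equals the login.
    Single-pass mapping means the backslash is never double-escaped."""
    login_esc = escape_filter_value(login)
    ident = f"(mail={login_esc})"
    if match_url:
        ident = f"(|(mail={login_esc})(url={login_esc}))"
    return (
        f"(&{ident}(objectClass=user)(objectCategory=Person)"
        f"(!(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={UF_ACCOUNTDISABLE})))"
    )


def is_disabled(user_account_control: int) -> bool:
    """Client-side twin of the bitwise-AND clause: True for a disabled account.
    512 is a plain NORMAL_ACCOUNT, 514 the same account disabled."""
    return bool(user_account_control & UF_ACCOUNTDISABLE)


def expect_single_entry(entries: list) -> dict:
    """A password driver must resolve exactly one DN before writing.  Zero hits
    (wrong base, referral not chased) or several (two accounts sharing a mail
    value) must abort rather than modify the first thing that came back."""
    if len(entries) != 1:
        raise LookupError(f"expected exactly one entry, got {len(entries)}")
    return entries[0]


if __name__ == "__main__":
    print(build_search_filter("user@domain.it", match_url=True))
    print(build_search_filter("*)(objectClass=*"))   # injection attempt, neutralised
    print(is_disabled(514), is_disabled(512))
```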

 



Offline ronsonblossom

  • Newbie
  • Posts: 2
Re: Roundcube change password with Active Directory
« Reply #11 on: December 24, 2013, 07:12:36 AM »
I configured the password plugin to reset AD-integrated Roundcube user passwords. But when resetting a password, Roundcube webmail shows "Successfully saved" and the log file says "Password changed for user".

But it is not actually changed. What could be the issue?
Is there a way to see the query sent from Roundcube to the AD server for resetting the password?

My password config file hardcoded section is below:

Code: [Select]
$rcmail_config['password_ldap_host'] = "10.0.0.4";
$rcmail_config['password_ldap_port'] = "389";
$rcmail_config['password_ldap_starttls'] = false;
$rcmail_config['password_ldap_version'] = "3";
$rcmail_config['password_ldap_basedn'] = "OU=WebMailUsers,DC=domain2,DC=domain2,DC=loc";
$rcmail_config['password_ldap_method'] = "admin";
$rcmail_config['password_ldap_adminDN'] = "mailuser1";
$rcmail_config['password_ldap_adminPW'] = "xxx";
$rcmail_config['password_ldap_searchDN'] = 'mailuser1';
$rcmail_config['password_ldap_searchPW'] = 'xxx';
$rcmail_config['password_ldap_search_base'] = 'OU=WebMailUsers,DC=domain2,DC=domain2,DC=loc';
$rcmail_config['password_ldap_search_filter'] = '(mail=%login)';
$rcmail_config['password_ldap_encodage'] = "crypt";
$rcmail_config['password_ldap_pwattr'] = "userPassword";
$rcmail_config['password_ldap_force_replace'] = true;
$rcmail_config['password_ldap_lchattr'] = "";
$rcmail_config['password_ldap_samba_pwattr'] = '';
$rcmail_config['password_ldap_samba_lchattr'] = '';

Can you see anything I missed ?

Many Thanks,
Ronson
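The thread as a whole converges on a handful of settings AD needs from this plugin: the write must target unicodePwd with the 'ad' encodage, the connection must be LDAPS (not StartTLS on 636, not cleartext on 389), the LDAPS host should be the certificate's FQDN rather than an IP, and a userDN mask on userPrincipalName cannot resolve because it is not an RDN. The following is an added example, not Roundcube code, that audits a configuration against those points; the config is a Python dict keyed like the $rcmail_config entries, and the three sample configs are constructed from the posts above (the Oct 5 attempt, the Sep 2013 working one, and the Dec 2013 one with the silent failure), with credentials as placeholders.

```python
"""Audit a Roundcube password-plugin LDAP config for Active Directory.
Added example, not Roundcube code.  Keys match the $rcmail_config entries
used in this thread; values are the PHP values as Python types."""


def audit_ad_password_config(cfg: dict) -> list:
    """Return a list of findings; an empty list means the AD-relevant settings
    match what the thread established works."""
    findings = []
    host = str(cfg.get("password_ldap_host", "")).lower()
    port = int(cfg.get("password_ldap_port", 389))
    starttls = bool(cfg.get("password_ldap_starttls", False))
    ldaps = host.startswith("ldaps://") or port == 636

    if not ldaps:
        findings.append("transport: AD rejects unicodePwd writes over cleartext; "
                        "use ldaps://<fqdn> on port 636")
    if ldaps and starttls:
        findings.append("transport: StartTLS on an LDAPS port breaks the handshake "
                        "(the 'Unknown Net_LDAP2 Error (-1)' seen above); "
                        "set password_ldap_starttls = false")
    bare_host = host.split("://", 1)[-1]
    if ldaps and bare_host.replace(".", "").isdigit():
        findings.append("transport: LDAPS host is an IP address; use the FQDN the "
                        "server certificate was issued for so it can be verified")
    if cfg.get("password_ldap_pwattr") != "unicodePwd":
        findings.append("pwattr: AD does not use userPassword for logon by default; "
                        "write unicodePwd (writes to userPassword 'succeed' but change nothing)")
    if cfg.get("password_ldap_encodage") != "ad":
        findings.append("encodage: unicodePwd must be the quoted UTF-16LE cleartext ('ad'), "
                        "not a crypt/clear hash")
    mask = cfg.get("password_ldap_userDN_mask") or ""
    if "userprincipalname=" in mask.lower():
        findings.append("userDN_mask: userPrincipalName is an attribute, not an RDN; leave "
                        "the mask unset and resolve the DN via password_ldap_search_*")
    if cfg.get("password_ldap_method") == "admin" and not cfg.get("password_ldap_adminPW"):
        findings.append("method: 'admin' needs password_ldap_adminDN/adminPW")
    return findings


# Constructed from the thread; credentials are placeholders.
CONFIG_OCT5 = {
    "password_ldap_host": "192.168.0.109", "password_ldap_port": "636",
    "password_ldap_starttls": True, "password_ldap_method": "admin",
    "password_ldap_adminDN": "cn=Administrator,cn=Users,dc=domain,dc=it",
    "password_ldap_adminPW": "secretPwd",
    "password_ldap_userDN_mask": "userPrincipalName=%login,cn=Users,dc=domain,dc=it",
    "password_ldap_encodage": "crypt", "password_ldap_pwattr": "userPassword",
}
CONFIG_WORKING = {
    "password_ldap_host": "ldaps://www.mydomain.com", "password_ldap_port": "636",
    "password_ldap_starttls": False, "password_ldap_method": "admin",
    "password_ldap_adminDN": "ad_admin", "password_ldap_adminPW": "password",
    "password_ldap_encodage": "ad", "password_ldap_pwattr": "unicodePwd",
}
CONFIG_DEC = {
    "password_ldap_host": "10.0.0.4", "password_ldap_port": "389",
    "password_ldap_starttls": False, "password_ldap_method": "admin",
    "password_ldap_adminDN": "mailuser1", "password_ldap_adminPW": "xxx",
    "password_ldap_encodage": "crypt", "password_ldap_pwattr": "userPassword",
}

if __name__ == "__main__":
    for name, cfg in (("oct5", CONFIG_OCT5), ("working", CONFIG_WORKING), ("dec", CONFIG_DEC)):
        print(name, audit_ad_password_config(cfg) or "OK")
```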