Author Topic: Active Directory (Samba 4) password change does not work  (Read 1785 times)

Active Directory (Samba 4) password change does not work
« on: February 08, 2023, 01:55:35 AM »
Hello
I tried to set up the password plugin to let the users change their passwords in Active Directory (Samba 4).
Everything is done according to the README in the plugin/password directory.
Here are the relevant settings from the config.inc.php:
Code:
mail root /var/www/roundcubemail/plugins/password # grep \$config config.inc.php
$config['password_driver'] = 'ldap';
$config['password_strength_driver'] = 'ldap';
$config['password_confirm_current'] = true;
$config['password_minimum_length'] = 8;
$config['password_minimum_score'] = 3;
$config['password_log'] = true;
$config['password_login_exceptions'] = null;
$config['password_hosts'] = null;
$config['password_force_save'] = false;
$config['password_force_new_user'] = false;
$config['password_algorithm'] = 'ad';
$config['password_algorithm_prefix'] = '';
$config['password_blowfish_cost'] = 12;
$config['password_disabled'] = false;
$config['password_username_format'] = '%u';
$config['password_http_client'] = [];
$config['password_ldap_host'] = 'addc.somedomain.org';
$config['password_ldap_port'] = '389';
$config['password_ldap_starttls'] = true;
$config['password_ldap_version'] = '3';
$config['password_ldap_basedn'] = 'dc=somedomain,dc=org';
$config['password_ldap_method'] = 'user';
$config['password_ldap_adminDN'] = null;
$config['password_ldap_adminPW'] = null;
$config['password_ldap_searchDN'] = 'CN=roundcube,OU=serviceaccounts,DC=somedomain,dc=org';
$config['password_ldap_searchPW'] = 'Qwerty123';
$config['password_ldap_search_base'] = 'dc=somedomain,dc=org';
$config['password_ldap_search_filter'] = '(&(objectCategory=Person)(mail=%u))';
$config['password_ldap_encodage'] = 'ad';
$config['password_ldap_pwattr'] = 'userPassword';
$config['password_ldap_force_replace'] = true;
$config['password_ldap_lchattr'] = 'PwdLastSet';
$config['password_ldap_samba_pwattr'] = '';
$config['password_ldap_samba_lchattr'] = '';
$config['password_ldap_ppolicy_cmd'] = 'change_ldap_pass.pl';
$config['password_ldap_ppolicy_uri'] = 'ldaps://addc.somedomain.org:636/';
$config['password_ldap_ppolicy_basedn'] = 'dc=somedomain,dc=org';
$config['password_ldap_ppolicy_searchDN'] = 'CN=roundcube,OU=serviceaccounts,DC=somedomain,dc=org';
$config['password_ldap_ppolicy_searchPW'] = 'Qwerty123';
$config['password_ldap_ppolicy_search_filter'] = '(&(objectCategory=Person)(mail=%u))';
$config['password_ldap_ppolicy_cafile'] = '/etc/ssl/cacert.crt';

With these settings when I try to change a user's password I see the following in the logs:
Code:
[08-Feb-2023 06:11:53 +0000]: <03idv666> PHP Error: LDAP_OPERATIONS_ERROR
Parameters:
Base: CN=Aggregate,CN=Schema,CN=Configuration,dc=somedomain,dc=org
Filter: (objectClass=*)
Scope: base: LDAP_OPERATIONS_ERROR (POST /?_task=settings&_action=plugin.password-save)
[08-Feb-2023 06:11:53 +0000]: <03idv666> PHP Error: Could not fetch Subschema entry: LDAP_OPERATIONS_ERROR
Parameters:
Base: CN=Aggregate,CN=Schema,CN=Configuration,dc=somedomain,dc=org
Filter: (objectClass=*)
Scope: base: LDAP_OPERATIONS_ERROR (POST /?_task=settings&_action=plugin.password-save)
[08-Feb-2023 06:11:53 UTC] PHP Fatal error:  Uncaught TypeError: in_array(): Argument #2 ($haystack) must be of type array, string given in /roundcubemail-1.5.3/vendor/pear/net_ldap2/Net/LDAP2.php:640
Stack trace:
#0 /roundcubemail-1.5.3/vendor/pear/net_ldap2/Net/LDAP2.php(640): in_array()
#1 /roundcubemail-1.5.3/vendor/pear/net_ldap2/Net/LDAP2.php(444): Net_LDAP2->startTLS()
#2 /roundcubemail-1.5.3/vendor/pear/net_ldap2/Net/LDAP2.php(339): Net_LDAP2->performConnect()
#3 /roundcubemail-1.5.3/vendor/pear/net_ldap2/Net/LDAP2.php(207): Net_LDAP2->bind()
#4 /roundcubemail-1.5.3/plugins/password/drivers/ldap.php(177): Net_LDAP2::connect()
#5 /roundcubemail-1.5.3/plugins/password/drivers/ldap.php(44): rcube_ldap_password->search_userdn()
#6 /roundcubemail-1.5.3/plugins/password/password.php(393): rcube_ldap_password->save()
#7 /roundcubemail-1.5.3/plugins/password/password.php(183): password->_save()
#8 /roundcubemail-1.5.3/program/lib/Roundcube/rcube_plugin_api.php(573): password->password_save()
#9 /roundcubemail-1.5.3/program/include/rcmail.php(248): rcube_plugin_api->exec_action()
#10 /roundcubemail-1.5.3/index.php(283): rcmail->action_handler()
#11 {main}
  thrown in /roundcubemail-1.5.3/vendor/pear/net_ldap2/Net/LDAP2.php on line 640

Here is the ldapsearch output where I tried to request data under the base "CN=Aggregate,CN=Schema,CN=Configuration,dc=somedomain,dc=org" if this is relevant:
Code:
mail root ~ # ldapsearch -s sub -ZZb CN=Aggregate,CN=Schema,CN=Configuration,dc=somedomain,dc=org -W -D roundcube@somedomain.org -H ldap://addc.somedomain.org
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <CN=Aggregate,CN=Schema,CN=Configuration,dc=somedomain,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# Aggregate, Schema, Configuration, somedomain.org
dn: CN=Aggregate,CN=Schema,CN=Configuration,dc=somedomain,dc=org
objectClass: top
objectClass: subSchema
cn: Aggregate
instanceType: 4
whenCreated: 20230203043525.0Z
whenChanged: 20230203043525.0Z
uSNCreated: 2011
uSNChanged: 2011
showInAdvancedViewOnly: FALSE
name: Aggregate
objectGUID:: pKcWnwUykkOVdnz+dMMiLQ==
systemFlags: 134217728
objectCategory: CN=SubSchema,CN=Schema,CN=Configuration,dc=somedomain,dc=org
distinguishedName: CN=Aggregate,CN=Schema,CN=Configuration,dc=somedomain,dc=org

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

If I change the driver to ldap_simple or ldap_exop and try to change the password, there is just nothing in the logs and there is a "connection error" message in the web UI.

Maksim Rodin

Re: Active Directory (Samba 4) password change does not work
« Reply #1 on: February 08, 2023, 08:54:14 AM »
This code is not prepared for PHP8. Maybe try with PHP7? Try $config['password_ldap_starttls'] = false;

https://github.com/pear/Net_LDAP2/issues/7

Re: Active Directory (Samba 4) password change does not work
« Reply #2 on: February 08, 2023, 11:54:52 AM »
This code is not prepared for PHP8. Maybe try with PHP7? Try $config['password_ldap_starttls'] = false;

https://github.com/pear/Net_LDAP2/issues/7

Thank you. I understood my bad choice of the right PHP version, installed PHP 7 and reinitialized the whole Roundcube installation.
To be sure I left only php7_fpm service running.
Now when I try to change password it says:

Code:
[08-Feb-2023 19:40:01 +0300]: <afvei5dt> PHP Error: LDAP_OPERATIONS_ERROR
Parameters:
Base: CN=Aggregate,CN=Schema,CN=Configuration,dc=somedomain,dc=org
Filter: (objectClass=*)
Scope: base: LDAP_OPERATIONS_ERROR (POST /?_task=settings&_action=plugin.password-save)
[08-Feb-2023 19:40:01 +0300]: <afvei5dt> PHP Error: Could not fetch Subschema entry: LDAP_OPERATIONS_ERROR
Parameters:
Base: CN=Aggregate,CN=Schema,CN=Configuration,dc=somedomain,dc=org
Filter: (objectClass=*)
Scope: base: LDAP_OPERATIONS_ERROR (POST /?_task=settings&_action=plugin.password-save)
[08-Feb-2023 19:40:01 Europe/Moscow] PHP Warning:  in_array() expects parameter 2 to be array, string given in /roundcubemail-1.5.3/vendor/pear/net_ldap2/Net/LDAP2.php on line 640
[08-Feb-2023 19:40:01 +0300]: <afvei5dt> PHP Error: Server reports that it does not support TLS.:  (POST /?_task=settings&_action=plugin.password-save)

I do not know why PHP says "Server reports that it does not support TLS", because my Samba 4 AD server definitely does support it, which is confirmed by a successful ldapsearch command using the -ZZ parameter.
When I disable starttls with this:
Code:
$config['password_ldap_starttls'] = false;

It says:
Code:
[08-Feb-2023 19:46:14 +0300]: <afvei5dt> PHP Error: Bind failed: Strong(er) authentication required: LDAP_STRONG_AUTH_REQUIRED (POST /?_task=settings&_action=plugin.password-save)

Is there anything else I could be missing and should check?

Maksim Rodin
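An added example, not code from this thread or from the Roundcube project: it parses ldapsearch-style LDIF (such as a rootDSE query with `ldapsearch -x -H ldap://addc.somedomain.org -s base -b "" supportedExtension subschemaSubentry`) and checks whether the server advertises the StartTLS extension and where subschemaSubentry points, which is what the "does not support TLS" and "Could not fetch Subschema entry" messages above depend on. The sample LDIF and its values are constructed; the `as_list` helper accepts a single string as well as a list, the shape mismatch the `in_array()` error in the trace points at.

```python
import base64

# OID of the StartTLS extended operation (RFC 4511); a server lists it in the
# rootDSE attribute supportedExtension when it offers STARTTLS on the plain port
STARTTLS_OID = "1.3.6.1.4.1.1466.20037"

# Constructed sample: a rootDSE entry plus the Aggregate schema entry shape
# seen in the thread (values illustrative, not captured from a real server)
SAMPLE_LDIF = """\
# extended LDIF
dn:
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,dc=somedomain,dc=org
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.2.840.113556.1.4.1781

dn: CN=Aggregate,CN=Schema,CN=Configuration,dc=somedomain,dc=org
objectClass: top
objectClass: subSchema
objectGUID:: pKcWnwUykkOVdnz+dMMiLQ==
"""

def parse_ldif(text):
    """Parse ldapsearch output into a list of {attr: [values]} dicts, handling
    '#' comments, blank-line entry separators, 'attr:: base64' values (decoded
    to hex) and continuation lines (leading space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):            # base64-encoded value
            value = base64.b64decode(value[1:].strip()).hex()
        else:
            value = value.strip()
        attrs.setdefault(name, []).append(value)
    return entries

def as_list(value):
    """Normalise a single-valued attribute (plain string) to a list; this is
    the string-vs-array case the in_array() error in the thread trips over."""
    return [value] if isinstance(value, str) else list(value)

def starttls_supported(root_dse):
    return STARTTLS_OID in as_list(root_dse.get("supportedExtension", []))

def subschema_dn(root_dse):
    values = as_list(root_dse.get("subschemaSubentry", []))
    return values[0] if values else None
```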