scalix+openldap: unable password change frm webmail

Best practice information from Scalix users relating to integration of Scalix with other products.

Moderator: ScalixSupport

potatoinmiri
Posts: 58
Joined: Wed Mar 28, 2007 9:25 pm

scalix+openldap: unable password change frm webmail

Post by potatoinmiri » Tue Apr 07, 2009 11:56 pm

Dear friends,

Upon integrating with openldap, I am unable to change password from the webmail.
The following error prompts back upon an attempt to change password from webmail:
An error occurred while changing your password.
Please contact your system administrator

I am implementing based on document http://www.scalix.com/wiki/index.php?ti ... sync_HowTo SECTION 5.2

The problem is to have a way for users to change their password proactively rather than we administrators taking on the job of setting passwords for them from our admin interface. The webmail provides an option to do that, but I am not sure why it isn't working.

Does anyone have any idea about implementing the same platform?

I am using RHEL5, scalix enterprise 11.4.3.
Openldap integration with omldapsync 13.

I suppose that since the password is now in openldap, there is no way the scalix webmail can change a password at the webmail? I must somehow find some ldap webadmin interface for users to change their password?

Thanks for taking the time to read this.

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: scalix+openldap: unable password change frm webmail

Post by Valerion » Wed Apr 08, 2009 4:31 am

Are you using om_ldap or pam_ldap for authentication? AFAICR, om_ldap cannot change passwords, only authenticate, while pam_ldap can. However, to properly test this I will first need to get a test setup running again. May just be a configuration change in your pam.d files that's needed for this.

potatoinmiri
Posts: 58
Joined: Wed Mar 28, 2007 9:25 pm

Re: scalix+openldap: unable password change frm webmail

Post by potatoinmiri » Fri Apr 10, 2009 10:39 pm

Hi Valerion,

Thanks for your reply.
I am using pam_ldap. My configuration files are as follows:

ual.remote:
auth required om_om2authid
auth sufficient /lib/security/pam_ldap.so ignore_unknown_user
auth sufficient om_auth use_first_pass
auth required pam_deny
account sufficient om_auth
account required /lib/security/pam_ldap.so
password required om_auth preauth
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

smtpd.auth:
auth required om_om2authid
auth sufficient /lib/security/pam_ldap.so ignore_unknown_user
auth sufficient om_auth use_first_pass
auth required pam_deny
account sufficient om_auth
account required /lib/security/pam_ldap.so
password required om_auth preauth
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

pop3:
auth required om_om2authid
auth sufficient /lib/security/pam_ldap.so ignore_unknown_user
auth sufficient om_auth use_first_pass
auth required pam_deny
account sufficient om_auth
account required /lib/security/pam_ldap.so
password required om_auth preauth
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

omslapdeng:
auth required om_om2authid
auth sufficient /lib/security/pam_ldap.so ignore_unknown_user
auth sufficient om_auth use_first_pass
auth required pam_deny
account sufficient om_auth
account required /lib/security/pam_ldap.so
password required om_auth preauth
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

pamcheck:
auth required om_debug
account required om_debug
session required om_debug
password required om_debug
auth required om_om2authid
auth required /lib/security/pam_ldap.so
account required /lib/security/pam_ldap.so
password required om_om2authid
password required /lib/security/pam_ldap.so
session required /lib/security/pam_ldap.so

It is not just the accounts created from openldap that are unable to change their password; even the sxadmin account created by default is unable to change its password from webmail now.
Once again, thanks for taking the time to read my mail!

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: scalix+openldap: unable password change frm webmail

Post by Valerion » Sun Apr 12, 2009 8:13 am

It could be a lot of things, hard to debug from this alone, and I don't have a working LDAP configuration I can lay my hands on right now (working mostly with Kerberos). I would suggest checking LDAP permissions and the ldap configuration file very carefully. Maybe put a normal system service (from a VM perhaps?) on LDAP and see if you can change the passwords from there.

potatoinmiri
Posts: 58
Joined: Wed Mar 28, 2007 9:25 pm

Re: scalix+openldap: unable password change frm webmail

Post by potatoinmiri » Mon Apr 13, 2009 3:05 am

Hi Valerion,

Thanks for your reply.
Finally I have got it sorted out. The problem is in my ldap ACL permission configuration.
Below is my ACL configuration for slapd.conf of my ldap server:

access to attrs=userPassword
by self write
by anonymous write
by * write

which is pretty dumb because it's almost no security, and changes are allowed for all users, even anonymous. Anyway, I don't care for now; at least I figured out the problem is within the openldap configuration, and password changing from webmail is working fine now.

Thanks to all for helping.
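The ACL quoted in this post works only because it grants write to everyone, including unauthenticated binds, so any client on the network can overwrite any user's password hash. As an added example (not from the thread or the Scalix documentation), here is that slapd.conf fragment next to a least-privilege version; the admin DN is a placeholder and the suffix is assumed.

```text
# Posted version: every "by" clause grants write, so an anonymous client
# may replace any userPassword value.
access to attrs=userPassword
        by self write
        by anonymous write
        by * write

# Least-privilege version (added example; DNs are assumed).
# slapd evaluates "access to" clauses in file order and applies the first
# one whose <what> matches, then the first matching "by" clause inside it,
# so this block must appear BEFORE any general "access to *" rule.
access to attrs=userPassword
        by self write            # a user may change only their own password
                                 # (pam_ldap typically binds as that user)
        # by dn.exact="cn=Manager,dc=example,dc=com" write
        #                        # placeholder: only if a management account
        #                        # must reset passwords for others
        by anonymous auth        # permits simple bind, never returns the hash
        by * none

# Everything else: authenticated users may read, nobody else sees anything.
access to *
        by self write
        by users read
        by * none
```

A quick check after restarting slapd is an anonymous `ldapsearch` requesting `userPassword`: entries should come back without that attribute, while a bind as the user itself can still modify it.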

potatoinmiri
Posts: 58
Joined: Wed Mar 28, 2007 9:25 pm

Re: scalix+openldap: unable password change frm webmail

Post by potatoinmiri » Fri Apr 17, 2009 5:01 am

Hi,
At the end, it didn't actually work. Something might have messed up; I was confused before. It managed to change the password without error, but then I realised the password that was changed is not the password in my openldap. It must be the scalix password itself that has been changed, meaning I got it all wrong: the change password only managed to change the password in the scalix directory. No wonder I can log in with two different passwords; I was confused, but I realize it now.

Anyway, I just need to clarify my understanding of the documentation. The Omldapsync HowTo says there are four options:
There are four options:

* Let the user login with his LDAP password. Don't let people change their password from the email client. This restricts password control to an outside application.
* Let the user login with their LDAP password, and if they opt to change their password from within the email client, the password in the LDAP directory gets changed.
* Let the user log in with either their email *or* their LDAP password. They can change their email password from the email client, but not their LDAP password. The two passwords are not synchronized; either one will work for login, but only the email password can be changed from the email client.
* Let the user log in with his email password only. The email and LDAP passwords are completely separate and unrelated (though the user could set them to the same value if he chose).


When it says "change their password from the email client", does it mean from the scalix webmail? AFAIK, there is no change password feature in email clients such as thunderbird.
What I need is to enable users to log in only with the ldap password, and also, when using webmail to change the password, to change the ldap password rather than the scalix password. For that I followed the 2nd option above, but with that configuration, my system seems to be able to authenticate with passwords from both the scalix directory and the external ldap directory. When using the webmail change password, it changes the scalix directory password instead; this does not seem to resemble what is described in option 2. It is more like option 3. Anyway, I am just confused: which configuration option fits my requirement, i.e. authenticate with the openldap password only, and webmail password change changes the openldap password only?

thanks...
