ltb-project / self-service-password

Web interface to change and reset password in an LDAP directory
https://self-service-password.readthedocs.io/en/latest/
GNU General Public License v3.0

Extended Error message not shown #908

Open sanket97 opened 5 months ago

sanket97 commented 5 months ago

Using version 1.5.4 of self-service-password, OS: Ubuntu 23.04.

Extended errors like "Password is in history" do not show; they appear in the log.

I have set the following in config.inc.local.php:

$show_extended_error = true;

Any pointer?

Thanks

coudot commented 5 months ago

Please use latest version (1.6.0) and see if the problem still occurs.

sanket97 commented 5 months ago

Tried the latest version as well; the issue persists.


davidcoutadeur commented 5 months ago

Hello @sanket97

I tried to reproduce the problem with version 1.6.0 (on Debian 12).

The log message is:

[Wed May 22 16:52:33.812838 2024] [php:notice] [pid 38731] [client 127.0.0.1:34438] LDAP - Modify password error 19 (Password is in history of old passwords), referer: http://ssp.example.com/

But there is a clear message displayed to the user (in a red banner):

Password is in history of old passwords (Password is in history of old passwords)

Could you provide more information on how to reproduce please? At least a complete configuration.

sanket97 commented 5 months ago

Here is the config.inc.local.php file which is used for this.

I have installed it using apt install.

Do I need to enable ldaps? Currently using ldap://.

Thanks Sandeep


davidcoutadeur commented 5 months ago

Hello,

> Here is config.inc.local.php file which is used for this.

I don't see any attachment in the issue, or in the notification mail.

> Do I need to enable ldaps ? currently using ldap://

In general: yes, it is recommended, but I don't think it's your problem here. Theoretically, the message in the log and the message in the interface should be coherent.

sanket97 commented 5 months ago

Attachment is there; I will attach again. Not sure why it is not there. I have renamed it as txt.

Thanks Sandeep


```php
<?php
#==============================================================================
# LTB Self Service Password
#
# Copyright (C) 2009 Clement OUDOT
# Copyright (C) 2009 LTB-project.org
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# GPL License: http://www.gnu.org/licenses/gpl.txt
#
#==============================================================================

#==============================================================================
# All the default values are kept here, you should not modify it but use
# config.inc.local.php file instead to override the settings from here.
#==============================================================================

#==============================================================================
# Configuration
#==============================================================================

# Debug mode
# true: log and display any errors or warnings (use this in configuration/testing)
# false: log only errors and do not display them (use this in production)
$debug = true;

## LDAP
$ldap_url = "ldap://cnmaestro.cambium.local";
$ldap_starttls = false;
$ldap_binddn = "cn=admin,dc=cnmaestro,dc=cambium,dc=local";
$ldap_bindpw = '[redacted in the attachment]';
# for GSSAPI authentication, comment out ldap_bind and uncomment ldap_krb5ccname lines
//$ldap_krb5ccname = "/path/to/krb5cc";
$ldap_base = "dc=cnmaestro,dc=cambium,dc=local";
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))";
$ldap_use_exop_passwd = true;
$ldap_use_ppolicy_control = true;

## Active Directory mode
# true: use unicodePwd as password field
# false: LDAPv3 standard behavior
$ad_mode = false;
$ad_options=[];
# Force account unlock when password is changed
$ad_options['force_unlock'] = false;
# Force user change password at next login
$ad_options['force_pwd_change'] = false;
# Allow user with expired password to change password
$ad_options['change_expired_password'] = false;

## Samba mode
# true: update sambaNTpassword and sambaPwdLastSet attributes too
# false: just update the password
$samba_mode = false;
$samba_options=[];
# Set password min/max age in Samba attributes
$samba_options['min_age'] = 5;
$samba_options['max_age'] = 45;
$samba_options['expire_days'] = 90;

## Shadow options - require shadowAccount objectClass
$shadow_options=[];
# Update shadowLastChange
$shadow_options['update_shadowLastChange'] = true;
$shadow_options['update_shadowExpire'] = true;
# Default to -1, never expire
$shadow_options['shadow_expire_days'] = 90;

## Hash mechanism for password:
# SSHA, SSHA256, SSHA384, SSHA512
# SHA, SHA256, SHA384, SHA512
# SMD5
# MD5
# CRYPT
# ARGON2
# clear (the default)
# auto (will check the hash of current password)
# This option is not used with ad_mode = true
$hash = "auto";
$hash = "clear";
$hash_options=[];
# Prefix to use for salt with CRYPT
$hash_options['crypt_salt_prefix'] = "$6$";
$hash_options['crypt_salt_length'] = "6";

## USE rate-limiting by IP and/or by user
$use_ratelimit = false;
# dir for json db's (system default tmpdir)
$ratelimit_dbdir = '/tmp';
# block attempts for same login ?
$max_attempts_per_user = 2;
# block attempts for same IP ?
$max_attempts_per_ip = 2;
# how many time to refuse subsequent requests ?
$max_attempts_block_seconds = "60";
# Header to use for client IP (HTTP_X_FORWARDED_FOR ?)
$client_ip_header = 'REMOTE_ADDR';
# JSON file to filter by IP
$ratelimit_filter_by_ip_jsonfile = "/usr/share/self-service-password/conf/rrl_filter_by_ip.json";

## Local password policy
# This is applied before directory password policy
# Minimal length
$pwd_min_length = 8;
# Maximal length
$pwd_max_length = 0;
# Minimal lower characters
$pwd_min_lower = 1;
# Minimal upper characters
$pwd_min_upper = 1;
# Minimal digit characters
$pwd_min_digit = 1;
# Minimal special characters
$pwd_min_special = 0;
# Definition of special characters
$pwd_special_chars = "^a-zA-Z0-9";
# Forbidden characters
$pwd_forbidden_chars = "@%";
# Don't reuse the same password as currently
$pwd_no_reuse = true;
# Check that password is different than login
$pwd_diff_login = true;
# Check new passwords differs from old one - minimum characters count
$pwd_diff_last_min_chars = 3;
# Forbidden words which must not appear in the password
$pwd_forbidden_words = array('test', 'admin', 'password', 'qwerty');
# Forbidden ldap fields
# Respective values of the user's entry must not appear in the password
# example: $pwd_forbidden_ldap_fields = array('cn', 'givenName', 'sn', 'mail');
$pwd_forbidden_ldap_fields = array('cn', 'givenname', 'sn', 'uid');
# Complexity: number of different class of character required
$pwd_complexity = 3;
# use pwnedpasswords api v2 to securely check if the password has been on a leak
$use_pwnedpasswords = false;
# Show policy constraints message:
# always
# never
# onerror
$pwd_show_policy = "onerror";
# Position of password policy constraints message:
# above - the form
# below - the form
$pwd_show_policy_pos = "above";
# disallow use of the only special character as defined in $pwd_special_chars at the beginning and end
$pwd_no_special_at_ends = false;

## Who changes the password?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_password = "manager";
$who_change_password = "user";

## Show extended error message returned by LDAP directory when password is refused
$show_extended_error = true;

## Standard change
# Use standard change form?
$use_change = true;

## SSH Key Change
# Allow changing of sshPublicKey?
$change_sshkey = false;
# What attribute should be changed by the changesshkey action?
$change_sshkey_attribute = "sshPublicKey";
# What objectClass is required for that attribute?
$change_sshkey_objectClass = "ldapPublicKey";
# Ensure the SSH Key submitted uses a type we trust
$ssh_valid_key_types = array('ssh-rsa', 'ssh-dss', 'ecdsa-sha2-nistp256', 'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521', 'ssh-ed25519');
# Who changes the sshPublicKey attribute?
# Also applicable for question/answer save
# user: the user itself
# manager: the above binddn
$who_change_sshkey = "user";
# Notify users anytime their sshPublicKey is changed
# Requires mail configuration below
$notify_on_sshkey_change = false;

## Questions/answers
# Use questions/answers?
$use_questions = false;
# Allow to register more than one answer?
$multiple_answers = false;
# Store many answers in a single string attribute
# (only used if $multiple_answers = true)
$multiple_answers_one_str = false;
# Answer attribute should be hidden to users!
$answer_objectClass = "extensibleObject";
$answer_attribute = "info";
# Crypt answers inside the directory
$crypt_answers = false;
# Extra questions (built-in questions are in lang/$lang.inc.php)
# Should the built-in questions be included?
$questions_use_default = true;
$messages['questions']['ice'] = "What is your favorite ice cream flavor?";
# How many questions must be answered.
# If = 1: legacy behavior
# If > 1:
#   this many questions will be included in the page forms
#   this many questions must be set at a time
#   user must answer this many correctly to reset a password
#   $multiple_answers must be true
#   at least this many possible questions must be available (there are only 2 questions built-in)
$questions_count = 1;
# Should the user be able to select registered question(s) by entering only the login?
$question_populate_enable = false;

## Token
# Use tokens?
# true (default)
# false
$use_tokens = false;
# Crypt tokens?
# true (default)
# false
$crypt_tokens = false;
# Token lifetime in seconds
$token_lifetime = "3600";

## Mail
# LDAP mail attribute
$mail_attributes = array( "mail", "gosaMailAlternateAddress", "proxyAddresses" );
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
$mail_from = '[redacted in the attachment]';
$mail_from_name = "Self Service Password";
$mail_signature = "";
# Notify users anytime their password is changed
$notify_on_change = false;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'error_log';
$mail_smtp_host = 'localhost';
$mail_smtp_auth = false;
$mail_smtp_user = '';
$mail_smtp_pass = '';
$mail_smtp_port = 25;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
$mail_smtp_secure = 'tls';
$mail_smtp_autotls = true;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;

## SMS
# Use sms
$use_sms = false;
# SMS method (mail, api)
$sms_method = "mail";
$sms_api_lib = "lib/smsapi.inc.php";
# GSM number attribute
$sms_attributes = array( "mobile", "pager", "ipPhone", "homephone" );
# Partially hide number
$sms_partially_hide_number = true;
# Send SMS mail to address. {sms_attribute} will be replaced by real sms number
$smsmailto = '[redacted in the attachment]';
# Subject when sending email to SMTP to SMS provider
$smsmail_subject = "Provider code";
# Message
$sms_message = "{smsresetmessage} {smstoken}";
# Remove non digit characters from GSM number
$sms_sanitize_number = false;
# Truncate GSM number
$sms_truncate_number = false;
$sms_truncate_number_length = 10;
# SMS token length
$sms_token_length = 6;
# Max attempts allowed for SMS token
$max_attempts = 3;

# Encryption, decryption keyphrase, required if $use_tokens = true and $crypt_tokens = true, or $use_sms, or $crypt_answer
# Please change it to anything long, random and complicated, you do not have to remember it
# Changing it will also invalidate all previous tokens and SMS codes
$keyphrase = "secret";
$keyphrase = "7rRy0}96#4E7#kzb%:,25X}c&66rU";

# Reset URL (if behind a reverse proxy)
$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];

# Display help messages
$show_help = true;

# Default language
$lang = "en";

# List of authorized languages. If empty, all language are allowed.
# If not empty and the user's browser language setting is not in that list, language from $lang will be used.
$allowed_lang = array();

# Display menu on top
$show_menu = true;

# Logo
$logo = "images/ltb-logo.png";

# Background image
$background_image = "images/unsplash-space.jpeg";

# Path is relative to htdocs/html and the custom CSS file should be created in css/ directory. For example: "css/sample.css"
$custom_css = "";
$display_footer = true;

# Where to log password resets - Make sure apache has write permission
# By default, they are logged in Apache log
$reset_request_log = "/var/log/self-service-password";

# Invalid characters in login
# Set at least "*()&|" to prevent LDAP injection
# If empty, only alphanumeric characters are accepted
$login_forbidden_chars = "*()&|";

## Captcha
$use_captcha = false;

## Default action
# change
# sendtoken
# sendsms
$default_action = "change";

## Rest API
$use_restapi = false;

## Extra messages
# They can also be defined in lang/ files
$messages['passwordchangedextramessage'] = NULL;
$messages['changehelpextramessage'] = NULL;

## Pre Hook
# Launch a prehook script before changing password.
# Script should return with 0, to allow password change.
# Any other exit code would abort password modification
$prehook = "/usr/share/self-service-password/prehook.sh";
# Display prehook error
$display_prehook_error = true;
# Encode passwords sent to prehook script as base64. This will prevent alteration of the passwords if set to true.
# To read the actual password in the prehook script, use a base64_decode function/tool
$prehook_password_encodebase64 = false;
# Ignore prehook error. This will allow to change password even if prehook script fails.
$ignore_prehook_error = true;

## Post Hook
# Launch a posthook script after successful password change
$posthook = "/usr/share/self-service-password/posthook.sh";
# Display posthook error
$display_posthook_error = true;
# Encode passwords sent to posthook script as base64. This will prevent alteration of the passwords if set to true.
# To read the actual password in the posthook script, use a base64_decode function/tool
$posthook_password_encodebase64 = false;

# Force setlocale if your default PHP configuration is not correct
setlocale(LC_CTYPE, "en_US.UTF-8");

# Hide some messages to not disclose sensitive information
# These messages will be replaced by badcredentials error
# by default mailnomatch is obscured since it can disclose account existence
$obscure_failure_messages = array("mailnomatch");
$obscure_usernotfound_sendtoken = true;

# HTTP Header name that may hold a login to preset in forms
$header_name_preset_login="Auth-User";

# The name of an HTTP Header that may hold a reference to an extra config file to include.
$header_name_extra_config="SSP-Extra-Config";

# Cache directory
$smarty_compile_dir = "/var/cache/self-service-password/templates_c";
$smarty_cache_dir = "/var/cache/self-service-password/cache";
# Smarty debug mode - will popup debug information on web interface
$smarty_debug = false;

# Allow to override current settings with local configuration
if (file_exists (__DIR__ . '/config.inc.local.php')) {
    require_once __DIR__ . '/config.inc.local.php';
}

# Smarty
if (!defined("SMARTY")) {
    define("SMARTY", "/usr/share/php/smarty3/Smarty.class.php");
}

# Set preset login from HTTP header $header_name_preset_login
$presetLogin = "";
if (isset($header_name_preset_login)) {
    $presetLoginKey = "HTTP_".strtoupper(str_replace('-','_',$header_name_preset_login));
    if (array_key_exists($presetLoginKey, $_SERVER)) {
        $presetLogin = preg_replace("/[^a-zA-Z0-9_\-@.]+/", "", filter_var($_SERVER[$presetLoginKey], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH));
    }
}

# Allow to override current settings with an extra configuration file, whose reference is passed in HTTP_HEADER $header_name_extra_config
if (isset($header_name_extra_config)) {
    $extraConfigKey = "HTTP_".strtoupper(str_replace('-','_',$header_name_extra_config));
    if (array_key_exists($extraConfigKey, $_SERVER)) {
        $extraConfig = preg_replace("/[^a-zA-Z0-9_\-]+/", "", filter_var($_SERVER[$extraConfigKey], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH));
        if (strlen($extraConfig) > 0 && file_exists (__DIR__ . "/config.inc.".$extraConfig.".php")) {
            require_once __DIR__ . "/config.inc.".$extraConfig.".php";
        }
    }
}
```

coudot commented 5 months ago

> $ldap_use_exop_passwd = true;
> $ldap_use_ppolicy_control = true;

This does not work, this is a bug in PHP (see https://bugs.php.net/bug.php?id=80820)

If you want to use ppolicy, set exop_passwd to false.
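To show the mechanism behind this advice, here is an added example in PHP; it is not code from self-service-password itself. It changes a password with a plain modify request that carries the ppolicy request control, then reads the result code, the server's diagnostic message and the ppolicy error out of the response control, which is the information an extended error message in the interface is built from. The server URL, bind DN, target DN and the LDAP_BINDPW environment variable are placeholders I assumed; the error-name table follows the LDAP password policy draft.

```php
<?php
// Added example, not the project's code. Placeholder server, DNs and
// credentials: adjust to your directory before running.

// ppolicy response control error values (draft-behera-ldap-password-policy).
const PPOLICY_ERRORS = [
    0 => 'passwordExpired',
    1 => 'accountLocked',
    2 => 'changeAfterReset',
    3 => 'passwordModNotAllowed',
    4 => 'mustSupplyOldPassword',
    5 => 'insufficientPasswordQuality',
    6 => 'passwordTooShort',
    7 => 'passwordTooYoung',
    8 => 'passwordInHistory',
];

/**
 * Replace userPassword with a plain modify (not the password modify
 * extended operation) and request the ppolicy control on it, so that the
 * server's ppolicy response control is available in the result.
 * Returns the LDAP result code, the diagnostic message and, if the server
 * attached one, the symbolic ppolicy error.
 */
function change_password_with_ppolicy($ldap, string $dn, string $newPassword): array
{
    $result = ldap_mod_replace_ext(
        $ldap,
        $dn,
        ['userPassword' => $newPassword],
        [['oid' => LDAP_CONTROL_PASSWORDPOLICYREQUEST]]
    );
    if ($result === false) {
        // The request itself could not be sent (connection problem, bad DN syntax).
        return ['code' => ldap_errno($ldap), 'message' => ldap_error($ldap), 'ppolicy' => null];
    }

    // Result code (e.g. 19 = constraintViolation), diagnostic message and
    // response controls keyed by OID.
    ldap_parse_result($ldap, $result, $code, $matchedDn, $message, $referrals, $controls);

    $ppolicy = null;
    if (isset($controls[LDAP_CONTROL_PASSWORDPOLICYRESPONSE]['value']['error'])) {
        $err = $controls[LDAP_CONTROL_PASSWORDPOLICYRESPONSE]['value']['error'];
        $ppolicy = PPOLICY_ERRORS[$err] ?? "unknown($err)";
    }

    return ['code' => $code, 'message' => $message, 'ppolicy' => $ppolicy];
}

// Usage with placeholder connection details (assumed, not from the issue).
$ldap = ldap_connect('ldap://ldap.example.com');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($ldap, 'cn=admin,dc=example,dc=com', getenv('LDAP_BINDPW'));

$out = change_password_with_ppolicy($ldap, 'uid=jdoe,ou=people,dc=example,dc=com', 'NewP@ssw0rd!');
if ($out['code'] !== 0) {
    // Log the server's reason; only the symbolic ppolicy error and the
    // diagnostic message are worth showing to the user.
    printf("LDAP error %d (%s), ppolicy: %s\n",
        $out['code'], $out['message'], $out['ppolicy'] ?? 'none');
}
```

Against a directory that refuses a reused password, as in the log earlier in this issue, this path yields code 19 (constraintViolation), the diagnostic message "Password is in history of old passwords" and the ppolicy error passwordInHistory. The same change made through ldap_exop_passwd returns the result code and message, but, per the PHP bug linked above, not the response control, which is why the two settings cannot be combined.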

sanket97 commented 5 months ago

Thanks, will try this and update.


sanket97 commented 5 months ago

That worked.

Thanks
