ltb-project / self-service-password

Web interface to change and reset password in an LDAP directory
https://self-service-password.readthedocs.io/en/latest/
GNU General Public License v3.0

Reset by questions not working #964

Closed IiscsiI closed 2 months ago

IiscsiI commented 3 months ago

Hello,

self-service-password version 1.6.1 / ubuntu 24.04 / apache

I configured the config.inc.php according to the documentation: https://self-service-password.readthedocs.io/en/v1.4/config_questions.html and https://self-service-password.readthedocs.io/en/v1.4/config_ldap.html

```php
$who_change_password = "manager";

# Questions/answers
# Use questions/answers?
$use_questions = true;

# Allow to register more than one answer?
$multiple_answers = true;

# Store many answers in a single string attribute
# (only used if $multiple_answers = true)
$multiple_answers_one_str = false;

# Answer attribute should be hidden to users!
$answer_objectClass = "user";
$answer_attribute = "comment";

# Crypt answers inside the directory
$crypt_answers = true;
```

$keyphrase is defined

I declared a manager, put the delegate to the users objects needed.

I can reset a user password, connection to my AD works fine. I added the right to read/write in "comment" attribute and it works fine with the user (in PowerShell, Set-ADUser/Get-ADUser with the user rights not elevated).

When I try to initialize the questions for a user, I have the message: your answer have not been registered.

In the log file I have those lines:

```
[Fri Aug 23 09:58:14.749284 2024] [php:notice] [pid 4302] [client x.x.x.x:61841] Module Zxcvbn successfully loaded, referer: https://password.xxxxxxxxxxx/index.php
[Fri Aug 23 09:58:16.490557 2024] [php:notice] [pid 4305] [client x.x.x.x:61843] Module Zxcvbn successfully loaded, referer: https://password.xxxxxxxxxxx/index.php?action=resetbyquestions
[Fri Aug 23 09:59:10.015279 2024] [php:notice] [pid 4303] [client x.x.x.x:61864] Module Zxcvbn successfully loaded, referer: https://password.xxxxxxxxxxx/index.php?action=setquestions
[Fri Aug 23 09:59:10.025330 2024] [php:warn] [pid 4303] [client x.x.x.x:61864] PHP Warning: ldap_get_values(): Cannot get the value(s) of attribute Decoding error in /usr/share/self-service-password/htdocs/setquestions.php on line 152, referer: https://password.xxxxxxxxxxx/index.php?action=setquestions
[Fri Aug 23 09:59:10.311819 2024] [php:warn] [pid 4303] [client x.x.x.x:61864] PHP Warning: ldap_modreplace(): Modify: Constraint violation in /usr/share/self-service-password/htdocs/setquestions.php on line 194, referer: https://password.xxxxxxxxxxx/index.php?action=setquestions
[Fri Aug 23 09:59:10.311837 2024] [php:notice] [pid 4303] [client x.x.x.x:61864] LDAP - Modify answer (error 19 (Constraint violation), referer: https://password.xxxxxxxxxxx/index.php?action=setquestions
```

Many thanks for the help

coudot commented 3 months ago

I think AD does not allow multiple values in "comment" attributes, try to set $multiple_answers_one_str = true;
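
An added example, not part of the thread or of Self Service Password's code: a PHP check that reads `isSingleValued` from the AD schema for the attribute used as `$answer_attribute` and flags the setting combination that produced the constraint violation above. The function names are hypothetical, and `$ldap` is assumed to be a connection already bound to the domain controller.

```php
<?php
// Added example, not Self Service Password code. Function names are hypothetical.
// Assumes $ldap is an LDAP connection already bound to the AD domain controller.

/** Read isSingleValued for an attribute from the AD schema; null if unknown. */
function ad_attribute_is_single_valued($ldap, string $attribute): ?bool
{
    // The rootDSE (empty base DN) advertises where the schema partition lives.
    $root = ldap_read($ldap, "", "(objectClass=*)", ["schemaNamingContext"]);
    if ($root === false) {
        return null;
    }
    $rootEntries = ldap_get_entries($ldap, $root);
    $schemaDn = $rootEntries[0]["schemanamingcontext"][0] ?? null;
    if ($schemaDn === null) {
        return null;
    }
    $filter = "(&(objectClass=attributeSchema)(lDAPDisplayName="
        . ldap_escape($attribute, "", LDAP_ESCAPE_FILTER) . "))";
    $res = ldap_search($ldap, $schemaDn, $filter, ["isSingleValued"]);
    if ($res === false) {
        return null;
    }
    $entries = ldap_get_entries($ldap, $res);
    if (($entries["count"] ?? 0) < 1) {
        return null;
    }
    // AD returns schema booleans as the strings "TRUE" / "FALSE".
    return strtoupper($entries[0]["issinglevalued"][0] ?? "") === "TRUE";
}

/** Return a problem description, or null when the settings fit the attribute. */
function check_answer_storage(?bool $singleValued, bool $multiple, bool $oneStr): ?string
{
    if ($singleValued === null) {
        return "attribute not found in the schema";
    }
    if ($singleValued && $multiple && !$oneStr) {
        return "single-valued attribute cannot hold several answers; "
            . "set \$multiple_answers_one_str = true";
    }
    return null;
}

// Offline demonstration with constructed input: a single-valued attribute
// (as "comment" behaves in this thread) against both settings.
var_dump(check_answer_storage(true, true, false)); // reports the conflict
var_dump(check_answer_storage(true, true, true));  // NULL: settings are consistent
```

Against a live directory, pass `ad_attribute_is_single_valued($ldap, $answer_attribute)` as the first argument of `check_answer_storage()`.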

IiscsiI commented 3 months ago

That solved the problem.

Can you add to the documentation a tip about that?

Many thanks, have a nice day.

coudot commented 3 months ago

You can propose a modification on https://github.com/ltb-project/self-service-password/blob/master/docs/config_questions.rst

IiscsiI commented 2 months ago

Done, thanks