Hi,
I can't deploy the new version of ssp (1.7.3), because I get this error while changing a password:
ldap_create
ldap_url_parse_ext(ldaps://192.168.11.1:10636)
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.11.1:10636
ldap_new_socket: 6
ldap_prepare_socket: 6
ldap_connect_to_host: Trying 192.168.11.1:10636
ldap_pvt_connect: fd: 6 tm: 10 async: 0
ldap_ndelay_on: 6
attempting to connect:
connect errno: 115
ldap_int_poll: fd: 6 tm: 10
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
ldap_pvt_connect: 0
TLS trace: SSL_connect:before SSL initialization
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:error in SSLv3/TLS write client hello
ldap_int_tls_start: ldap_int_tls_connect needs read
ldap_int_tls_start: ld 0x560f8fd8c490 9 s 999219 us to go
ldap_int_poll: fd: 6 tm: 9
ldap_is_sock_ready: 6
ldap_ndelay_off: 6
TLS trace: SSL_connect:SSLv3/TLS write client hello
TLS trace: SSL_connect:SSLv3/TLS read server hello
TLS trace: SSL_connect:TLSv1.3 read encrypted extensions
TLS certificate verification: depth: 1, err: 0, subject: /CN=TEST CA, issuer: /CN=TEST CA
TLS certificate verification: depth: 0, err: 0, subject: /C=US/ST=Georgia/L=Savannah/O=TEST/OU=TEST/CN=openldap, issuer: /CN=TEST CA
TLS trace: SSL_connect:SSLv3/TLS read server certificate
TLS trace: SSL_connect:TLSv1.3 read server certificate verify
TLS trace: SSL_connect:SSLv3/TLS read finished
TLS trace: SSL_connect:SSLv3/TLS write change cipher spec
TLS trace: SSL_connect:SSLv3/TLS write finished
ldap_open_defconn: successful
ldap_send_server_request
ldap_result ld 0x560f8fd8c490 msgid 1
wait4msg ld 0x560f8fd8c490 msgid 1 (infinite timeout)
wait4msg continue ld 0x560f8fd8c490 msgid 1 all 1
** ld 0x560f8fd8c490 Connections:
* host: 192.168.11.1 port: 10636 (default)
* from: IP=192.168.156.5:36866
refcnt: 2 status: Connected
last used: Thu Apr 9 11:40:57 2026
** ld 0x560f8fd8c490 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x560f8fd8c490 request count 1 (abandoned 0)
** ld 0x560f8fd8c490 Response Queue:
Empty
ld 0x560f8fd8c490 response count 0
ldap_chkResponseList ld 0x560f8fd8c490 msgid 1 all 1
ldap_chkResponseList returns ld 0x560f8fd8c490 NULL
ldap_int_select
read1msg: ld 0x560f8fd8c490 msgid 1 all 1
TLS trace: SSL_connect:SSL negotiation finished successfully
TLS trace: SSL_connect:SSL negotiation finished successfully
TLS trace: SSL_connect:SSLv3/TLS read server session ticket
TLS trace: SSL_connect:SSL negotiation finished successfully
TLS trace: SSL_connect:SSL negotiation finished successfully
TLS trace: SSL_connect:SSLv3/TLS read server session ticket
ldap_find_request_by_msgid: msgid 1, lr 0x560f8fd9f0c0 lr->lr_refcnt = 1
read1msg: ld 0x560f8fd8c490 msgid 1 message type bind
read1msg: ld 0x560f8fd8c490 0 new referrals
read1msg: mark request completed, ld 0x560f8fd8c490 msgid 1
request done: ld 0x560f8fd8c490 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x560f8fd9f0c0, lr 0x560f8fd9f0c0
ldap_return_request: lrx->lr_msgid 1, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 1, msgid 1)
ldap_free_request_int: lr 0x560f8fd9f0c0 msgid 1 removed
ldap_do_free_request: asked to free lr 0x560f8fd9f0c0 msgid 1 refcnt 0
ldap_parse_result
ldap_msgfree
ldap_search_ext
put_filter: "(&(objectClass=person)(uid=jtestowy)(!(pwdAccountLockedTime=*)))"
put_filter: AND
put_filter_list "(objectClass=person)(uid=jtestowy)(!(pwdAccountLockedTime=*))"
put_filter: "(objectClass=person)"
put_filter: simple
put_simple_filter: "objectClass=person"
put_filter: "(uid=jtestowy)"
put_filter: simple
put_simple_filter: "uid=jtestowy"
put_filter: "(!(pwdAccountLockedTime=*))"
put_filter: NOT
put_filter_list "(pwdAccountLockedTime=*)"
put_filter: "(pwdAccountLockedTime=*)"
put_filter: simple
put_simple_filter: "pwdAccountLockedTime=*"
ldap_build_search_req ATTRS: *
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x560f8fd8c490 msgid 2
wait4msg ld 0x560f8fd8c490 msgid 2 (infinite timeout)
wait4msg continue ld 0x560f8fd8c490 msgid 2 all 1
** ld 0x560f8fd8c490 Connections:
* host: 192.168.11.1 port: 10636 (default)
* from: IP=192.168.156.5:36866
refcnt: 2 status: Connected
last used: Thu Apr 9 11:40:57 2026
** ld 0x560f8fd8c490 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x560f8fd8c490 request count 1 (abandoned 0)
** ld 0x560f8fd8c490 Response Queue:
Empty
ld 0x560f8fd8c490 response count 0
ldap_chkResponseList ld 0x560f8fd8c490 msgid 2 all 1
ldap_chkResponseList returns ld 0x560f8fd8c490 NULL
ldap_int_select
read1msg: ld 0x560f8fd8c490 msgid 2 all 1
ldap_find_request_by_msgid: msgid 2, lr 0x560f8fd9f0c0 lr->lr_refcnt = 1
read1msg: ld 0x560f8fd8c490 msgid 2 message type search-entry
ldap_return_request: lrx 0x560f8fd9f0c0, lr 0x560f8fd9f0c0
ldap_return_request: lrx->lr_msgid 2, lrx->lr_refcnt is now 0, lr is still present
wait4msg continue ld 0x560f8fd8c490 msgid 2 all 1
** ld 0x560f8fd8c490 Connections:
* host: 192.168.11.1 port: 10636 (default)
* from: IP=192.168.156.5:36866
refcnt: 2 status: Connected
last used: Thu Apr 9 11:40:57 2026
** ld 0x560f8fd8c490 Outstanding Requests:
* msgid 2, origid 2, status InProgress
outstanding referrals 0, parent count 0
ld 0x560f8fd8c490 request count 1 (abandoned 0)
** ld 0x560f8fd8c490 Response Queue:
* msgid 2, type 100
ld 0x560f8fd8c490 response count 1
ldap_chkResponseList ld 0x560f8fd8c490 msgid 2 all 1
ldap_chkResponseList returns ld 0x560f8fd8c490 NULL
ldap_int_select
read1msg: ld 0x560f8fd8c490 msgid 2 all 1
ldap_find_request_by_msgid: msgid 2, lr 0x560f8fd9f0c0 lr->lr_refcnt = 1
read1msg: ld 0x560f8fd8c490 msgid 2 message type search-result
read1msg: ld 0x560f8fd8c490 0 new referrals
read1msg: mark request completed, ld 0x560f8fd8c490 msgid 2
request done: ld 0x560f8fd8c490 msgid 2
res_errno: 0, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x560f8fd9f0c0, lr 0x560f8fd9f0c0
ldap_return_request: lrx->lr_msgid 2, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 2, msgid 2)
ldap_free_request_int: lr 0x560f8fd9f0c0 msgid 2 removed
ldap_do_free_request: asked to free lr 0x560f8fd9f0c0 msgid 2 refcnt 0
adding response ld 0x560f8fd8c490 msgid 2 type 101:
ldap_parse_result
ldap_get_values_len
ldap_get_dn
ldap_first_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_get_values_len
ldap_next_attribute
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x560f8fd8c490 msgid 3
wait4msg ld 0x560f8fd8c490 msgid 3 (infinite timeout)
wait4msg continue ld 0x560f8fd8c490 msgid 3 all 1
** ld 0x560f8fd8c490 Connections:
* host: 192.168.11.1 port: 10636 (default)
* from: IP=192.168.156.5:36866
refcnt: 2 status: Connected
last used: Thu Apr 9 11:40:57 2026
** ld 0x560f8fd8c490 Outstanding Requests:
* msgid 3, origid 3, status InProgress
outstanding referrals 0, parent count 0
ld 0x560f8fd8c490 request count 1 (abandoned 0)
** ld 0x560f8fd8c490 Response Queue:
Empty
ld 0x560f8fd8c490 response count 0
ldap_chkResponseList ld 0x560f8fd8c490 msgid 3 all 1
ldap_chkResponseList returns ld 0x560f8fd8c490 NULL
ldap_int_select
read1msg: ld 0x560f8fd8c490 msgid 3 all 1
ldap_find_request_by_msgid: msgid 3, lr 0x560f8fd9f0c0 lr->lr_refcnt = 1
read1msg: ld 0x560f8fd8c490 msgid 3 message type bind
read1msg: ld 0x560f8fd8c490 0 new referrals
read1msg: mark request completed, ld 0x560f8fd8c490 msgid 3
request done: ld 0x560f8fd8c490 msgid 3
res_errno: 0, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x560f8fd9f0c0, lr 0x560f8fd9f0c0
ldap_return_request: lrx->lr_msgid 3, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 3, msgid 3)
ldap_free_request_int: lr 0x560f8fd9f0c0 msgid 3 removed
ldap_do_free_request: asked to free lr 0x560f8fd9f0c0 msgid 3 refcnt 0
ldap_parse_result
ldap_msgfree
ldap_sasl_bind_s
ldap_sasl_bind
ldap_send_initial_request
ldap_send_server_request
ldap_result ld 0x560f8fd8c490 msgid 4
wait4msg ld 0x560f8fd8c490 msgid 4 (infinite timeout)
wait4msg continue ld 0x560f8fd8c490 msgid 4 all 1
** ld 0x560f8fd8c490 Connections:
* host: 192.168.11.1 port: 10636 (default)
* from: IP=192.168.156.5:36866
refcnt: 2 status: Connected
last used: Thu Apr 9 11:40:57 2026
** ld 0x560f8fd8c490 Outstanding Requests:
* msgid 4, origid 4, status InProgress
outstanding referrals 0, parent count 0
ld 0x560f8fd8c490 request count 1 (abandoned 0)
** ld 0x560f8fd8c490 Response Queue:
Empty
ld 0x560f8fd8c490 response count 0
ldap_chkResponseList ld 0x560f8fd8c490 msgid 4 all 1
ldap_chkResponseList returns ld 0x560f8fd8c490 NULL
ldap_int_select
read1msg: ld 0x560f8fd8c490 msgid 4 all 1
ldap_find_request_by_msgid: msgid 4, lr 0x560f8fd9f0c0 lr->lr_refcnt = 1
read1msg: ld 0x560f8fd8c490 msgid 4 message type bind
read1msg: ld 0x560f8fd8c490 0 new referrals
read1msg: mark request completed, ld 0x560f8fd8c490 msgid 4
request done: ld 0x560f8fd8c490 msgid 4
res_errno: 0, res_error: <>, res_matched: <>
ldap_return_request: lrx 0x560f8fd9f0c0, lr 0x560f8fd9f0c0
ldap_return_request: lrx->lr_msgid 4, lrx->lr_refcnt is now 0, lr is still present
ldap_free_request (origid 4, msgid 4)
ldap_free_request_int: lr 0x560f8fd9f0c0 msgid 4 removed
ldap_do_free_request: asked to free lr 0x560f8fd9f0c0 msgid 4 refcnt 0
ldap_parse_result
ldap_msgfree
NOTICE: PHP message: checkEntropy: password taken directly
NOTICE: PHP message: checkEntropy: level 4 msg:
NOTICE: PHP message: PHP Fatal error: Uncaught TypeError: LDAP value must be of type string|int|bool, float given in /www/ltb-ssp/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php:101
Stack trace:
#0 /www/ltb-ssp/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php(101): ldap_mod_replace()
#1 /www/ltb-ssp/vendor/ltb-project/ltb-common/src/Ltb/Ldap.php(435): Ltb\PhpLDAP::ldap_mod_replace()
#2 /www/ltb-ssp/lib/functions.inc.php(134): Ltb\Ldap->modify_attributes()
#3 /www/ltb-ssp/htdocs/change.php(174): change_password()
#4 /www/ltb-ssp/htdocs/index.php(229): require_once('...')
#5 {main}
thrown in /www/ltb-ssp/vendor/ltb-project/ltb-common/src/Ltb/PhpLDAP.php on line 101
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
TLS trace: SSL3 alert write:warning:close notify
ldap_free_connection: actually freed
My configuration is below:
<?php
#==============================================================================
# LTB Self Service Password
#
# Copyright (C) 2024 Clement OUDOT
# Copyright (C) 2024 LTB-project.org
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# GPL License: http://www.gnu.org/licenses/gpl.txt
#
#==============================================================================
#==============================================================================
# All the default values are kept here, you should not modify it but use
# config.inc.local.php file instead to override the settings from here.
#==============================================================================
#==============================================================================
# Configuration
#==============================================================================
# Debug mode
# true: log and display any errors or warnings (use this in configuration/testing)
# false: log only errors and do not display them (use this in production)
# NOTE(review): set to true in this file; for a production instance the line
# above calls for false, so that errors are logged but not shown to users.
$debug = true;
# LDAP
# NOTE(review): the upper-case tokens below (LDAP_SCHEME, LDAP_HOST, LDAP_PORT,
# LDAP_STARTTLS, ROOT_SUFFIX, MANAGER_PASS, LDAP_OU) look like placeholders that
# are substituted at deploy time - confirm. LDAP_STARTTLS is unquoted, so it has
# to become a PHP literal (true/false) before this file is loaded.
$ldap_url = "LDAP_SCHEME://LDAP_HOST:LDAP_PORT";
$ldap_starttls = LDAP_STARTTLS;
# Bind DN and password of the manager account (see $who_change_password).
# The password sits in this file in clear text: keep the file readable by the
# web server user only and out of version control.
$ldap_binddn = "cn=manager,ROOT_SUFFIX";
$ldap_bindpw = "MANAGER_PASS";
// for GSSAPI authentication, comment out ldap_bind* and uncomment ldap_krb5ccname lines
//$ldap_krb5ccname = "/path/to/krb5cc";
# Search base for user entries
$ldap_base = "ou=LDAP_OU,ROOT_SUFFIX";
# Attribute matched against the login typed by the user
$ldap_login_attribute = "uid";
$ldap_fullname_attribute = "cn";
# Search filter. PHP interpolates $ldap_login_attribute here; {login} stays a
# literal token (presumably replaced with the submitted login before the search).
# That login is user-controlled input - see $login_forbidden_chars.
# The (!(pwdAccountLockedTime=*)) clause excludes entries that carry that attribute.
$ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login})(!(pwdAccountLockedTime=*)))";
$ldap_scope = "one"; # possible values: sub, one, base
# Both switched off: the password is presumably written with a plain attribute
# modification, without the password-modify extended operation or the ppolicy
# control - TODO confirm against the library.
$ldap_use_exop_passwd = false;
$ldap_use_ppolicy_control = false;
# Network timeout (presumably in seconds) for the directory connection
$ldap_network_timeout = 10;
$ldap_page_size = 0;
# Active Directory mode
#   true  - the password is written to unicodePwd
#   false - standard LDAPv3 behaviour
$ad_mode = false;
# Active Directory specific switches
$ad_options = [
    # Unlock the account whenever its password is changed
    'force_unlock' => false,
    # Make the user change the password at next login
    'force_pwd_change' => false,
    # Let a user whose password has expired still change it
    'change_expired_password' => false,
];
# Samba mode
#   true  - sambaNTpassword and sambaPwdLastSet are updated along with the password
#   false - only the password itself is updated
# NOTE(review): sambaNTpassword holds an unsalted NT hash; make sure the
# directory ACLs do not let ordinary users read that attribute.
$samba_mode = true;
# Password min/max age written to the Samba attributes
$samba_options = [
    'min_age' => 1,
    'max_age' => 90,
    # 'expire_days' => 90,
];
# Shadow options - the entry needs the shadowAccount objectClass
# NOTE(review): the TypeError in the report is thrown by ldap_mod_replace()
# because one value in the modification array is a float. The two shadow
# attributes enabled below are day counts (presumably derived by dividing a
# timestamp), which makes them a likely source - to confirm, turn both update_*
# switches off temporarily and retry, then check the ltb-common version in use.
$shadow_options = [
    # Update shadowLastChange
    'update_shadowLastChange' => true,
    'update_shadowExpire' => true,
    # Original note: default is -1 (never expire); this file uses 90
    'shadow_expire_days' => 90,
];
# Hash mechanism used for the password. Accepted values:
#   SSHA, SSHA256, SSHA384, SSHA512
#   SHA, SHA256, SHA384, SHA512
#   SMD5
#   MD5
#   CRYPT
#   ARGON2
#   clear (the default)
#   auto (will check the hash of current password)
# This option is not used when $ldap_type = activedirectory
# NOTE(review): "clear" hands the password to the directory unhashed; whether it
# is hashed at rest then depends entirely on the directory server - verify, or
# pick one of the salted schemes listed above.
$hash = 'clear';
# Salt prefix and length, used with CRYPT
$hash_options = [
    'crypt_salt_prefix' => "$6$",
    'crypt_salt_length' => "6",
];
# Rate limiting per client IP and/or per login
# NOTE(review): switched off here, so the $max_attempts_* values below have no
# effect and nothing in this file throttles repeated attempts.
$use_ratelimit = false;
# Directory for the JSON databases (system default tmpdir when unset)
#$ratelimit_dbdir = '/tmp';
# Attempts allowed for the same login
$max_attempts_per_user = 2;
# Attempts allowed from the same IP
$max_attempts_per_ip = 2;
# How long (seconds) further requests are refused
$max_attempts_block_seconds = "60";
# $_SERVER key that holds the client IP (HTTP_X_FORWARDED_FOR ?)
# NOTE(review): REMOTE_ADDR is the TCP peer. A forwarded-for header is only
# trustworthy when a proxy you control overwrites it on every request.
$client_ip_header = "REMOTE_ADDR";
# JSON file to filter by IP
#$ratelimit_filter_by_ip_jsonfile = "/usr/share/self-service-password/conf/rrl_filter_by_ip.json";
# Local password policy
# Checked by SSP before the directory's own password policy is applied
# Minimum length
$pwd_min_length = 15;
# Maximum length
$pwd_max_length = 0;
# Minimum number of lower-case characters
$pwd_min_lower = 1;
# Minimum number of upper-case characters
$pwd_min_upper = 1;
# Minimum number of digits
$pwd_min_digit = 1;
# Minimum number of special characters
$pwd_min_special = 1;
# What counts as a special character
$pwd_special_chars = '^a-zA-Z0-9';
# Characters that may not be used at all
#$pwd_forbidden_chars = "@%";
# The new password must not equal the current one
$pwd_no_reuse = true;
# The password must differ from the login
$pwd_diff_login = true;
# Minimum number of characters that must differ from the old password
$pwd_diff_last_min_chars = 0;
# Words that must not appear in the password
$pwd_forbidden_words = [];
# LDAP attributes of the user's entry whose values must not appear in the password
# example: $pwd_forbidden_ldap_fields = array('cn', 'givenName', 'sn', 'mail');
$pwd_forbidden_ldap_fields = [
    'uid',
    'mail',
    'cn',
    'givenName',
    'sn',
];
# Complexity: how many different character classes are required
$pwd_complexity = 4;
# Check the password against the pwnedpasswords API v2 (known leaks)
$use_pwnedpasswords = false;
# Show the password entropy bar (requires the php zxcvbn module)
$pwd_display_entropy = true;
# Enforce the entropy check
$pwd_check_entropy = true;
# Minimum entropy level (used when $pwd_check_entropy is enabled)
$pwd_min_entropy = 3;
# When to show the policy constraints message:
#   always
#   never
#   onerror
$pwd_show_policy = 'always';
# Where to show it, relative to the form:
#   above
#   below
$pwd_show_policy_pos = 'above';
# Disallow a password whose only special character (as defined in
# `$pwd_special_chars`) sits at the beginning or the end
$pwd_no_special_at_ends = false;
# Which identity writes the new password (also used when saving question/answer)
#   user:    the user's own bind
#   manager: the bind DN configured above
# NOTE(review): with "manager" every change is written by the service account,
# so that account needs write access to the password attribute of all users.
$who_change_password = 'manager';
# Show the extended error message the directory returns when it refuses a password
$show_extended_error = true;
## Standard change
# Offer the standard change form?
$use_change = true;
## SSH Key Change
# Let users change their sshPublicKey?
$change_sshkey = false;
# Attribute written by the changesshkey action
$change_sshkey_attribute = 'sshPublicKey';
# objectClass that attribute requires
$change_sshkey_objectClass = 'ldapPublicKey';
# Key types accepted for a submitted SSH key
# NOTE(review): the list still contains 'ssh-dss' (DSA); review it before
# enabling $change_sshkey.
$ssh_valid_key_types = [
    'ssh-rsa',
    'ssh-dss',
    'ecdsa-sha2-nistp256',
    'ecdsa-sha2-nistp384',
    'ecdsa-sha2-nistp521',
    'ssh-ed25519',
];
# Which identity writes the sshPublicKey attribute (same values as above)
#   user:    the user's own bind
#   manager: the bind DN configured above
$who_change_sshkey = 'user';
# Notify users whenever their sshPublicKey changes
## Needs the mail configuration below
$notify_on_sshkey_change = false;
## Questions/answers
# Offer reset by security question?
$use_questions = false;
# May a user register more than one answer?
$multiple_answers = false;
# Keep several answers in one string attribute
# (only read when $multiple_answers = true)
$multiple_answers_one_str = false;
# Where answers are stored. The answer attribute should be hidden from users
# (directory ACLs), since it stands in for the password during a reset.
$answer_objectClass = 'extensibleObject';
$answer_attribute = 'info';
# Encrypt answers inside the directory
$crypt_answers = true;
# Extra questions (the built-in ones live in lang/$lang.inc.php)
# Include the built-in questions?
$questions_use_default = true;
#$messages['questions']['ice'] = "What is your favorite ice cream flavor?";
# Number of questions that must be answered.
# If = 1: legacy behavior
# If > 1:
#   this many questions are included in the page forms
#   this many questions must be set at a time
#   the user must answer this many correctly to reset a password
#   $multiple_answers must be true
#   at least this many questions must be available (only 2 are built in)
$questions_count = 1;
# May the registered question(s) be looked up from the login alone?
$question_populate_enable = false;
## Token
# Use tokens?
#   true (default)
#   false
$use_tokens = true;
# Encrypt tokens? (needs $keyphrase)
#   true (default)
#   false
$crypt_tokens = true;
# Token lifetime in seconds
$token_lifetime = "7200";
## File cache parameters
# Cache type: File or Redis
$cache_type = 'File';
# Cache namespace: entries are grouped in this directory
$cache_namespace = 'sspCache';
# Cache directory: extra directory, inside the namespace, where entries are created
$cache_directory = null;
# Default lifetime for every cached entry
# Not really useful for now, as each cache entry has its own expiration
# (see cache_token_expiration and cache_form_expiration)
$cache_default_lifetime = 0;
## Redis cache parameters
# Cache type: File or Redis
#$cache_type = "Redis";
# Data Source Name (DSN) used to reach the Redis server
# See https://symfony.com/doc/current/components/cache/adapters/redis_adapter.html
#$cache_redis_url = "redis:user:password@?host[redis1:6379]&timeout=5&dbindex=0";
# Cache namespace: entries are prefixed with this namespace
#$cache_namespace = "sspCache";
# Default lifetime for every cached entry
# Not really useful for now, as each cache entry has its own expiration
# (see cache_token_expiration and cache_form_expiration)
#$cache_default_lifetime = 0;
## General cache parameters
# $cache_token_expiration: integer, seconds a cached object lives
# whenever a token is involved
# (for example when a token is sent by sms or by mail);
# a value >= $token_lifetime is recommended
$cache_token_expiration = 7200;
# $cache_form_expiration: integer, seconds a cached object lives
# at the steps where the user has to validate a form
# (for example validating the email address before the mail is sent);
# pick a value long enough for a user to fill in the form
$cache_form_expiration = 120;
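# Reset URL (mandatory)
# Base of the link that is placed in password-reset mails.
#$reset_url = "http://ssp.example.com/";
# If inside a virtual host
#$reset_url = ($_SERVER['HTTPS'] ? "https" : "http") . "://" . $_SERVER['SERVER_NAME'] . $_SERVER['SCRIPT_NAME'];
# If behind a reverse proxy with a virtual host
#$reset_url = $_SERVER['HTTP_X_FORWARDED_PROTO'] . "://" . $_SERVER['HTTP_X_FORWARDED_HOST'] . $_SERVER['SCRIPT_NAME'];
# NOTE(review): HTTP_HOST is copied from the request's Host header, which the
# client chooses. Because this value ends up in the links of reset mails, prefer
# a fixed URL (first example above), or make sure the web server / proxy only
# accepts the host names this instance is meant to serve.
# The lookups are guarded so that a missing key (plain HTTP request, CLI run)
# no longer raises an "undefined array key" warning, and HTTPS=off is treated
# as plain HTTP.
$reset_url = ((!empty($_SERVER['HTTPS']) && strtolower((string) $_SERVER['HTTPS']) !== 'off') ? "https" : "http")
    . "://" . ($_SERVER['HTTP_HOST'] ?? '') . ($_SERVER['SCRIPT_NAME'] ?? '');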
## Mail
# LDAP mail attribute
$mail_attributes = array( "mail", "gosaMailAlternateAddress", "proxyAddresses" );
# Get mail address directly from LDAP (only first mail entry)
# and hide mail input field
# default = false
$mail_address_use_ldap = false;
# Who the email should come from
# NOTE(review): EMAIL_FROM, EMAIL_HOST, EMAIL_USER, EMAIL_PASS, EMAIL_PORT and
# EMAIL_SECURE below look like deploy-time placeholders - confirm. EMAIL_PORT is
# unquoted, so it has to become a number before this file is loaded.
$mail_from = "EMAIL_FROM";
$mail_from_name = "Ldap Self Password Service";
$mail_signature = "\n\nDevOps Team";
# Notify users anytime their password is changed
# NOTE(review): off here; a notification mail is how a user learns about a
# change they did not make themselves.
$notify_on_change = false;
# PHPMailer configuration (see https://github.com/PHPMailer/PHPMailer)
$mail_sendmailpath = '/usr/sbin/sendmail';
$mail_protocol = 'smtp';
$mail_smtp_debug = 0;
$mail_debug_format = 'html';
$mail_smtp_host = 'EMAIL_HOST';
$mail_smtp_auth = true;
# SMTP credentials are stored in this file in clear text; restrict read access
# to the file accordingly.
$mail_smtp_user = 'EMAIL_USER';
$mail_smtp_pass = 'EMAIL_PASS';
$mail_smtp_port = EMAIL_PORT;
$mail_smtp_timeout = 30;
$mail_smtp_keepalive = false;
# Transport security for the SMTP session; reset tokens travel in these mails,
# so check that the substituted value actually enables TLS.
$mail_smtp_secure = 'EMAIL_SECURE';
$mail_smtp_autotls = true;
$mail_smtp_options = array();
$mail_contenttype = 'text/plain';
$mail_wordwrap = 0;
$mail_charset = 'utf-8';
$mail_priority = 3;
## SMS
# Offer reset by SMS?
$use_sms = false;
# Read the telephone number straight from LDAP (first number entry only)
# and hide the telephone number input field
# default = false
$sms_use_ldap = false;
# SMS method (mail, api)
$sms_method = 'mail';
# Path of the SMS library to use
# Three libraries are bundled at the moment:
# - lib/smsapi-signal-cli.inc.php
# - lib/smsapi-twilio.inc.php
# - lib/smsovh/smsapi-ovh.inc.php
# The last one needs the php-ovh-sms dependency, do `composer update` in lib/smsovh
# You can also write your own library
$sms_api_lib = '';
# Attributes searched for the GSM number
$sms_attributes = [
    'mobile',
    'pager',
    'ipPhone',
    'homephone',
];
# Show the number only partially
$sms_partially_hide_number = true;
# Address the SMS mail is sent to; {sms_attribute} is replaced by the real number
$smsmailto = '{sms_attribute}@service.provider.com';
# Subject of the mail sent to the SMTP-to-SMS provider
$smsmail_subject = 'Provider code';
# Message
$sms_message = '{smsresetmessage} {smstoken}';
# Strip non-digit characters from the GSM number
$sms_sanitize_number = false;
# Truncate the GSM number
$sms_truncate_number = false;
$sms_truncate_number_length = 10;
# Length of the SMS token
$sms_token_length = 6;
# Attempts allowed for one SMS token; together with the token length this
# bounds how easily a code can be guessed
$sms_max_attempts_token = 3;
# Keyphrase for encryption/decryption; required if $use_tokens = true and
# $crypt_tokens = true, or $use_sms, or $crypt_answer
# Change it to something long, random and complicated - nobody has to remember it
# Changing it also invalidates all previously issued tokens and SMS codes
# NOTE(review): still the example value, while $use_tokens and $crypt_tokens are
# both true in this file. Replace it (here or in config.inc.local.php) with a
# long random string before tokens are issued.
$keyphrase = "secret";
# Offer the attributes update page?
$use_attributes = false;
#$attribute_mail = "mail";
#$attribute_phone = "mobile";
#$who_change_attributes = "manager";
# Show help messages
$show_help = true;
# Default language
$lang = 'en';
# Authorized languages; when empty, every language is allowed.
# When not empty and the browser language is not in the list, $lang is used.
$allowed_lang = [];
# Show the menu on top
$show_menu = true;
# Logo
$logo = 'images/ltb-logo.png';
# Background image
$background_image = 'images/unsplash-sky.jpeg';
# Path is relative to htdocs/html and the custom CSS file should be created in
# the css/ directory. For example: "css/sample.css"
$custom_css = '';
$display_footer = false;
# Customized template directory: to override some template files
$custom_tpl_dir = '';
# Where password resets are logged - the web server user needs write permission
# By default they go to the Apache log
$reset_request_log = '/var/log/nginx/self-service-password.log';
# Characters that are invalid in a login
# Set at least "*()&|" to prevent LDAP injection
# If empty, only alphanumeric characters are accepted
$login_forbidden_chars = "*()&|";
## Captcha
# NOTE(review): off here, and $use_ratelimit is off as well, so the public forms
# have no automated-abuse control configured in this file.
$use_captcha = false;
$captcha_class = 'InternalCaptcha';
#$captcha_class = "FriendlyCaptcha";
#$friendlycaptcha_apiurl = "https://api.friendlycaptcha.com/api/v1/siteverify";
#$friendlycaptcha_sitekey = "secret";
#$friendlycaptcha_secret = "secret";
#$captcha_class = "ReCaptcha";
#$recaptcha_url = "https://www.google.com/recaptcha/api/siteverify";
#$recaptcha_sitekey = "sitekey";
#$recaptcha_secretkey = "secretkey";
#$recaptcha_minscore = 0.5;
## Default action, one of:
#   change
#   sendtoken
#   sendsms
#   changecustompwdfield
$default_action = 'change';
## Default page of the custom password field to display
#$default_custompwdindex = 0;
## Rest API
$use_restapi = false;
## Extra messages
# These can also be defined in the lang/ files
$messages['passwordchangedextramessage'] = "Congratulations!";
$messages['changehelpextramessage'] = "Contact TEST team if you are lost...";
# Audit log
$audit_log_file = '/var/log/nginx/self-service-password-audit.log';
## Pre Hook
# Script launched before the password is changed.
# Exit code 0 lets the change go ahead;
# any other exit code aborts the password modification
#$prehook = "/usr/share/self-service-password/prehook.sh";
# Display prehook error
#$display_prehook_error = true;
# Encode passwords sent to the prehook script as base64. This prevents
# alteration of the passwords if set to true.
# To read the actual password in the prehook script, use a base64_decode function/tool
#$prehook_password_encodebase64 = false;
# Ignore prehook error: the password is changed even if the prehook script fails.
#$ignore_prehook_error = true;
## Post Hook
# Script launched after a successful password change
# NOTE(review): the script is handed the password, so it should not be writable
# by the web server user and should not log or store what it receives.
$posthook = "/posthook.sh";
# Display posthook error
#$display_posthook_error = true;
# Encode passwords sent to the posthook script as base64. This prevents
# alteration of the passwords if set to true.
# To read the actual password in the posthook script, use a base64_decode function/tool
# (base64 is an encoding, not protection: the script still receives the password)
$posthook_password_encodebase64 = true;
# Force setlocale if the default PHP configuration is not correct
#setlocale(LC_CTYPE, "en_US.UTF-8");
# Hide some messages so that sensitive information is not disclosed
$obscure_usernotfound_sendtoken = true;
$obscure_notfound_sendsms = true;
# Name of an HTTP header that may hold a login to preset in forms
#$header_name_preset_login="Auth-User";
# Name of an HTTP header that may hold a reference to an extra config file to include.
#$header_name_extra_config="SSP-Extra-Config";
# Cache directory
#$smarty_compile_dir = "/var/cache/self-service-password/templates_c";
#$smarty_cache_dir = "/var/cache/self-service-password/cache";
# Smarty debug mode - pops up debug information on the web interface
# and adds many smarty debug messages to the error logs
$smarty_debug = false;
## Custom Password Fields
# Change Custom Password Fields
$change_custompwdfield = [];
# Optional site-local overrides: when config.inc.local.php sits next to this
# file it is loaded here, so its assignments replace the values set above.
# It is executed as PHP - keep it non-writable for the web server user.
if (file_exists(__DIR__ . "/config.inc.local.php")) {
    require_once __DIR__ . "/config.inc.local.php";
}
# Smarty
# Path of the Smarty class file. A SMARTY constant that is already defined at
# this point (for instance by config.inc.local.php) is left untouched.
defined('SMARTY') || define('SMARTY', '/usr/share/php/smarty/Smarty.class.php');
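# Set preset login from HTTP header $header_name_preset_login
# $presetLogin stays "" unless $header_name_preset_login is configured and the
# request carries that header.
# NOTE(review): a request header is client-supplied unless a trusted front end
# sets it and strips any copy sent by the client; treat the preset login as a
# form convenience only, never as proof of identity.
$presetLogin = "";
if (isset($header_name_preset_login)) {
    # PHP exposes the header "Auth-User" as $_SERVER['HTTP_AUTH_USER']
    $presetLoginKey = "HTTP_" . strtoupper(str_replace('-', '_', $header_name_preset_login));
    if (array_key_exists($presetLoginKey, $_SERVER) && is_string($_SERVER[$presetLoginKey])) {
        # strip_tags() replaces FILTER_SANITIZE_STRING, which is deprecated since
        # PHP 8.1; the whitelist below then drops every character that is not a
        # letter, digit, "-", "_", "@" or "." (bytes above 127 included).
        $presetLogin = preg_replace("/[^a-zA-Z0-9-_@\.]+/", "", strip_tags($_SERVER[$presetLoginKey])) ?? "";
    }
}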
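# Allow to override current settings with an extra configuration file, whose
# reference is passed in the HTTP header named by $header_name_extra_config.
# NOTE(review): the header value selects which PHP file is executed. The
# whitelist below (letters, digits, "-", "_") keeps the name inside this
# directory, but any config.inc.<name>.php located here can be selected by
# whoever controls the header. Enable this only behind a front end that sets
# the header itself and strips any copy sent by the client.
if (isset($header_name_extra_config)) {
    $extraConfigKey = "HTTP_" . strtoupper(str_replace('-', '_', $header_name_extra_config));
    if (array_key_exists($extraConfigKey, $_SERVER) && is_string($_SERVER[$extraConfigKey])) {
        # strip_tags() replaces FILTER_SANITIZE_STRING (deprecated since PHP 8.1)
        $extraConfig = preg_replace("/[^a-zA-Z0-9-_]+/", "", strip_tags($_SERVER[$extraConfigKey])) ?? "";
        if (strlen($extraConfig) > 0 && file_exists(__DIR__ . "/config.inc." . $extraConfig . ".php")) {
            require_once __DIR__ . "/config.inc." . $extraConfig . ".php";
        }
    }
}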
Can someone tell me what is wrong?
Hi,
I can't deploy the new version of ssp (1.7.3), because I get this error while changing a password:
My configuration is below:
Can someone tell me what is wrong?