Univention Bugzilla – Bug 47225
No login to Horde possible after upgrading app to 5.2.17-1
Last modified: 2019-05-04 00:03:03 CEST
After upgrading the Horde app to 5.2.17-1 login isn't possible anymore due to a bug in the newly introduced pre-authentication check. That new check is part of the following file on the host:

    /var/lib/univention-appcenter/apps/horde/etc-horde/imp/hooks.php

Here an LDAP connection is established with the following command:

    $ldapconn = ldap_connect("ldaps://$ldaphost", $ldapport);

This whole command is wrong for two different reasons:

1. Wrong port number is used

If `ldap_connect()` is used with a URI-style address as the first parameter, the second parameter (the port number) is simply ignored[1]. In effect this means that an LDAP connection is established to $ldaphost with the default port number which is 636 for the `ldaps://` scheme.

As we know, Port 636 is the Samba 4 LDAP. Unfortunately the following search uses an LDAP filter tailored for the OpenLDAP, not the Samba 4 LDAP:

    $ldapfilter = "(&(|(uid=$euserId)(mailprimaryaddress=$euserId))(objectclass=univentionmail))";

The effect is that no entries are found. The function therefore returns the string "None" as the user name which is then used when authenticating against the IMAP server.

If the port number should be taken into account, it must be part of the URI:

    $ldapconn = ldap_connect("ldaps://$ldaphost:$ldapport");

2. Wrong port number in configuration for `ldaps://` schema

Even if we change the `ldap_connect()` call to use the port number properly, this won't work because in the default configuration the port number is 7389. The effect is that PHP tries to establish an SSL connection to port 7389 (which only supports unencrypted connections and STARTTLS upgrades).

The port number in the Horde configuration must therefore be 7636 if the `ldaps://` scheme is to be used.

Corresponding forum thread: https://help.univention.com/t/cant-login-to-horde-after-upgrade-to-last-version-5-2-17-1/9059/5

This affects all users of the new version of the Horde app regardless of server configuration.

[1] As confirmed by the PHP documentation: https://secure.php.net/manual/en/function.ldap-connect.php
ok, we never tested with samba :-(

changed the authentication hook to use hostname and port (not uri) and to starttls before bind

univention-mail-horde 9f2b9cfd00d2b7de39720b522045433714b63902

and a new horde app version 5.2.17-2

please test
* horde login without samba
* horde login with samba
* app update
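
The connection pattern described in the comment above (host and port as separate arguments, StartTLS before bind), sketched as an added example that is not part of the bug thread and is not the code from the univention-mail-horde commit. The function name, the bind DN and password parameters, the returned attribute and the choice to return null rather than the string "None" on failure are assumptions.

```php
<?php
// Added illustration, not the project's hooks.php. resolve_imap_user() and
// its parameters are hypothetical names chosen for this sketch.
function resolve_imap_user(string $ldaphost, int $ldapport, string $userId,
                           string $basedn, string $binddn, string $bindpw): ?string
{
    // Host and port as separate arguments, so the configured port (7389 by
    // default) is honoured. With "ldaps://$ldaphost" as the first argument
    // the port argument is ignored and 636 is used instead.
    $ldapconn = ldap_connect($ldaphost, $ldapport);
    if ($ldapconn === false) {
        return null;
    }
    // StartTLS is an LDAPv3 extended operation.
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Upgrade the plain connection before any credentials are sent.
    // If the upgrade fails, stop instead of binding in clear text.
    if (!@ldap_start_tls($ldapconn)) {
        error_log('horde hook: StartTLS failed: ' . ldap_error($ldapconn));
        return null;
    }
    if (!@ldap_bind($ldapconn, $binddn, $bindpw)) {
        error_log('horde hook: bind failed: ' . ldap_error($ldapconn));
        return null;
    }

    // Escape the login name before it goes into the filter from the report.
    $euserId = ldap_escape($userId, '', LDAP_ESCAPE_FILTER);
    $ldapfilter = "(&(|(uid=$euserId)(mailprimaryaddress=$euserId))"
                . "(objectclass=univentionmail))";

    // Ask for one attribute only and cap the result at two entries so an
    // ambiguous match can be detected.
    $result = @ldap_search($ldapconn, $basedn, $ldapfilter,
                           ['mailPrimaryAddress'], 0, 2);
    $entries = $result ? ldap_get_entries($ldapconn, $result) : false;
    ldap_unbind($ldapconn);

    // Zero or several matches: report failure to the caller. The hook in
    // the report returned "None" here, which was then tried as IMAP user.
    if ($entries === false || $entries['count'] !== 1) {
        return null;
    }
    // ldap_get_entries() lowercases attribute names.
    return $entries[0]['mailprimaryaddress'][0] ?? null;
}
```
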
w/ Samba: OK
w/o Samba: OK
Upgrade: OK
The new version has been released.
Was this fixed in 5.2.17-3 or some later version that's not showing in updates yet? We had this recur recently in the -3 version. Had to go to settings and apply so people could log in.