2014-10-22

[#11387] horde_alarms tries always to login as first admin user but with an empty password
Summary horde_alarms tries always to login as first admin user but with an empty password
Queue Horde Base
Queue Version Git master
Type Bug
State Feedback
Priority 2. Medium
Owners
Requester peter.meier+horde (at) immerda (dot) ch
Created 2012-08-30 (783 days ago)
Due
Updated 2014-03-19 (217 days ago)
Assigned 2012-08-31 (782 days ago)
Resolved
Milestone
Patch No

History
2014-03-19 06:08:58 Michael Slusarz Comment #10
Don't think this Horde_Imap_Client change is going to fix anything.   
Biggest difference is that a Horde_Imap_Client_Exception will be 
thrown instead of an InvalidArgumentException, but I don't think that 
is the underlying problem here.

But this was a useful exercise to remind me that IMAP PREAUTH exists, 
so we can't require a password for the base Horde_Imap_Client_Base 
object constructor.
2014-03-19 06:07:22 Git Commit Comment #9
Changes have been made in Git (master):

commit aa70fbed3dfee2f418a3e0e6028310b814c7e8d0
Author: Michael M Slusarz <slusarz@horde.org>
Date:   Wed Mar 19 00:04:37 2014 -0600

     [mms] Password is no longer a necessary parameter.

     Possibly helps out in Ticket #11387

  .../Imap_Client/lib/Horde/Imap/Client/Base.php     |  125 ++++++++++----------
  .../Imap_Client/lib/Horde/Imap/Client/Socket.php   |    9 ++
  .../lib/Horde/Imap/Client/Socket/Pop3.php          |    9 ++
  framework/Imap_Client/package.xml                  |    4 +-
  4 files changed, 81 insertions(+), 66 deletions(-)

http://git.horde.org/horde-git/-/commit/aa70fbed3dfee2f418a3e0e6028310b814c7e8d0
2014-03-18 19:51:20 Michael Slusarz Comment #8
> We can't/won't allow blank passwords/authentication within
> Horde_Imap_Client since this is mandatory (for both POP3 and IMAP).
> Not to mention that it's still going to cause an error because
> authentication will fail.
After dwelling on this a bit... I realize that this is an incorrect 
statement.  A user can be preauthenticated at the IMAP level 
(PREAUTH), in which case neither username nor password is needed.

But that being said, that's still not going to fix this ticket because 
it will simply result in authentication errors instead of an empty 
password error.
2014-03-11 20:32:29 amessina (at) messinet (dot) com Comment #7
I can confirm that this solution works well for me, as I'm not using 
an IMAP backend for the calendar.  Not being intimately familiar with 
the Horde internals, I cannot comment on whether or not this is the 
*right* way to do this or not.

2014-03-08 13:26:17 spamstop2 (at) terriertech (dot) com Comment #6
New Attachment: horde-alarms.patch
> Each time horde_alarms runs by cron, it tries to login as the first
> admin user, but with an empty password. So we get tons of failed
> logins in the logs, plus this might lead to locking the account by
> the backend.
We have the same problem.  I understand the subsequent comments about 
needing a password for IMAP.  But at least in our case, we only want 
alarms that are stored in SQL so I'm not sure why Horde needs to try 
(and fail) an IMAP login.

A tentative solution for us is to set the 'load' parameter in the 
'notify' call of /usr/bin/horde-alarms to false.  This still seems to 
email the reminders correctly, and avoids IMAP authentication errors 
in the log.

Maybe this could be made easier for users by accepting an argument 
(e.g. '-n' for 'no load') to /usr/bin/horde-alarms, as in the attached 
patch.

2014-02-18 21:25:10 Michael Slusarz Comment #5
Version ⇒ Git master
> We could allow empty passwords in the general-purpose IMAP library
> and catch those earlier inside Horde-specific code, but even in
> Horde it might be allowed to login with an empty password, at least
> via the API.
We can't/won't allow blank passwords/authentication within 
Horde_Imap_Client since this is mandatory (for both POP3 and IMAP).   
Not to mention that it's still going to cause an error because 
authentication will fail.

This needs to be solved in the calling code.  I don't know enough 
about the uses of transparent auth to make any changes in IMP's 
transparent code, but it seems like we could check for an empty 
password there and prevent an attempt at creating an IMAP object.  Not 
sure if it fixes the issue with this ticket, but will remove at least 
one warning message.
2014-01-08 00:11:46 amessina (at) messinet (dot) com Comment #4
I am using LDAP authentication for a new horde-5.1.5 install (with IMP 
using hordeauth).  Even so, it appears that horde_alarms tries an IMAP 
login:

imap[27113]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication
saslauthd[1758]: do_request      : NULL password received
imap[27113]: badlogin: localhost [::1] PLAIN [SASL(-13): authentication failure: Password verification failed]

Since I am not using IMP for authentication, I am not sure why this is 
occurring.
2013-02-21 11:20:01 peter (dot) meier+horde (at) immerda (dot) ch Comment #3
This is still a problem in the latest groupware version (5.0.4)
2012-08-31 11:50:04 Jan Schneider Comment #2
State ⇒ Feedback
> Each time horde_alarms runs by cron, it tries to login as the first
> admin user, but with an empty password. So we get tons of failed
> logins in the logs, plus this might lead to locking the account by
> the backend.
This is the expected behavior if you use transparent authentication. 
With transparent authentication, the current credentials will be used 
to try to authenticate where necessary. To get administration rights 
when running CLI scripts, we need to authenticate, or at least fake 
authentication, as a real administrator though.
This is not a viable solution, because it may very well be allowed to 
have an empty password.
> In bug #10076 it was suggested that this is a duplicate of bug
> #9733, however as we are on the latest versions, this is clearly
> still an issue.
Looks like those were not duplicates then.

I admit that this is a problem, but I don't see a proper and easy 
solution to this yet. We could allow empty passwords in the 
general-purpose IMAP library and catch those earlier inside 
Horde-specific code, but even in Horde it might be allowed to login 
with an empty password, at least via the API.
2012-08-30 21:23:19 peter (dot) meier+horde (at) immerda (dot) ch Comment #1
State ⇒ Unconfirmed
Patch ⇒ No
Milestone ⇒
Queue ⇒ Horde Base
Summary ⇒ horde_alarms tries always to login as first admin user but with an empty password
Type ⇒ Bug
Priority ⇒ 2. Medium
Each time horde_alarms runs by cron, it tries to login as the first 
admin user, but with an empty password. So we get tons of failed 
logins in the logs, plus this might lead to locking the account by the 
backend.

Example log entries:

2012-08-30T23:03:42+02:00 NOTICE: HORDE [imp] PHP ERROR: Undefined index: password [pid 22832 on line 174 of "/var/www/vhosts/horde.example.ch/pear/php/Horde/Imap/Client/Base.php"]
2012-08-30T23:03:44+02:00 ERR: HORDE [imp] Mail server denied authentication. [pid 22832 on line 345 of "/var/www/vhosts/horde.example.ch/www/imp/lib/Imap.php"]
2012-08-30T23:03:44+02:00 INFO: HORDE [imp] FAILED LOGIN for foo@example.com (Horde user foo@example.com) [] to {localhost:143 [imap]} [pid 22832 on line 176 of "/var/www/vhosts/horde.example.ch/www/imp/lib/Auth.php"]
2012-08-30T23:03:46+02:00 ERR: HORDE [imp] Mail server denied authentication. [pid 22832 on line 345 of "/var/www/vhosts/horde.example.ch/www/imp/lib/Imap.php"]
2012-08-30T23:03:46+02:00 INFO: HORDE [imp] FAILED LOGIN for foo@example.com (Horde user foo@example.com) [] to {localhost:143 [imap]} [pid 22832 on line 176 of "/var/www/vhosts/horde.example.ch/www/imp/lib/Auth.php"]

If we check in /var/www/vhosts/horde.example.ch/www/imp/lib/Imap.php 
for an empty password and raise an Exception, we get the following 
exception:

====================

Fatal Error:
Horde_Imap_Client requires a username and password.

  1. Horde_Alarm->notify() /var/www/vhosts/horde.example.ch/pear/horde-alarms:22
  2. Horde_Alarm->listAlarms() /var/www/vhosts/horde.example.ch/pear/php/Horde/Alarm.php:404
  3. call_user_func() /var/www/vhosts/horde.example.ch/pear/php/Horde/Alarm.php:100
  4. Horde_Core_Factory_Alarm->load()
  5. Horde_Registry->listApps() /var/www/vhosts/horde.example.ch/pear/php/Horde/Core/Factory/Alarm.php:114
  6. Horde_Registry->hasPermission() /var/www/vhosts/horde.example.ch/pear/php/Horde/Registry.php:804
  7. Horde_Registry->isAuthenticated() /var/www/vhosts/horde.example.ch/pear/php/Horde/Registry.php:1439
  8. Horde_Core_Auth_Application->transparent() /var/www/vhosts/horde.example.ch/pear/php/Horde/Registry.php:1902
  9. Horde_Registry->callAppMethod() /var/www/vhosts/horde.example.ch/pear/php/Horde/Core/Auth/Application.php:369
 10. call_user_func_array() /var/www/vhosts/horde.example.ch/pear/php/Horde/Registry.php:1083
 11. IMP_Application->authTransparent()
 12. IMP_Auth::transparent() /var/www/vhosts/horde.example.ch/www/imp/lib/Application.php:387
 13. IMP_Auth::authenticate() /var/www/vhosts/horde.example.ch/www/imp/lib/Auth.php:135
 14. IMP_Imap->createImapObject() /var/www/vhosts/horde.example.ch/www/imp/lib/Auth.php:88
 15. Horde_Imap_Client::factory() /var/www/vhosts/horde.example.ch/www/imp/lib/Imap.php:138
 16. Horde_Imap_Client_Socket->__construct() /var/www/vhosts/horde.example.ch/pear/php/Horde/Imap/Client.php:345
 17. Horde_Imap_Client_Base->__construct() /var/www/vhosts/horde.example.ch/pear/php/Horde/Imap/Client/Socket.php:141

====================

See 
https://github.com/o-/horde/commit/3f916b63e59ee92611883f9e204a2d878c661c2f 
for an implementation of this check.

Installed versions:
# pear -c /var/www/vhosts/horde.example.ch/pear.conf list -a
INSTALLED PACKAGES, CHANNEL __URI:
==================================
(no packages installed)
INSTALLED PACKAGES, CHANNEL DOC.PHP.NET:
========================================
(no packages installed)

INSTALLED PACKAGES, CHANNEL PEAR.HORDE.ORG:
===========================================
PACKAGE                   VERSION STATE
Horde_ActiveSync          1.2.7   stable
Horde_Alarm               1.0.7   stable
Horde_Argv                1.0.5   stable
Horde_Auth                1.4.9   stable
Horde_Autoloader          1.0.1   stable
Horde_Browser             1.0.8   stable
Horde_Cache               1.0.5   stable
Horde_Cli                 1.0.4   stable
Horde_Compress            1.0.7   stable
Horde_Constraint          1.0.1   stable
Horde_Controller          1.0.2   stable
Horde_Core                1.9.2   stable
Horde_Crypt               1.1.2   stable
Horde_Data                1.0.7   stable
Horde_DataTree            1.0.1   stable
Horde_Date                1.0.11  stable
Horde_Date_Parser         1.0.2   stable
Horde_Db                  1.2.1   stable
Horde_Editor              1.0.2   stable
Horde_Exception           1.0.9   stable
Horde_Feed                1.1.1   stable
Horde_Form                1.1.0   stable
Horde_Group               1.0.5   stable
Horde_History             1.0.1   stable
Horde_Http                1.1.1   stable
Horde_Icalendar           1.1.2   stable
Horde_Image               1.0.10  stable
Horde_Imap_Client         1.5.7   stable
Horde_Imsp                1.0.6   stable
Horde_Injector            1.0.1   stable
Horde_Itip                1.0.7   stable
Horde_Kolab_Format        1.1.2   stable
Horde_Kolab_Server        1.0.2   stable
Horde_Kolab_Session       1.1.1   stable
Horde_Kolab_Storage       1.1.0   stable
Horde_Lock                1.0.1   stable
Horde_Log                 1.1.2   stable
Horde_LoginTasks          1.0.3   stable
Horde_Mail                1.2.0   stable
Horde_Memcache            1.1.1   stable
Horde_Mime                1.6.1   stable
Horde_Mime_Viewer         1.0.8   stable
Horde_Nls                 1.1.6   stable
Horde_Notification        1.0.1   stable
Horde_Oauth               1.0.2   stable
Horde_Pdf                 1.0.2   stable
Horde_Perms               1.0.7   stable
Horde_Prefs               1.1.8   stable
Horde_Rdo                 1.2.0   stable
Horde_Role                1.0.0   stable
Horde_Routes              1.1.2   stable
Horde_Rpc                 1.0.4   stable
Horde_Scribe              1.0.2   stable
Horde_Secret              1.0.2   stable
Horde_Serialize           1.0.2   stable
Horde_Service_Facebook    1.1.3   stable
Horde_Service_Twitter     1.1.4   stable
Horde_Service_Weather     1.1.2   stable
Horde_SessionHandler      1.0.5   stable
Horde_Share               1.3.0   stable
Horde_SpellChecker        1.0.1   stable
Horde_Stream_Filter       1.1.0   stable
Horde_Stream_Wrapper      1.0.1   stable
Horde_Support             1.0.2   stable
Horde_SyncMl              1.0.9   stable
Horde_Template            1.0.1   stable
Horde_Text_Diff           1.0.2   stable
Horde_Text_Filter         1.1.5   stable
Horde_Text_Filter_Csstidy 1.0.1   stable
Horde_Text_Flowed         1.0.1   stable
Horde_Thrift              1.0.1   stable
Horde_Token               1.1.7   stable
Horde_Translation         1.0.2   stable
Horde_Tree                1.0.1   stable
Horde_Url                 1.0.2   stable
Horde_Util                1.4.0   stable
Horde_Vfs                 1.0.9   stable
Horde_View                1.0.1   stable
Horde_Xml_Element         1.0.1   stable
Horde_Xml_Wbxml           1.0.3   stable
content                   1.0.3   stable
horde                     4.0.15  stable
imp                       5.0.23  stable
ingo                      2.0.9   stable
kronolith                 3.0.17  stable
mnemo                     3.0.6   stable
nag                       3.0.8   stable
passwd                    4.0.1   stable
timeobjects               1.0.7   stable
turba                     3.0.15  stable
webmail                   4.0.8   stable

INSTALLED PACKAGES, CHANNEL PEAR.PHP.NET:
=========================================
PACKAGE                    VERSION  STATE
Archive_Tar                1.3.10   stable
Auth_SASL                  1.0.6    stable
Cache                      1.5.6    stable
Console_Color              1.0.3    stable
Console_Getopt             1.3.1    stable
Console_Table              1.1.4    stable
Crypt_Blowfish             1.0.1    stable
Crypt_CHAP                 1.5.0    stable
DB                         1.7.14   stable
Date                       1.5.0a2  alpha
Date_Holidays              0.21.6   alpha
Date_Holidays_Austria      0.1.4    alpha
Date_Holidays_Brazil       0.1.2    alpha
Date_Holidays_Denmark      0.1.3    alpha
Date_Holidays_Discordian   0.1.1    alpha
Date_Holidays_EnglandWales 0.1.4    alpha
Date_Holidays_Germany      0.1.2    alpha
Date_Holidays_Iceland      0.1.2    alpha
Date_Holidays_Ireland      0.1.3    alpha
Date_Holidays_Italy        0.1.1    alpha
Date_Holidays_Japan        0.1.2    alpha
Date_Holidays_Netherlands  0.1.2    alpha
Date_Holidays_Norway       0.1.2    alpha
Date_Holidays_PHPdotNet    0.1.2    alpha
Date_Holidays_Romania      0.1.2    alpha
Date_Holidays_Slovenia     0.1.2    alpha
Date_Holidays_Sweden       0.1.3    alpha
Date_Holidays_UNO          0.1.3    beta
Date_Holidays_USA          0.1.1    alpha
Date_Holidays_Ukraine      0.1.2    alpha
File_Find                  1.3.1    stable
HTTP_Request               1.4.4    stable
HTTP_WebDAV_Server         1.0.0RC7 beta
MDB2                       2.4.1    stable
Net_DNS2                   1.2.2    stable
Net_FTP                    1.3.7    stable
Net_IMAP                   1.1.1    stable
Net_SMTP                   1.6.1    stable
Net_Sieve                  1.3.2    stable
Net_Socket                 1.0.10   stable
Net_URL                    1.0.15   stable
PEAR                       1.9.4    stable
Services_Weather           1.4.6    stable
Structures_Graph           1.0.4    stable
Text_Figlet                1.0.2    stable
XML_Parser                 1.3.4    stable
XML_SVG                    1.1.0    stable
XML_Serializer             0.20.2   beta
XML_Util                   1.2.1    stable

INSTALLED PACKAGES, CHANNEL PECL.PHP.NET:
=========================================
PACKAGE  VERSION STATE
APC      3.1.9   stable
LZF      1.6.2   stable
geoip    1.0.8   stable
intl     2.0.1   stable
memcache 2.2.6   stable
pam      1.0.3   stable
xdiff    1.4.1   stable


There should be no login if it is run by cron.

As a current workaround we have added a non-existing user as the first 
entry in conf.php -> $conf['auth']['admins'] = array(...); However, as 
this still produces a lot of failed login messages in horde's and the 
backend's log this is not an acceptable solution.

In bug #10076 it was suggested that this is a duplicate of bug #9733, 
however as we are on the latest versions, this is clearly still an 
issue.
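
Added example (not part of the ticket and not Horde code): one way to separate the cron-triggered empty-password failures described in this ticket from other failed logins when reviewing the Horde log, by correlating the "Undefined index: password" notice with FAILED LOGIN entries from the same pid. The function name, the 10-second window and the bar@example.com line are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the first three entries follow the log excerpt in the
# report (wrapped lines joined); the last entry is invented for contrast and
# its bracketed address field is an assumption.
SAMPLE_LOG = """\
2012-08-30T23:03:42+02:00 NOTICE: HORDE [imp] PHP ERROR: Undefined index: password [pid 22832 on line 174 of "/var/www/vhosts/horde.example.ch/pear/php/Horde/Imap/Client/Base.php"]
2012-08-30T23:03:44+02:00 INFO: HORDE [imp] FAILED LOGIN for foo@example.com (Horde user foo@example.com) [] to {localhost:143 [imap]} [pid 22832 on line 176 of "/var/www/vhosts/horde.example.ch/www/imp/lib/Auth.php"]
2012-08-30T23:03:46+02:00 INFO: HORDE [imp] FAILED LOGIN for foo@example.com (Horde user foo@example.com) [] to {localhost:143 [imap]} [pid 22832 on line 176 of "/var/www/vhosts/horde.example.ch/www/imp/lib/Auth.php"]
2012-08-30T23:07:10+02:00 INFO: HORDE [imp] FAILED LOGIN for bar@example.com (Horde user bar@example.com) [203.0.113.7] to {localhost:143 [imap]} [pid 30111 on line 176 of "/var/www/vhosts/horde.example.ch/www/imp/lib/Auth.php"]
"""

LINE = re.compile(
    r'^(?P<ts>\S+) (?P<level>\w+): HORDE \[imp\] (?P<msg>.*) '
    r'\[pid (?P<pid>\d+) on line \d+ of "[^"]*"\]$'
)
FAILED = re.compile(r'^FAILED LOGIN for (?P<user>\S+) ')
NO_PASSWORD = "PHP ERROR: Undefined index: password"
WINDOW = timedelta(seconds=10)  # assumed correlation window, tune per site


def classify_failed_logins(log_text):
    """Return (empty_password, other): failed-login counts per user."""
    last_no_password = {}  # pid -> time of its last missing-password notice
    empty, other = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an [imp] entry in the expected format
        ts = datetime.fromisoformat(m["ts"])
        pid, msg = m["pid"], m["msg"]
        if msg.startswith(NO_PASSWORD):
            last_no_password[pid] = ts
            continue
        failed = FAILED.match(msg)
        if failed:
            seen = last_no_password.get(pid)
            # Same process logged the missing password shortly before:
            # treat the failure as an empty-password attempt.
            is_empty = seen is not None and ts - seen <= WINDOW
            (empty if is_empty else other)[failed["user"]] += 1
    return empty, other


if __name__ == "__main__":
    empty, other = classify_failed_logins(SAMPLE_LOG)
    print("empty-password failures:", dict(empty))
    print("other failures:", dict(other))
```

A steadily growing empty-password count for an admin account points at the cron job rather than at password guessing, and is the figure to compare against the backend's lockout threshold.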