Summary | Tries to bind to LDAP as each user that has a gallery |
Queue | Ansel |
Queue Version | 1.0 |
Type | Bug |
State | Resolved |
Priority | 1. Low |
Owners | mrubinsk (at) horde (dot) org |
Requester | simon (at) simonandkate (dot) net |
Created | 05/13/2009 (5899 days ago) |
Due | |
Updated | 06/16/2009 (5865 days ago) |
Assigned | 05/14/2009 (5898 days ago) |
Resolved | 05/15/2009 (5897 days ago) |
Github Issue Link | |
Github Pull Request | |
Milestone | |
Patch | No |
ticket #8353. Horde uses the setting $conf[prefs][params][writedn] (which it says is
for "Bind to LDAP as which user when writing permissions to LDAP") to
bind with to *read* users' HordePrefs when opening Ansel (for all
Gallery owners), Wicked pages (for the page author) etc. Making that
setting a DN with minimum read access to *all users'* HordePrefs
resolves these issues across all apps. Obviously if that user has only
read access, however, you can't change any of your own prefs.
Setting it to a user with write access allows you to change your own
prefs, but also gives you rights (albeit with no obvious ability) to
change *any* user's Prefs, not just read them.
Set it to either "Bind As Admin" (or "Use Search Credentials" with
$conf[prefs][params][searchdn] set to a user with write access to all
users' HordePrefs etc) and no more Error 53 on LDAP binds.
That doesn't seem right to me - this setting would appear to me to be
for the purpose of *writing* one's own prefs, not for reading other
users' prefs.
What I have done as a 'work-around' is use the
cn=horde,ou=accounts,dc=simonandkate,dc=lan account that I have for
groups management, it's got (in slapd.conf):
access to *
attrs=@hordePerson
by dn="cn=horde,ou=accounts,dc=simonandkate,dc=lan" write
So all these bugs that I have raised appear to me to come back to a
Horde LDAP issue - with an LDAP backend it would appear that the
$conf[prefs][params][writedn] parameter needs to have *all users*
HordePerson attributes write access - using "Bind As User" in that
setting will cause the failures logged in the bugs I have raised when
trying to access another user's prefs.
I would much rather have it set to Bind As User, and have an
additional setting that the Horde LDAP code uses to READ all users'
HordePrefs etc., along the lines of a setting
$conf[prefs][params][readdn] "User Horde uses to bind to LDAP to read
other users' preferences".
Over to you PHP / LDAP gurus... :)
Simon
entries... the anonymous binds are immediately followed by attempts to
bind as other users.
You are right - this is biting me in several places across Horde - The
LDAP prefs backend is refusing these unauthenticated binds from at
least 5 or 6 of the Horde apps for me. Some of them are patched
(thanks Matthias Rolke) as they are simply trying to bind as *current*
user but without password (e.g. Kronolith), but some of them are
failing trying to read other users' preference data (e.g. Ansel and
Turba).
When you say providing a specific DN to bind with for searches do you
mean at Horde's $conf[prefs][params][searchdn] and
$conf[prefs][params][searchpw]? Does the DN specified there need to be
able to write to LDAP prefs or just read them? I'm trying to avoid
putting privileged LDAP access data into config files on the Horde
box. At the moment I have those entries blank, which says it should be
binding "anonymously" - it doesn't appear to be doing so? An anonymous
bind to read should work fine... a bind as an actual user but without
password does not. I can do an anonymous bind login in phpldapadmin
and read *all* the Horde prefs without an issue.
From looking at my LDAP server logs, I cannot see *any* anonymous
binds from Horde, even though the above entries are set to search via
an anonymous bind. When phpldapadmin does an anonymous bind I see:
May 16 09:00:32 server01 slapd[1156]: conn=138020 op=1 BIND dn="" method=128
All the Horde binds are as a user, even with the search DN set as
blank. That does not seem to be correct?
State ⇒ Resolved
Taken from
original poster, this will fix your issue, but you might also want to
try providing a specific DN to bind with for searches. Otherwise,
there are a number of other places in Horde where this particular
issue will bite you.
http://cvs.horde.org/diff.php/ansel/config/conf.xml?rt=horde&r1=1.58&r2=1.59&ty=u
http://cvs.horde.org/diff.php/ansel/lib/Ansel.php?rt=horde&r1=1.584&r2=1.585&ty=u
http://cvs.horde.org/diff.php/ansel/lib/Views/List.php?rt=horde&r1=1.35&r2=1.36&ty=u
http://cvs.horde.org/diff.php/ansel/templates/group/owner.inc?rt=horde&r1=1.27&r2=1.28&ty=u
the current user's information, not the requested user. I,
unfortunately, do not know enough about our LDAP prefs driver to know
if this is something that makes sense for the LDAP prefs
driver....LDAP gurus?
commenting it out, but I'll be adding a configuration switch to Ansel
to allow shutting it off, I'll probably get to it later on this
afternoon.
Bug: 6212) was because of the way in which it was implemented, not because of the idea. I agreed at the
time (and still do) of the usefulness of your idea, but the
implementation needs to be done in the Prefs class, and not done as a
hackish wrapper around the prefs object done locally in client code.
Also, your idea for loading all needed users' prefs at once is good,
but would need to be workable (or at least degrade gracefully) across
all the available pref backends - otherwise we are still in the same
boat we are in now. If this is possible (I don't know enough about
backends such as LDAP to know for sure), it might be a good approach
for Horde 4, but I fear it's too late to do this for H3.
preferences and avoid all loading but was rejected. Nowadays, I think
a better approach would be to make the pref object load the
preferences for multiple users at once. This will minimize queries not
just in Ansel (all lists with from_addr or fullname etc). So Ansel will
be able to first retrieve usernames of listed galleries and then load
all pref values at once (just one query instead of 9 queries in a
default gallery list).
"* read all" except for password fields - perhaps a read could be
attempted as current user first rather than trying to bind as the
gallery owner?
Any chance of a quick and dirty hack to get around it? :)
Summary ⇒ Tries to bind to LDAP as each user that has a gallery
customize the text that is displayed when another user is viewing
their list of galleries, so instead of "Michael's Galleries" I may
want mine to say "The Rubinsky Family's Galleries". In order to do
this, Ansel needs to access the prefs of each user that has galleries
to be displayed in the current view. This will obviously only work for
pref storage backends that don't require an explicit login from the
user whose prefs we are reading.
The fix for this will probably be to introduce a new configuration
switch to turn this feature on or off. "On" for the servers that are
using an SQL backend (or even LDAP, if not requiring individual user
credentials), and "off" for those servers that can't do this or don't
want to for performance reasons.
May 15 10:07:16 HORDE [debug] [ansel] Query By
Horde_Share_sql_hierarchical: SELECT DISTINCT s.* FROM ansel_shares s
LEFT JOIN ansel_shares_users AS u ON u.share_id = s.share_id LEFT
JOIN ansel_shares_groups AS g ON g.share_id = s.share_id WHERE (
(s.share_owner = 'katie' OR (s.perm_creator & 2) OR (s.perm_default &
2) OR ( u.user_uid = 'katie' AND (u.perm & 2)) OR (g.group_uid IN
('cn=Everyone,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeMailAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeFileMgrAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeAddressBookAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeCalendarAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeTasksAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeNotesAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeBookmarksAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordePhotosAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeWikiAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeForumAccess,ou=hordegroups,dc=simonandkate,dc=lan') AND (g.perm & 2))) ) AND (s.share_parents = '' OR s.share_parents IS NULL) ORDER BY s.attribute_name ASC [pid 1582 on line 94 of
"/usr/share/horde/lib/Horde/Share/sql_hierarchical.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582
on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582
on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [debug] [ansel] using gallery style:
ansel_default in Ansel::getDefaultImage() [pid 1582 on line 1633 of
"/usr/share/horde/ansel/lib/Ansel.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582
on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [error] [ansel] Error rebinding for prefs
writing: [53]: Server is unwilling to perform [pid 1582 on line 270 of
"/usr/share/horde/lib/Horde/Prefs/ldap.php"]
May 15 10:07:16 HORDE [error] [ansel] Internal LDAP error. Details
have been logged for the administrator. [pid 1582 on line 348 of
"/usr/share/horde/lib/Horde/Prefs/ldap.php"]
Assigned to Michael Rubinsky
.../horde/ansel as a not logged in user returns the error as above.
Priority ⇒ 1. Low
State ⇒ Unconfirmed
Patch ⇒ No
Milestone ⇒
Summary ⇒ Tries to bind to LDAP as each user that has a gallery
Type ⇒ Bug
Queue ⇒ Ansel
to bind to the preferences system (LDAP) as each user that has a
Gallery in Ansel. This results in the error - "The preferences backend
is currently unavailable and your preferences have not been loaded.
You may continue to use the system with default settings."
LDAP logs show the following message for each gallery owner:
May 14 00:03:12 server01 slapd[1156]: conn=111275 op=2 BIND
dn="uid=simon,ou=users,dc=simonandkate,dc=lan" method=128
May 14 00:03:12 server01 slapd[1156]: conn=111275 op=2 RESULT tag=97
err=53 text=unauthenticated bind (DN with no password) disallowed
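As an added example (not part of the ticket or of Horde), the check a server admin could run over slapd logs to spot the pattern reported here and in the anonymous-bind discussion above: BIND requests paired with their RESULT on the same conn/op, counting anonymous binds that succeed, DNs rejected with err=53 as unauthenticated, and connections that try several distinct DNs without a password (an application iterating over accounts). The log lines are constructed, with dc=example substituted for the reporter's domain.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the slapd lines quoted in the ticket:
# one connection does an anonymous bind, then binds as two user DNs
# with no password; a second connection binds normally.
SAMPLE_LOG = """\
May 14 00:03:12 server01 slapd[1156]: conn=111275 op=1 BIND dn="" method=128
May 14 00:03:12 server01 slapd[1156]: conn=111275 op=1 RESULT tag=97 err=0 text=
May 14 00:03:12 server01 slapd[1156]: conn=111275 op=2 BIND dn="uid=simon,ou=users,dc=example,dc=lan" method=128
May 14 00:03:12 server01 slapd[1156]: conn=111275 op=2 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
May 14 00:03:13 server01 slapd[1156]: conn=111275 op=3 BIND dn="uid=katie,ou=users,dc=example,dc=lan" method=128
May 14 00:03:13 server01 slapd[1156]: conn=111275 op=3 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
May 14 00:03:14 server01 slapd[1156]: conn=111276 op=0 BIND dn="uid=simon,ou=users,dc=example,dc=lan" method=128
May 14 00:03:14 server01 slapd[1156]: conn=111276 op=0 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
# tag=97 is the BindResponse; text= may be empty on success
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)(?: text=(.*))?')

def analyse_binds(log_text):
    """Pair every BIND with the RESULT carrying the same conn/op key."""
    binds = {}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            binds[(m[1], m[2])] = {"conn": m[1], "dn": m[3], "err": None, "text": ""}
            continue
        m = RESULT_RE.search(line)
        if m and (m[1], m[2]) in binds:
            binds[(m[1], m[2])]["err"] = int(m[3])
            binds[(m[1], m[2])]["text"] = m[4] or ""
    return list(binds.values())

def report(log_text):
    rows = analyse_binds(log_text)
    anonymous_ok = sum(1 for r in rows if r["dn"] == "" and r["err"] == 0)
    rejected = [r["dn"] for r in rows
                if r["err"] == 53 and "unauthenticated" in r["text"]]
    # Several distinct DNs rejected on one connection points at an
    # application binding as each account, not a user mistyping a password.
    per_conn = defaultdict(set)
    for r in rows:
        if r["err"] == 53:
            per_conn[r["conn"]].add(r["dn"])
    multi = sorted(c for c, dns in per_conn.items() if len(dns) > 1)
    return {"anonymous_ok": anonymous_ok, "rejected_unauthenticated": rejected,
            "multi_dn_conns": multi}

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```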