Tickets :: [#11387] horde_alarms tries always to login as first admin user but with an empty password

6.0.0-alpha10

5/14/25

Summary	horde_alarms tries always to login as first admin user but with an empty password
Queue	Horde Base
Queue Version	Git master
Type	Bug
State	Feedback
Priority	2. Medium
Owners
Requester	peter.meier+horde (at) immerda (dot) ch
Created	08/30/2012 (4640 days ago)
Due
Updated	07/16/2016 (3224 days ago)
Assigned	08/31/2012 (4639 days ago)
Resolved
Milestone
Patch	No

03/19/2014 06:08:58 AM	Michael Slusarz	Comment #10	Reply to this comment
Don't think this Horde_Imap_Client change is going to fix anything. Biggest difference is that a Horde_Imap_Client_Exception will be thrown instead of an InvalidArgumentException, but I don't think that is the underlying problem here. But this was a useful exercise to remind me that IMAP PREAUTH exists, so we can't require a password for the base Horde_Imap_Client_Base object constructor.

03/19/2014 06:07:22 AM	Git Commit	Comment #9	Reply to this comment
Changes have been made in Git (master): commit aa70fbed3dfee2f418a3e0e6028310b814c7e8d0 Author: Michael M Slusarz <slusarz@horde.org> Date: Wed Mar 19 00:04:37 2014 -0600 [mms] Password is no longer a necessary parameter. Possibly helps out in Ticket #11387 .../Imap_Client/lib/Horde/Imap/Client/Base.php \| 125 ++++++++++---------- .../Imap_Client/lib/Horde/Imap/Client/Socket.php \| 9 ++ .../lib/Horde/Imap/Client/Socket/Pop3.php \| 9 ++ framework/Imap_Client/package.xml \| 4 +- 4 files changed, 81 insertions(+), 66 deletions(-) http://git.horde.org/horde-git/-/commit/aa70fbed3dfee2f418a3e0e6028310b814c7e8d0

03/18/2014 07:51:20 PM	Michael Slusarz	Comment #8	Reply to this comment
We can't/won't allow blank passwords/authentication within Horde_Imap_Client since this is mandatory (for both POP3 and IMAP). Not to mention that it's still going to cause an error because authentication will fail. After dwelling on this a bit... I realize that this is an incorrect statement. A user can be preauthenticated at the IMAP level (PREAUTH), in which case neither username nor password is needed. But that being said, that's still not going to fix this ticket because it will simply result in authentication errors instead of an empty password error.

03/11/2014 08:32:29 PM	amessina (at) messinet (dot) com	Comment #7	Reply to this comment
[Show Quoted Text - 18 lines][Hide Quoted Text] Each time horde_alarms runs by cron, it tries to login as the first admin user, but with an empty, password. So we get tons of failed logins in the logs, plus this might lead to locking the account by the backend. We have the same problem. I understand the subsequent comments about needing a password for IMAP. But at least in our case, we only want alarms that are stored in SQL so I'm not sure why Horde needs to try (and fail) an IMAP login. A tentative solution for us is to set the 'load' parameter in the 'notify' call of /usr/bin/horde-alarms to false. This still seems to email the reminders correctly, and avoids IMAP authentication errors in the log. Maybe this could be made easier for users by accepting an argument (e.g. '-n' for 'no load') to /usr/bin/horde-alarms, as in the attached patch. I can confirm that this solution works well for me, as I'm not using an IMAP backend for the calendar. Not being intimately familiar with the Horde internals, I cannot comment on whether or not this is the right way to do this or not.

03/08/2014 01:26:17 PM	spamstop2 (at) terriertech (dot) com	Comment #6 New Attachment: horde-alarms.patch	Reply to this comment
Each time horde_alarms runs by cron, it tries to login as the first admin user, but with an empty, password. So we get tons of failed logins in the logs, plus this might lead to locking the account by the backend. We have the same problem. I understand the subsequent comments about needing a password for IMAP. But at least in our case, we only want alarms that are stored in SQL so I'm not sure why Horde needs to try (and fail) an IMAP login. A tentative solution for us is to set the 'load' parameter in the 'notify' call of /usr/bin/horde-alarms to false. This still seems to email the reminders correctly, and avoids IMAP authentication errors in the log. Maybe this could be made easier for users by accepting an argument (e.g. '-n' for 'no load') to /usr/bin/horde-alarms, as in the attached patch.

02/18/2014 09:25:10 PM	Michael Slusarz	Comment #5 Version ⇒ Git master	Reply to this comment
We could allow empty passwords in the general-purpose IMAP library and catch those earlier inside Horde-specific code, but even in Horde it might be allowed to login with an empty password, at least via the API. We can't/won't allow blank passwords/authentication within Horde_Imap_Client since this is mandatory (for both POP3 and IMAP). Not to mention that it's still going to cause an error because authentication will fail. This needs to be solved in the calling code. I don't know enough about the uses of transparent auth to make any changes in IMP's transparent code, but it seems like we could check for an empty password there and prevent an attempt at creating an IMAP object. Not sure if it fixes the issue with this ticket, but will remove at least one warning message.

01/08/2014 12:11:46 AM	amessina (at) messinet (dot) com	Comment #4	Reply to this comment
I am using LDAP authentication for a new horde-5.1.5 install (with IMP using hordeauth). Even so, it appears that horde_alarms tries an IMAP login: imap[27113]: starttls: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits new) no authentication saslauthd[1758]: do_request : NULL password received imap[27113]: badlogin: localhost [::1] PLAIN [SASL(-13): authentication failure: Password verification failed] Since I am not using IMP for authentication, I am not sure why this is occurring.

02/21/2013 11:20:01 AM	peter (dot) meier+horde (at) immerda (dot) ch	Comment #3	Reply to this comment
This is still a problem in the latest groupware version (5.0.4)

08/31/2012 11:50:04 AM	Jan Schneider	Comment #2 State ⇒ Feedback	Reply to this comment
Each time horde_alarms runs by cron, it tries to login as the first admin user, but with an empty, password. So we get tons of failed logins in the logs, plus this might lead to locking the account by the backend. This is the expected behavior if you use transparent authentication. With transparent authentication, the current credentials will be used to try to authenticate where necessary. To get administration rights when running CLI scripts, we need to authenticate, or at least fake authentication, as a real administrator though. See https://github.com/o-/horde/commit/3f916b63e59ee92611883f9e204a2d878c661c2f for an implementation of this check. This is not a viable solution, because it may very well be allowed to have an empty password. In ~~bug #10076~~ it was suggested that this is a duplicated of bug ~~#9733~~, however as we are on the latest versions, this is clearly still an issue. Looks like those were not duplicates then. I admit that this is a problem, but I don't see a proper and easy solution to this yet. We could allow empty passwords in the general-purpose IMAP library and catch those earlier inside Horde-specific code, but even in Horde it might be allowed to login with an empty password, at least via the API.

08/30/2012 09:23:19 PM	peter (dot) meier+horde (at) immerda (dot) ch	Comment #1 Milestone ⇒ State ⇒ Unconfirmed Patch ⇒ No Queue ⇒ Horde Base Summary ⇒ horde_alarms tries always to login as first admin user but with an empty password Type ⇒ Bug Priority ⇒ 2. Medium	Reply to this comment
Each time horde_alarms runs by cron, it tries to login as the first admin user, but with an empty, password. So we get tons of failed logins in the logs, plus this might lead to locking the account by the backend. Example log entries: 2012-08-30T23:03:42+02:00 NOTICE: HORDE [imp] PHP ERROR: Undefined index: password [pid 22832 on line 174 of "/var/www/vhosts/horde.example.ch/pear/php/Horde/Imap/Client/Base.php"] 2012-08-30T23:03:44+02:00 ERR: HORDE [imp] Mail server denied authentication. [pid 22832 on line 345 of "/var/www/vhosts/horde.example.ch/www/imp/lib/Imap.php"] 2012-08-30T23:03:44+02:00 INFO: HORDE [imp] FAILED LOGIN for foo@example.com (Horde user foo@example.com) [] to {localhost:143 [imap]} [pid 22832 on line 176 of "/var/www/vhosts/horde.example.ch/www/imp/lib/Auth.php"] 2012-08-30T23:03:46+02:00 ERR: HORDE [imp] Mail server denied authentication. [pid 22832 on line 345 of "/var/www/vhosts/horde.example.ch/www/imp/lib/Imap.php"] 2012-08-30T23:03:46+02:00 INFO: HORDE [imp] FAILED LOGIN for foo@example.com (Horde user foo@example.com) [] to {localhost:143 [imap]} [pid 22832 on line 176 of "/var/www/vhosts/horde.example.ch/www/imp/lib/Auth.php"] If we check in /var/www/vhosts/horde.example.ch/www/imp/lib/Imap.php for an empty password an raise an Exception, we get the following exception: ==================== Fatal Error: Horde_Imap_Client requires a username and password. 1. Horde_Alarm->notify() /var/www/vhosts/horde.example.ch/pear/horde-alarms:22 2. Horde_Alarm->listAlarms() /var/www/vhosts/horde.example.ch/pear/php/Horde/Alarm.php:404 3. call_user_func() /var/www/vhosts/horde.example.ch/pear/php/Horde/Alarm.php:100 4. Horde_Core_Factory_Alarm->load() 5. Horde_Registry->listApps() /var/www/vhosts/horde.example.ch/pear/php/Horde/Core/Factory/Alarm.php:114 6. Horde_Registry->hasPermission() /var/www/vhosts/horde.example.ch/pear/php/Horde/Registry.php:804 7. Horde_Registry->isAuthenticated() /var/www/vhosts/horde.example.ch/pear/php/Horde/Registry.php:1439 8. Horde_Core_Auth_Application->transparent() /var/www/vhosts/horde.example.ch/pear/php/Horde/Registry.php:1902 9. Horde_Registry->callAppMethod() /var/www/vhosts/horde.example.ch/pear/php/Horde/Core/Auth/Application.php:369 10. call_user_func_array() /var/www/vhosts/horde.example.ch/pear/php/Horde/Registry.php:1083 11. IMP_Application->authTransparent() 12. IMP_Auth::transparent() /var/www/vhosts/horde.example.ch/www/imp/lib/Application.php:387 13. IMP_Auth::authenticate() /var/www/vhosts/horde.example.ch/www/imp/lib/Auth.php:135 14. IMP_Imap->createImapObject() /var/www/vhosts/horde.example.ch/www/imp/lib/Auth.php:88 15. Horde_Imap_Client::factory() /var/www/vhosts/horde.example.ch/www/imp/lib/Imap.php:138 16. Horde_Imap_Client_Socket->__construct() /var/www/vhosts/horde.example.ch/pear/php/Horde/Imap/Client.php:345 17. Horde_Imap_Client_Base->__construct() /var/www/vhosts/horde.example.ch/pear/php/Horde/Imap/Client/Socket.php:141 ==================== See https://github.com/o-/horde/commit/3f916b63e59ee92611883f9e204a2d878c661c2f for an implementation of this check. Installed versions: # pear -c /var/www/vhosts/horde.example.ch/pear.conf list -a INSTALLED PACKAGES, CHANNEL __URI: ================================== (no packages installed) INSTALLED PACKAGES, CHANNEL DOC.PHP.NET: ======================================== (no packages installed) INSTALLED PACKAGES, CHANNEL PEAR.HORDE.ORG: =========================================== PACKAGE VERSION STATE Horde_ActiveSync 1.2.7 stable Horde_Alarm 1.0.7 stable Horde_Argv 1.0.5 stable Horde_Auth 1.4.9 stable Horde_Autoloader 1.0.1 stable Horde_Browser 1.0.8 stable Horde_Cache 1.0.5 stable Horde_Cli 1.0.4 stable Horde_Compress 1.0.7 stable Horde_Constraint 1.0.1 stable Horde_Controller 1.0.2 stable Horde_Core 1.9.2 stable Horde_Crypt 1.1.2 stable Horde_Data 1.0.7 stable Horde_DataTree 1.0.1 stable Horde_Date 1.0.11 stable Horde_Date_Parser 1.0.2 stable Horde_Db 1.2.1 stable Horde_Editor 1.0.2 stable Horde_Exception 1.0.9 stable Horde_Feed 1.1.1 stable Horde_Form 1.1.0 stable Horde_Group 1.0.5 stable Horde_History 1.0.1 stable Horde_Http 1.1.1 stable Horde_Icalendar 1.1.2 stable Horde_Image 1.0.10 stable Horde_Imap_Client 1.5.7 stable Horde_Imsp 1.0.6 stable Horde_Injector 1.0.1 stable Horde_Itip 1.0.7 stable Horde_Kolab_Format 1.1.2 stable Horde_Kolab_Server 1.0.2 stable Horde_Kolab_Session 1.1.1 stable Horde_Kolab_Storage 1.1.0 stable Horde_Lock 1.0.1 stable Horde_Log 1.1.2 stable Horde_LoginTasks 1.0.3 stable Horde_Mail 1.2.0 stable Horde_Memcache 1.1.1 stable Horde_Mime 1.6.1 stable Horde_Mime_Viewer 1.0.8 stable Horde_Nls 1.1.6 stable Horde_Notification 1.0.1 stable Horde_Oauth 1.0.2 stable Horde_Pdf 1.0.2 stable Horde_Perms 1.0.7 stable Horde_Prefs 1.1.8 stable Horde_Rdo 1.2.0 stable Horde_Role 1.0.0 stable Horde_Routes 1.1.2 stable Horde_Rpc 1.0.4 stable Horde_Scribe 1.0.2 stable Horde_Secret 1.0.2 stable Horde_Serialize 1.0.2 stable Horde_Service_Facebook 1.1.3 stable Horde_Service_Twitter 1.1.4 stable Horde_Service_Weather 1.1.2 stable Horde_SessionHandler 1.0.5 stable Horde_Share 1.3.0 stable Horde_SpellChecker 1.0.1 stable Horde_Stream_Filter 1.1.0 stable Horde_Stream_Wrapper 1.0.1 stable Horde_Support 1.0.2 stable Horde_SyncMl 1.0.9 stable Horde_Template 1.0.1 stable Horde_Text_Diff 1.0.2 stable Horde_Text_Filter 1.1.5 stable Horde_Text_Filter_Csstidy 1.0.1 stable Horde_Text_Flowed 1.0.1 stable Horde_Thrift 1.0.1 stable Horde_Token 1.1.7 stable Horde_Translation 1.0.2 stable Horde_Tree 1.0.1 stable Horde_Url 1.0.2 stable Horde_Util 1.4.0 stable Horde_Vfs 1.0.9 stable Horde_View 1.0.1 stable Horde_Xml_Element 1.0.1 stable Horde_Xml_Wbxml 1.0.3 stable content 1.0.3 stable horde 4.0.15 stable imp 5.0.23 stable ingo 2.0.9 stable kronolith 3.0.17 stable mnemo 3.0.6 stable nag 3.0.8 stable passwd 4.0.1 stable timeobjects 1.0.7 stable turba 3.0.15 stable webmail 4.0.8 stable INSTALLED PACKAGES, CHANNEL PEAR.PHP.NET: ========================================= PACKAGE VERSION STATE Archive_Tar 1.3.10 stable Auth_SASL 1.0.6 stable Cache 1.5.6 stable Console_Color 1.0.3 stable Console_Getopt 1.3.1 stable Console_Table 1.1.4 stable Crypt_Blowfish 1.0.1 stable Crypt_CHAP 1.5.0 stable DB 1.7.14 stable Date 1.5.0a2 alpha Date_Holidays 0.21.6 alpha Date_Holidays_Austria 0.1.4 alpha Date_Holidays_Brazil 0.1.2 alpha Date_Holidays_Denmark 0.1.3 alpha Date_Holidays_Discordian 0.1.1 alpha Date_Holidays_EnglandWales 0.1.4 alpha Date_Holidays_Germany 0.1.2 alpha Date_Holidays_Iceland 0.1.2 alpha Date_Holidays_Ireland 0.1.3 alpha Date_Holidays_Italy 0.1.1 alpha Date_Holidays_Japan 0.1.2 alpha Date_Holidays_Netherlands 0.1.2 alpha Date_Holidays_Norway 0.1.2 alpha Date_Holidays_PHPdotNet 0.1.2 alpha Date_Holidays_Romania 0.1.2 alpha Date_Holidays_Slovenia 0.1.2 alpha Date_Holidays_Sweden 0.1.3 alpha Date_Holidays_UNO 0.1.3 beta Date_Holidays_USA 0.1.1 alpha Date_Holidays_Ukraine 0.1.2 alpha File_Find 1.3.1 stable HTTP_Request 1.4.4 stable HTTP_WebDAV_Server 1.0.0RC7 beta MDB2 2.4.1 stable Net_DNS2 1.2.2 stable Net_FTP 1.3.7 stable Net_IMAP 1.1.1 stable Net_SMTP 1.6.1 stable Net_Sieve 1.3.2 stable Net_Socket 1.0.10 stable Net_URL 1.0.15 stable PEAR 1.9.4 stable Services_Weather 1.4.6 stable Structures_Graph 1.0.4 stable Text_Figlet 1.0.2 stable XML_Parser 1.3.4 stable XML_SVG 1.1.0 stable XML_Serializer 0.20.2 beta XML_Util 1.2.1 stable INSTALLED PACKAGES, CHANNEL PECL.PHP.NET: ========================================= PACKAGE VERSION STATE APC 3.1.9 stable LZF 1.6.2 stable geoip 1.0.8 stable intl 2.0.1 stable memcache 2.2.6 stable pam 1.0.3 stable xdiff 1.4.1 stable There should be no login if it is run by cron. As a current workaround we have added a non-existing user as the first entry in conf.php -> $conf['auth']['admins'] = array(...); However, as this still produces a lot of failed login messages in horde's and the backend's log this is not an acceptable solution. In ~~bug #10076~~ it was suggested that this is a duplicated of ~~bug #9733~~, however as we are on the latest versions, this is clearly still an issue.