6.0.0-git
2019-07-19

[#8269] Tries to bind to LDAP as each user that has a gallery
Summary Tries to bind to LDAP as each user that has a gallery
Queue Ansel
Queue Version 1.0
Type Bug
State Resolved
Priority 1. Low
Owners mrubinsk (at) horde (dot) org
Requester simon (at) simonandkate (dot) net
Created 2009-05-13 (3719 days ago)
Due
Updated 2009-06-16 (3685 days ago)
Assigned 2009-05-14 (3718 days ago)
Resolved 2009-05-15 (3717 days ago)
Milestone
Patch No

History
2009-06-16 13:38:26 Jan Schneider Comment #14
See the catch-all ticket #8353.
2009-05-16 05:27:33 simon (at) simonandkate (dot) net Comment #13
OK, I think I've figured this out...

Horde uses the setting $conf[prefs][params][writedn] (which it says is for "Bind to LDAP as which user when writing permissions to LDAP") to bind with in order to *read* users' HordePrefs when opening Ansel (for all gallery owners), Wicked pages (for the page author) etc. Making that setting a DN with minimum read access to *all users'* HordePrefs resolves these issues across all apps. Obviously, if that user has only read access, you can't change any of your own prefs, however.

Setting it to a user with write access allows you to change your own prefs, but also gives you rights (albeit with no obvious ability) to change *any* user's prefs, not just read them.

Set it to either "Bind As Admin" (or "Use Search Credentials" with $conf[prefs][params][searchdn] set to a user with write access to all users' HordePrefs etc.) and there is no more Error 53 on LDAP binds.

That doesn't seem right to me - this setting would appear to me to be for the purpose of *writing* one's own prefs, not for reading other users' prefs.

What I have done as a 'work-around' is use the cn=horde,ou=accounts,dc=simonandkate,dc=lan account that I have for groups management; it's got (in slapd.conf):

access to *
        attrs=@hordePerson
        by dn="cn=horde,ou=accounts,dc=simonandkate,dc=lan" write

So all these bugs that I have raised appear to me to come back to a Horde LDAP issue - with an LDAP backend it would appear that the $conf[prefs][params][writedn] parameter needs to have write access to *all users'* HordePerson attributes - using "Bind As User" in that setting will cause the failures logged in the bugs I have raised when trying to access another user's prefs.

I would much rather have it set to Bind As User, and have an additional setting that the Horde LDAP code uses to READ all users' HordePrefs etc. Along the lines of a setting $conf[prefs][params][readdn] "User Horde uses to bind to LDAP to read other users' preferences".

Over to you PHP / LDAP gurus... :)

Simon
2009-05-16 03:23:31 simon (at) simonandkate (dot) net Comment #12
From looking at my LDAP server logs, I cannot see *any* anonymous binds from Horde, even though the above entries are set to search via an anonymous bind. When phpldapadmin does an anonymous bind I see:

Correction, I am seeing some anonymous binds, will dig out some log entries... the anonymous binds are immediately followed by attempts to bind as other users.
2009-05-15 23:02:37 simon (at) simonandkate (dot) net Comment #11
Added a configuration switch to allow turning this off. To the original poster, this will fix your issue, but you might also want to try providing a specific DN to bind with for searches. Otherwise, there are a number of other places in Horde where this particular issue will bite you.

Thanks Michael, I will put in the patches and see how that goes.

You are right - this is biting me in several places across Horde - the LDAP prefs backend is refusing these unauthenticated binds from at least 5 or 6 of the Horde apps for me. Some of them are patched (thanks Matthias Rolke) as they are simply trying to bind as the *current* user but without a password (e.g. Kronolith), but some of them are failing trying to read other users' preference data (e.g. Ansel and Turba).

When you say providing a specific DN to bind with for searches, do you mean at Horde's $conf[prefs][params][searchdn] and $conf[prefs][params][searchpw]? Does the DN specified there need to be able to write to LDAP prefs or just read them? I'm trying to avoid putting privileged LDAP access data into config files on the Horde box. At the moment I have those entries blank, which says it should be binding "anonymously" - it doesn't appear to be doing so? An anonymous bind to read should work fine... a bind as an actual user but without a password does not. I can do an anonymous bind login in phpldapadmin and read *all* the Horde prefs without an issue.

From looking at my LDAP server logs, I cannot see *any* anonymous binds from Horde, even though the above entries are set to search via an anonymous bind. When phpldapadmin does an anonymous bind I see:

May 16 09:00:32 server01 slapd[1156]: conn=138020 op=1 BIND dn="" method=128

All the Horde binds are as a user, even with the search DN set as blank. That does not seem to be correct?
2009-05-15 19:53:15 Michael Rubinsky Comment #10
Taken from Horde Developers
State ⇒ Resolved
Added a configuration switch to allow turning this off. To the original poster, this will fix your issue, but you might also want to try providing a specific DN to bind with for searches. Otherwise, there are a number of other places in Horde where this particular issue will bite you.
2009-05-15 14:02:29 Michael Rubinsky Comment #8
- perhaps a read could be attempted as current user first rather than trying to bind as the gallery owner?

I'm afraid not. At least not from within Ansel, as that would get you the current user's information, not the requested user's. I, unfortunately, do not know enough about our LDAP prefs driver to know if this is something that makes sense for the LDAP prefs driver.... LDAP gurus?

Any chance of a quick and dirty hack to get around it? :)

Well, you could just force that part of the code to not execute by commenting it out, but I'll be adding a configuration switch to Ansel to allow shutting it off; I'll probably get to it later on this afternoon.
2009-05-15 13:49:40 Michael Rubinsky Comment #7
The reason the patch was rejected (Bug: 6212) was because of the way in which it was implemented, not because of the idea. I agreed at the time (and still do) on the usefulness of your idea, but the implementation needs to be done in the Prefs class, and not as a hackish wrapper around the prefs object done locally in client code.

Also, your idea for loading all needed users' prefs at once is good, but would need to be workable (or at least degrade gracefully) across all the available pref backends - otherwise we are still in the same boat we are in now. If this is possible (I don't know enough about backends such as LDAP to know for sure), it might be a good approach for Horde 4, but I fear it's too late to do this for H3.
2009-05-15 10:13:35 Duck Comment #6
The fix for this will probably be to introduce a new configuration switch to turn this feature on or off. "On" for the servers that are using an SQL backend (or even LDAP, if not requiring individual user credentials), and "off" for those servers that can't do this or don't want to for performance reasons.

If you remember, some time ago I prepared a patch to allow locking of these preferences and avoid all the loading, but it was rejected. Nowadays, I think a better approach would be to make the pref object load the preference for multiple users at once. This will minimize queries not just in Ansel (all lists with from_addr or fullname etc.). So Ansel will be able to first retrieve the usernames of the listed galleries and then load all pref values at once (just one query instead of 9 queries in a default gallery list).
2009-05-15 01:36:37 Chuck Hagenbuch Summary ⇒ Tries to bind to LDAP as each user that has a gallery
 
2009-05-15 01:02:58 simon (at) simonandkate (dot) net Comment #5
Thanks Michael - that makes sense. My LDAP directory though is set for "* read all" except for password fields - perhaps a read could be attempted as current user first rather than trying to bind as the gallery owner?

Any chance of a quick and dirty hack to get around it? :)
2009-05-15 00:46:24 Michael Rubinsky Comment #4
Summary ⇒ Tries to bind to LDAP as each user that has a galleryTH
This is due to the fact there is a preference that allows a user to customize the text that is displayed when another user is viewing their list of galleries, so instead of "Michael's Galleries" I may want mine to say "The Rubinsky Family's Galleries". In order to do this, Ansel needs to access the prefs of each user that has galleries to be displayed in the current view. This will obviously only work for pref storage backends that don't require an explicit login from the user whose prefs we are reading.

The fix for this will probably be to introduce a new configuration switch to turn this feature on or off. "On" for the servers that are using an SQL backend (or even LDAP, if not requiring individual user credentials), and "off" for those servers that can't do this or don't want to for performance reasons.
2009-05-15 00:08:41 simon (at) simonandkate (dot) net Comment #3
Horde Debug logs:

May 15 10:07:16 HORDE [debug] [ansel] Query By Horde_Share_sql_hierarchical: SELECT DISTINCT s.*  FROM ansel_shares s   LEFT JOIN ansel_shares_users AS u ON u.share_id = s.share_id LEFT JOIN ansel_shares_groups AS g ON g.share_id = s.share_id WHERE ( (s.share_owner = 'katie' OR (s.perm_creator & 2) OR (s.perm_default & 2) OR ( u.user_uid = 'katie' AND (u.perm & 2)) OR (g.group_uid IN ('cn=Everyone,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeMailAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeFileMgrAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeAddressBookAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeCalendarAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeTasksAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeNotesAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeBookmarksAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordePhotosAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeWikiAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeForumAccess,ou=hordegroups,dc=simonandkate,dc=lan') AND (g.perm & 2))) ) AND (s.share_parents = '' OR s.share_parents IS NULL) ORDER BY s.attribute_name ASC [pid 1582 on line 94 of "/usr/share/horde/lib/Horde/Share/sql_hierarchical.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [debug] [ansel] using gallery style: ansel_default in Ansel::getDefaultImage() [pid 1582 on line 1633 of "/usr/share/horde/ansel/lib/Ansel.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [error] [ansel] Error rebinding for prefs writing: [53]: Server is unwilling to perform [pid 1582 on line 270 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"]
May 15 10:07:16 HORDE [error] [ansel] Internal LDAP error.  Details have been logged for the administrator. [pid 1582 on line 348 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"]
May 15 10:07:16 HORDE [error] [ansel] Error rebinding for prefs writing: [53]: Server is unwilling to perform [pid 1582 on line 270 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"]
May 15 10:07:16 HORDE [error] [ansel] Internal LDAP error.  Details have been logged for the administrator. [pid 1582 on line 348 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [debug] [ansel] using gallery style: ansel_default in Ansel::getDefaultImage() [pid 1582 on line 1633 of "/usr/share/horde/ansel/lib/Ansel.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [debug] [ansel] using gallery style: ansel_default in Ansel::getDefaultImage() [pid 1582 on line 1633 of "/usr/share/horde/ansel/lib/Ansel.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [debug] [ansel] using gallery style: ansel_default in Ansel::getDefaultImage() [pid 1582 on line 1633 of "/usr/share/horde/ansel/lib/Ansel.php"]
May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"]
May 15 10:07:16 HORDE [error] [ansel] Error rebinding for prefs writing: [53]: Server is unwilling to perform [pid 1582 on line 270 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"]
May 15 10:07:16 HORDE [error] [ansel] Internal LDAP error.  Details have been logged for the administrator. [pid 1582 on line 348 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"]
May 15 10:07:16 HORDE [error] [ansel] Error rebinding for prefs writing: [53]: Server is unwilling to perform [pid 1582 on line 270 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"]
May 15 10:07:16 HORDE [error] [ansel] Internal LDAP error.  Details have been logged for the administrator. [pid 1582 on line 348 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"]
2009-05-14 17:20:59 Jan Schneider Assigned to Michael Rubinsky
Assigned to Horde Developers
State ⇒ Assigned
2009-05-13 15:05:48 simon (at) simonandkate (dot) net Comment #2
With an Ansel gallery made accessible to guest users, opening .../horde/ansel as a user who is not logged in returns the error as above.
2009-05-13 14:11:58 simon (at) simonandkate (dot) net Comment #1
Type ⇒ Bug
State ⇒ Unconfirmed
Priority ⇒ 1. Low
Summary ⇒ Tries to bind to LDAP as each user that has a gallery
Queue ⇒ Ansel
Milestone ⇒
Patch ⇒ No
Upon opening Ansel for the first time after logging on, Ansel attempts to bind to the preferences system (LDAP) as each user that has a Gallery in Ansel. This results in the error - "The preferences backend is currently unavailable and your preferences have not been loaded. You may continue to use the system with default settings."

LDAP logs show the following message for each gallery owner:

May 14 00:03:12 server01 slapd[1156]: conn=111275 op=2 BIND dn="uid=simon,ou=users,dc=simonandkate,dc=lan" method=128
May 14 00:03:12 server01 slapd[1156]: conn=111275 op=2 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
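
As an added example (not part of this ticket or of Horde's code), the following Python script does what Comments #1 and #12 do by hand: it pairs each slapd BIND with its RESULT by conn/op, counts anonymous binds (dn=""), and reports which named DNs the server refused with err=53, the "unauthenticated bind (DN with no password) disallowed" rejection quoted above. The log lines are constructed to match the slapd format quoted in the ticket; the extra conn/op entries and the "katie" bind are made up for the example.

```python
import re

# Constructed sample slapd log, modelled on the BIND/RESULT lines quoted in
# this ticket; the conn=111276 entries and the "katie" bind are made up.
SAMPLE_LOG = """\
May 14 00:03:12 server01 slapd[1156]: conn=111275 op=1 BIND dn="" method=128
May 14 00:03:12 server01 slapd[1156]: conn=111275 op=1 RESULT tag=97 err=0 text=
May 14 00:03:12 server01 slapd[1156]: conn=111275 op=2 BIND dn="uid=simon,ou=users,dc=simonandkate,dc=lan" method=128
May 14 00:03:12 server01 slapd[1156]: conn=111275 op=2 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
May 14 00:03:13 server01 slapd[1156]: conn=111275 op=3 BIND dn="uid=katie,ou=users,dc=simonandkate,dc=lan" method=128
May 14 00:03:13 server01 slapd[1156]: conn=111275 op=3 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
May 14 00:03:14 server01 slapd[1156]: conn=111276 op=1 BIND dn="cn=horde,ou=accounts,dc=simonandkate,dc=lan" method=128
May 14 00:03:14 server01 slapd[1156]: conn=111276 op=1 RESULT tag=97 err=0 text=
"""

# method=128 is a simple bind; tag=97 marks the BindResponse carrying err=.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def analyse_binds(log_text):
    """Pair every simple BIND with its RESULT (keyed by conn/op) and report
    how many binds were anonymous (dn="") and which named DNs the server
    refused with err=53, the unauthenticated-bind rejection in this ticket."""
    pending = {}  # (conn, op) -> DN of a BIND still awaiting its RESULT
    report = {"anonymous": 0, "rejected_unauthenticated": {}}
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            conn, op, dn, _method = m.groups()
            if dn == "":
                report["anonymous"] += 1
            pending[(conn, op)] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err = m.groups()
            dn = pending.pop((conn, op), None)
            # Only a named DN can be an unauthenticated bind; dn="" is anonymous.
            if dn and err == "53":
                counts = report["rejected_unauthenticated"]
                counts[dn] = counts.get(dn, 0) + 1
    return report


if __name__ == "__main__":
    for dn, n in analyse_binds(SAMPLE_LOG)["rejected_unauthenticated"].items():
        print(f"{n} unauthenticated bind(s) rejected for {dn}")
```

Run against a real slapd log, a non-empty "rejected_unauthenticated" map identifies exactly the accounts an application is trying to bind as without a password, which is the symptom the switch added in Comment #10 removes.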



