Fri, 10 Apr 2026 17:02:22 +0000 https://bugs.horde.org/ticket/8269 Tries to bind to LDAP as each user that has a gallery Upon opening Ansel for the first time after logging on, Ansel attempts to bind to the preferences system (LDAP) as each user that has a Gallery in Ansel. This results in the error - "The preferences backend is currently unavailable and your preferences have not been loaded. You may continue to use the system with default settings." LDAP logs show the following message for each gallery owner: May 14 00:03:12 server01 slapd[1156]: conn=111275 op=2 BIND dn="uid=simon,ou=users,dc=simonandkate,dc=lan" method=128 May 14 00:03:12 server01 slapd[1156]: conn=111275 op=2 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed Wed, 13 May 2009 14:11:58 +0000 https://bugs.horde.org/ticket/8269#t54112 > Upon opening Ansel for the first time after logging on, Ansel > attempts to bind to the preferences system (LDAP) as each user that > has a Gallery in Ansel. This results in the error - "The preferences > backend is currently unavailable and your preferences have not been > loaded. You may continue to use the system with default settings." > > LDAP logs show the following message for each gallery owner: > > May 14 00:03:12 server01 slapd[1156]: conn=111275 op=2 BIND > dn="uid=simon,ou=users,dc=simonandkate,dc=lan" method=128 > May 14 00:03:12 server01 slapd[1156]: conn=111275 op=2 RESULT tag=97 > err=53 text=unauthenticated bind (DN with no password) disallowed > > With an Ansel gallery made accessible to guest users, opening .../horde/ansel as a not logged in user returns the error as above. Wed, 13 May 2009 15:05:48 +0000 https://bugs.horde.org/ticket/8269#t54114 Horde Debug logs: May 15 10:07:16 HORDE [debug] [ansel] Query By Horde_Share_sql_hierarchical: SELECT DISTINCT s.* FROM ansel_shares s LEFT JOIN ansel_shares_users AS u ON u.share_id = s.share_id LEFT JOIN ansel_shares_groups AS g ON g.share_id = s.share_id WHERE ( (s.share_owner = 'katie' OR (s.perm_creator & 2) OR (s.perm_default & 2) OR ( u.user_uid = 'katie' AND (u.perm & 2)) OR (g.group_uid IN ('cn=Everyone,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeMailAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeFileMgrAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeAddressBookAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeCalendarAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeTasksAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeNotesAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeBookmarksAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordePhotosAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeWikiAccess,ou=hordegroups,dc=simonandkate,dc=lan','cn=HordeForumAccess,ou=hordegroups,dc=simonandkate,dc=lan') AND (g.perm & 2))) ) AND (s.share_parents = '' OR s.share_parents IS NULL) ORDER BY s.attribute_name ASC [pid 1582 on line 94 of "/usr/share/horde/lib/Horde/Share/sql_hierarchical.php"] May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"] May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"] May 15 10:07:16 HORDE [debug] [ansel] using gallery style: ansel_default in Ansel::getDefaultImage() [pid 1582 on line 1633 of "/usr/share/horde/ansel/lib/Ansel.php"] May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"] May 15 10:07:16 HORDE [error] [ansel] Error rebinding for prefs writing: [53]: Server is unwilling to perform [pid 1582 on line 270 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"] May 15 10:07:16 HORDE [error] [ansel] Internal LDAP error. Details have been logged for the administrator. [pid 1582 on line 348 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"] May 15 10:07:16 HORDE [error] [ansel] Error rebinding for prefs writing: [53]: Server is unwilling to perform [pid 1582 on line 270 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"] May 15 10:07:16 HORDE [error] [ansel] Internal LDAP error. Details have been logged for the administrator. [pid 1582 on line 348 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"] May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"] May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"] May 15 10:07:16 HORDE [debug] [ansel] using gallery style: ansel_default in Ansel::getDefaultImage() [pid 1582 on line 1633 of "/usr/share/horde/ansel/lib/Ansel.php"] May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"] May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"] May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"] May 15 10:07:16 HORDE [debug] [ansel] using gallery style: ansel_default in Ansel::getDefaultImage() [pid 1582 on line 1633 of "/usr/share/horde/ansel/lib/Ansel.php"] May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"] May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"] May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"] May 15 10:07:16 HORDE [debug] [ansel] using gallery style: ansel_default in Ansel::getDefaultImage() [pid 1582 on line 1633 of "/usr/share/horde/ansel/lib/Ansel.php"] May 15 10:07:16 HORDE [debug] [ansel] ansel:admin not found. [pid 1582 on line 265 of "/usr/share/horde/lib/Horde/Perms.php"] May 15 10:07:16 HORDE [error] [ansel] Error rebinding for prefs writing: [53]: Server is unwilling to perform [pid 1582 on line 270 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"] May 15 10:07:16 HORDE [error] [ansel] Internal LDAP error. Details have been logged for the administrator. [pid 1582 on line 348 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"] May 15 10:07:16 HORDE [error] [ansel] Error rebinding for prefs writing: [53]: Server is unwilling to perform [pid 1582 on line 270 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"] May 15 10:07:16 HORDE [error] [ansel] Internal LDAP error. Details have been logged for the administrator. [pid 1582 on line 348 of "/usr/share/horde/lib/Horde/Prefs/ldap.php"] Fri, 15 May 2009 00:08:41 +0000 https://bugs.horde.org/ticket/8269#t54161 This is due to the fact there is a preference that allows a user to customize the text that is displayed when another user is viewing their list of galleries, so instead of "Michael's Galleries" I may want mine to say "The Rubinsky Family's Galleries". In order to do this, Ansel needs to access the prefs of each user that has galleries to be displayed in the current view. This will obviously only work for pref storage backends that don't require an explicit login from the user whose prefs we are reading. The fix for this will probably be to introduce a new configuration switch to turn this feature on or off. "On" for the servers that are using an SQL backend (or even LDAP, if not requiring individual user credentials). and "off" for those servers that can't do this or don't want to for performance reasons. Fri, 15 May 2009 00:46:24 +0000 https://bugs.horde.org/ticket/8269#t54163 Thanks Michael - that makes sense. My LDAP directory though is set for "* read all" except for password fields - perhaps a read could be attempted as current user first rather than trying to bind as the gallery owner? Any chance of a quick and dirty hack to get around it? :) Fri, 15 May 2009 01:02:58 +0000 https://bugs.horde.org/ticket/8269#t54165 > The fix for this will probably be to introduce a new configuration > switch to turn this feature on or off. "On" for the servers that are > using an SQL backend (or even LDAP, if not requiring individual user > credentials). and "off" for those servers that can't do this or don't > want to for performance reasons. If you remember, time ago I prepared a patch to allow locking of this preferences and avoid all loading but was rejected. Now days, I think a better approach it will be to make the pref object load the preference for multiply users at once. This will minimize queries not just in Ansel (all list with from_addr or fullname etc). So Ansel will be able to first retrieve usernames of listed galleries and then load all pref values at once (just one query instead of 9 queries in a default gallery list). Fri, 15 May 2009 10:13:35 +0000 https://bugs.horde.org/ticket/8269#t54176 The reason the patch was rejected (Bug: 6212) was because of the way in which it was implemented, not because of the idea. I agreed at the time (and still do) of the usefulness of your idea, but the implementation needs to be done in the Prefs class, and not done as a hackish wrapper around the prefs object done locally in client code. Also, your idea for loading all needed users' prefs at once is good, but would need to be workable (or at least degrade gracefully) across all the available pref backends - otherwise we are still in the same boat we are in now. If this is possible (I don't know enough about backends such as LDAP to know for sure), it might be a good approach for Horde 4, but I fear it's too late to do this for H3. Fri, 15 May 2009 13:49:40 +0000 https://bugs.horde.org/ticket/8269#t54178 > - perhaps a read could be > attempted as current user first rather than trying to bind as the > gallery owner? I'm afraid not. At least not from within Ansel, as that would get you the current user's information, not the requested user. I, unfortunately, do not know enough about our LDAP prefs driver to know if this is something that makes sense for the LDAP prefs driver....LDAP gurus? > Any chance of a quick and dirty hack to get around it? :) Well, you could just force that part of the code to not execute by commenting it out, but I'll be adding a configuration switch to Ansel to allow shutting it off, I'll probably get to it later on this afternoon. Fri, 15 May 2009 14:02:29 +0000 https://bugs.horde.org/ticket/8269#t54179 Changes have been made in CVS for this ticket: http://cvs.horde.org/diff.php/ansel/config/conf.xml?rt=horde&r1=1.58&r2=1.59&ty=u http://cvs.horde.org/diff.php/ansel/lib/Ansel.php?rt=horde&r1=1.584&r2=1.585&ty=u http://cvs.horde.org/diff.php/ansel/lib/Views/List.php?rt=horde&r1=1.35&r2=1.36&ty=u http://cvs.horde.org/diff.php/ansel/templates/group/owner.inc?rt=horde&r1=1.27&r2=1.28&ty=u Fri, 15 May 2009 19:39:52 +0000 https://bugs.horde.org/ticket/8269#t54197 Added a configuration switch to allow turning this off. To the original poster, this will fix your issue, but you might also want to try providing a specific DN to bind with for searches. Otherwise, there are a number of other places in Horde where this particular issue will bite you. Fri, 15 May 2009 19:53:15 +0000 https://bugs.horde.org/ticket/8269#t54199 > Added a configuration switch to allow turning this off. To the > original poster, this will fix your issue, but you might also want to > try providing a specific DN to bind with for searches. Otherwise, > there are a number of other places in Horde where this particular > issue will bite you. Thanks Michael, I will put in the patches and see how that goes. You are right - this is biting me in several places across Horde - The LDAP prefs backend is refusing these unauthenticated binds from at least 5 or 6 of the Horde apps for me. Some of them are patched (thanks Matthias Rolke) as they are simply trying to bind as *current* user but without password (e.g. Kronolith), but some of them are failing trying to read other user's preference data (e.g. Ansel and Turba). When you say providing a specific DN to bind with for searches do you mean at Horde's $conf[prefs][params][searchdn] and $conf[prefs][params][searchpw]? Does the DN specified there need to be able to write to LDAP prefs or just read them? I'm trying to avoid putting privileged LDAP access data into config files on the Horde box. At the moment I have those entries blank, which says it should be binding "anonymously" - it doesn't appear to be doing so? An anonymous bind to read should work fine... a bind as an actual user but without password does not. I can do an anonymous bind login in phpldapadmin and read *all* the Horde prefs without an issue. From looking at my LDAP server logs, I cannot see *any* anonymous binds from Horde, even though the above entries are set to search via an anonymous bind. When phpmyldapadmin does an anonymous bind I see: May 16 09:00:32 server01 slapd[1156]: conn=138020 op=1 BIND dn="" method=128 All the Horde binds are as a user, even with the search DN set as blank. That does not seem to be correct? Fri, 15 May 2009 23:02:37 +0000 https://bugs.horde.org/ticket/8269#t54207 > From looking at my LDAP server logs, I cannot see *any* anonymous > binds from Horde, even though the above entries are set to search via > an anonymous bind. When phpmyldapadmin does an anonymous bind I see: Correction, I am seeing some anonymous binds, will dig out some log entries... the anonymous binds are immediately followed by attempts to bind as other users. Sat, 16 May 2009 03:23:31 +0000 https://bugs.horde.org/ticket/8269#t54210 OK, I think I've figured this out... Horde uses the setting $conf[prefs][params][writedn] (which it says is for "Bind to LDAP as which user when writing permissions to LDAP") to bind with to *read* users' HordePrefs when opening Ansel (for all Gallery owners), Wicked pages (for the page author) etc. Making that setting a DN with minimum read access to *all users* HordePrefs resolves these issues across all apps. Obviously if that user has only read access however you can't change any of your own prefs. Setting it to a user with write access allows you to change your own prefs, but also gives you rights (albeit with no obvious ability) to change *any* users Prefs, not just read them. Set it to either "Bind As Admin" (or "Use Search Credentials" with $conf[prefs][params][searchdn] set to a user with write access to all users' HordePrefs etc) and no more Error 53 on LDAP binds. That doesn't seem right to me - this setting would appear to me to be for the purpose of *writing* one's own prefs, not for reading other users' prefs. What I have done as a 'work-around' is use the cn=horde,ou=accounts,dc=simonandkate,dc=lan account that I have for groups management, it's got (in slapd.conf): access to * attrs=@hordePerson by dn="cn=horde,ou=accounts,dc=simonandkate,dc=lan" write So all these bugs that I have raised appear to me to come back to a Horde LDAP issue - with an LDAP backend it would appear that the $conf[prefs][params][writedn] parameter needs to have *all users* HordePerson attributes write access - using "Bind As User" in that setting will cause the failures logged in the bugs I have raised when trying to access another user's prefs. I would much rather have it set to Bind As User, and have an additional setting that the Horde LDAP code uses to READ all users HordePrefs etc. Along the lines of a setting $conf[prefs][params][readdn] "User Horde uses to bind to LDAP to read other users' preferences". Over to you PHP / LDAP gurus... :) Simon Sat, 16 May 2009 05:27:33 +0000 https://bugs.horde.org/ticket/8269#t54211 See the catch-all ticket #8353. Tue, 16 Jun 2009 13:38:26 +0000 https://bugs.horde.org/ticket/8269#t54609