[Tickets #11387] Re: horde_alarms tries always to login as first admin user but with an empty password
bugs at horde.org
Fri Aug 31 11:50:04 UTC 2012
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/11387
------------------------------------------------------------------------------
Ticket | 11387
Updated By | Jan Schneider <jan at horde.org>
Summary | horde_alarms tries always to login as first admin user
| but with an empty password
Queue | Horde Base
Version | 4.0.15
Type | Bug
-State | Unconfirmed
+State | Feedback
Priority | 2. Medium
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
Jan Schneider <jan at horde.org> (2012-08-31 13:50) wrote:
> Each time horde_alarms runs by cron, it tries to log in as the first
> admin user, but with an empty password. So we get tons of failed
> logins in the logs, plus this might lead to locking the account by
> the backend.
This is the expected behavior if you use transparent authentication.
With transparent authentication, the current credentials will be used
to try to authenticate where necessary. To get administration rights
when running CLI scripts, we need to authenticate, or at least fake
authentication, as a real administrator though.
> See
> https://github.com/o-/horde/commit/3f916b63e59ee92611883f9e204a2d878c661c2f
> for an implementation of this check.
This is not a viable solution, because it may very well be allowed to
have an empty password.
> In bug #10076 it was suggested that this is a duplicate of bug
> #9733, however as we are on the latest versions, this is clearly
> still an issue.
Looks like those were not duplicates then.
I admit that this is a problem, but I don't see a proper and easy
solution to this yet. We could allow empty passwords in the
general-purpose IMAP library and catch those earlier inside
Horde-specific code, but even in Horde it might be allowed to log in
with an empty password, at least via the API.