[horde] Not clearing cookies on logout after changing Password (horde 5.1.1 & passwd 5.0.0)?

Andy Dorman adorman at ironicdesign.com
Tue Aug 6 13:52:18 UTC 2013


On 08/06/2013 07:55 AM, Jan Schneider wrote:
>
> Quoting Andy Dorman <adorman at ironicdesign.com>:
>
>> I think I know what the problem is...however I do not know if the
>> cause is something I have mis-configured or is an actual bug...I will
>> happily file a bug report if this is not something silly I have missed.
>>
>> At the moment my /etc/horde/passwd/backends.local.php has
>>
>> $backends['ldap'] = array(
>> 'disabled' => false,
>> 'driver' => 'ldap',
>> 'logout' => true,
>> ...
>>
>> And I am not sure it matters, but horde config has
>>
>> $conf['auth']['redirect_on_logout'] = false;
>> $conf['auth']['driver'] = 'ldap';
>>
>> When I change my password, the password is changed as it should be and
>> I am redirected to
>>
>> /login.php?url=http%3A%2F%2Fbeta.mail.comehome.net%2Fpasswd%2F&horde_logout_token=GgBd9tNLi4biDUXg49qhuA2&logout_reason=5&logout_msg=Your%20password%20has%20been%20succesfully%20changed.%20You%20need%20to%20re-login%20to%20the%20system%20with%20your%20new%20password.
>>
>>
>> Except when I get here, I get the error at the end of this email on my
>> web page.
>>
>> I can easily FIX this by clearing out my cookies for this domain and
>> reloading the URL...then I get the proper login form and the note at
>> the top about logging in again after changing my password.
>>
>> So it appears to me that whatever should be clearing my browser
>> cookies is not doing it...OR...is there a config setting I am missing?
>>
>> Thanks for any ideas you may have.
>
> Does it work if you log out manually?
>

Excellent question!  Yes.  Logging out manually works great with both FF 
and Chrome.  It is only with the password change that I have to manually 
clear cookies before I can log back in.

The failure changes if passwd/backends.local.php has 'logout' => false.

With logout => false and Chrome at 
http://beta.mail.comehome.net/... After changing my password, the next 
URL I saw was http://beta.mail.comehome.net/passwd/ with this error:

> A fatal error has occurred
>
> Mail server denied authentication.
>
>  1. Passwd_Basic->status() /usr/share/horde/passwd/index.php:22
>  2. Horde_Notification_Handler->notify() /usr/share/horde/passwd/lib/Basic.php:83
>  3. IMP_Notification_Handler_Decorator_NewmailNotify->notify() /usr/share/php/Horde/Notification/Handler.php:317
>  4. IMP_Imap->getNamespace() /usr/share/horde/imp/lib/Notification/Handler/Decorator/NewmailNotify.php:58
>  5. IMP_Imap->getNamespaceList() /usr/share/horde/imp/lib/Imap.php:407
>  6. IMP_Imap->getNamespaces() /usr/share/horde/imp/lib/Imap.php:385
>  7. IMP_Imap->__call() /usr/share/horde/imp/lib/Imap.php:385
>  8. IMP_Imap_Exception->authException() /usr/share/horde/imp/lib/Imap.php:572
>  9. Passwd_Basic->status() /usr/share/horde/passwd/index.php:22
> 10. Horde_Notification_Handler->notify() /usr/share/horde/passwd/lib/Basic.php:83
> 11. IMP_Notification_Handler_Decorator_NewmailNotify->notify() /usr/share/php/Horde/Notification/Handler.php:317
> 12. IMP_Imap->getNamespace() /usr/share/horde/imp/lib/Notification/Handler/Decorator/NewmailNotify.php:58
> 13. IMP_Imap->getNamespaceList() /usr/share/horde/imp/lib/Imap.php:407
> 14. IMP_Imap->getNamespaces() /usr/share/horde/imp/lib/Imap.php:385
> 15. IMP_Imap->__call() /usr/share/horde/imp/lib/Imap.php:385
> 16. Passwd_Basic->status() /usr/share/horde/passwd/index.php:22
> 17. Horde_Notification_Handler->notify() /usr/share/horde/passwd/lib/Basic.php:83
> 18. IMP_Notification_Handler_Decorator_NewmailNotify->notify() /usr/share/php/Horde/Notification/Handler.php:317
> 19. IMP_Imap->getNamespace() /usr/share/horde/imp/lib/Notification/Handler/Decorator/NewmailNotify.php:58
> 20. IMP_Imap->getNamespaceList() /usr/share/horde/imp/lib/Imap.php:407
> 21. IMP_Imap->getNamespaces() /usr/share/horde/imp/lib/Imap.php:385
> 22. IMP_Imap->__call() /usr/share/horde/imp/lib/Imap.php:385
> 23. call_user_func_array() /usr/share/horde/imp/lib/Imap.php:569
> 24. Horde_Imap_Client_Base->getNamespaces()
> 25. Horde_Imap_Client_Base->login() /usr/share/php/Horde/Imap/Client/Base.php:679
> 26. Horde_Imap_Client_Socket->_login() /usr/share/php/Horde/Imap/Client/Base.php:767
> Details
>
> The full error message is logged in Horde's log file, and is shown below only to administrators. Non-administrative users will not see error details.

My error log had this

2013-08-06T08:20:22.737235-05:00 yorick HORDE: [imp] Mail server denied authentication. [pid 29720 on line 94 of "/usr/share/horde/imp/lib/Imap/Exception.php"]
2013-08-06T08:20:23.338162-05:00 yorick HORDE: Bind failed: Invalid credentials [pid 29720 on line 247 of "/usr/share/php/Horde/Ldap.php"]

If I go to the root/login page I get the error below until I clear my 
cookies.

> A fatal error has occurred
>
> Bind failed: Invalid credentials
>
> 1. Horde_Registry->isAuthenticated() /usr/share/horde/login.php:62
> 2. Horde_Registry->checkExistingAuth() /usr/share/php/Horde/Registry.php:2149
> 3. Horde_Core_Factory_Auth->create() /usr/share/php/Horde/Registry.php:2512
> 4. Horde_Core_Factory_Auth->_create() /usr/share/php/Horde/Core/Factory/Auth.php:61
> 5. Horde_Core_Factory_Ldap->create() /usr/share/php/Horde/Core/Factory/Auth.php:165
> 6. Horde_Ldap->bind() /usr/share/php/Horde/Core/Factory/Ldap.php:79
> Details
>
> The full error message is logged in Horde's log file, and is shown below only to administrators. Non-administrative users will not see error details.
>
> Horde_Ldap_Exception Object
> (
>     [details] =>
>     [logged] => 1
>     [_logLevel:protected] => 0
>     [message:protected] => Bind failed: Invalid credentials
>     [string:Exception:private] =>
>     [code:protected] => 49
>     [file:protected] => /usr/share/php/Horde/Ldap.php
>     [line:protected] => 247
>     [trace:Exception:private] => Array
>         (
>             [0] => Array
>                 (
>                     [file] => /usr/share/php/Horde/Core/Factory/Ldap.php
>                     [line] => 79
>                     [function] => bind
>                     [class] => Horde_Ldap
>                     [type] => ->
>                     [args] => Array
>                         (
>                             [0] => uid=andydorman at comehome.net,ou=addresses,o=antespam.com
>                             [1] => myoldpassword
>                         )
>                 )
>             [1] => Array
>                 (
>                     [file] => /usr/share/php/Horde/Core/Factory/Auth.php
>                     [line] => 165
>                     [function] => create
>                     [class] => Horde_Core_Factory_Ldap
>                     [type] => ->
>                     [args] => Array
>                         (
>                             [0] => horde
>                             [1] => auth
>                         )
>                 )
>             [2] => Array
>                 (
>                     [file] => /usr/share/php/Horde/Core/Factory/Auth.php
>                     [line] => 61
>                     [function] => _create
>                     [class] => Horde_Core_Factory_Auth
>                     [type] => ->
>                     [args] => Array
>                         (
>                             [0] => ldap
>                         )
>                 )
>             [3] => Array
>                 (
>                     [file] => /usr/share/php/Horde/Registry.php
>                     [line] => 2512
>                     [function] => create
>                     [class] => Horde_Core_Factory_Auth
>                     [type] => ->
>                     [args] => Array
>                         (
>                         )
>                 )
>             [4] => Array
>                 (
>                     [file] => /usr/share/php/Horde/Registry.php
>                     [line] => 2149
>                     [function] => checkExistingAuth
>                     [class] => Horde_Registry
>                     [type] => ->
>                     [args] => Array
>                         (
>                             [0] => horde
>                         )
>                 )
>             [5] => Array
>                 (
>                     [file] => /usr/share/horde/login.php
>                     [line] => 62
>                     [function] => isAuthenticated
>                     [class] => Horde_Registry
>                     [type] => ->
>                     [args] => Array
>                         (
>                         )
>                 )
>         )
>     [previous:Exception:private] =>
> )

I reset logout => true and it went back to the initial behavior, i.e., it 
sends me to the URL below and responds with an error "Bind failed: 
Invalid credentials".

http://beta.mail.comehome.net/login.php?url=http%3A%2F%2Fbeta.mail.comehome.net%2Fpasswd%2F&horde_logout_token=PKU5ZAHWdYso18ptYnfPmA1&logout_reason=5&logout_msg=Your%20password%20has%20been%20succesfully%20changed.%20You%20need%20to%20re-login%20to%20the%20system%20with%20your%20new%20password.

Hmmmm, I could be wrong, but it looks like the bind failed in both cases 
(logout => true|false) because it tried to bind with my old password. 
Again, I do not know the code well enough yet to suggest if this is a 
potential cause or just a symptom of the problem.

Please let me know if you want me to try any changes to our 
passwd/backends.local.php below.  This is a beta test site, so no harm 
done by downtime.

> $backends['ldap'] = array(
>     'disabled' => false,
>     'driver' => 'ldap',
>     'logout' => true,
>     'name' => 'FanMailPlus',
>     'params' => array(
>         'host' => 'ldap.ironicdesign.com',
>         'port' => 389,
>         'basedn' => 'ou=addresses,o=antespam.com',
>         // LDAP object key attribute.
>         'uid' => 'uid',
>         // The attribute storing the password.
>         'attribute' => 'userPassword',
>         // These attributes will enable shadow password policies.
>         // 'shadowlastchange' => 'shadowLastChange',
>         // 'shadowmin' => 'shadowMin',
>         // This will be appended to the username when looking for the userdn.
>         'realm' => '',
>         // Use this filter when searching for the user's DN.
>         'filter' => '',
>         // Hash method to use when storing the password
>         'encryption' => 'plain',
>         // Whether to enable TLS for this LDAP connection
>         // Note: make sure that the host matches cn in the server certificate.
>         'tls' => false,
>         // Determine the user's DN. %u will be replaced by the user's ID.
>         'userdn' => 'uid=%u,ou=addresses,o=antespam.com'
>     ),
>     'policy' => array(
>         'minLength' => 8,
>         'minNumeric' => 1,
>         'maxLength' => 128
>     ),
>     'preferred' => '',
> );

Thanks again.

-- 
Andy Dorman
FanMail.com
Ironic Design, Inc.
AnteSpam.com, HomeFreeMail.com, ComeHome.net

CONFIDENTIALITY NOTICE: This message is for the named person's use only. 
It may contain confidential, proprietary or legally privileged 
information. No confidentiality or privilege is waived or lost by any 
erroneous transmission. If you receive this message in error, please 
immediately destroy it and notify the sender. You must not, directly or 
indirectly, use, disclose, distribute, or copy any part of this message 
if you are not the intended recipient.
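
The symptom reported in the message above (a re-bind with the old password after a password change, cured only by clearing cookies) can be modelled outside Horde. This added PHP sketch is not Horde code and not part of the original post; FakeDirectory, SessionStore, changePassword and demo are hypothetical names, and the DN and passwords are constructed sample values.

```php
<?php
// Added illustration, not Horde code: every class and function name here is hypothetical.
final class FakeDirectory // stands in for the LDAP server
{
    private array $passwords = [];
    public function set(string $dn, string $pw): void { $this->passwords[$dn] = $pw; }
    public function bind(string $dn, string $pw): bool
    {
        return isset($this->passwords[$dn]) && hash_equals($this->passwords[$dn], $pw);
    }
}

final class SessionStore // server-side sessions, keyed by the cookie value
{
    public array $sessions = [];
    public function login(FakeDirectory $dir, string $dn, string $pw): ?string
    {
        if (!$dir->bind($dn, $pw)) { return null; }
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = ['dn' => $dn, 'password' => $pw]; // credentials cached at login
        return $id;
    }
    // Per-request check that re-binds with whatever the session cached.
    public function check(FakeDirectory $dir, ?string $id): string
    {
        if ($id === null || !isset($this->sessions[$id])) { return 'login-form'; }
        $s = $this->sessions[$id];
        return $dir->bind($s['dn'], $s['password']) ? 'authenticated' : 'fatal: bind failed';
    }
}

function changePassword(FakeDirectory $dir, SessionStore $store, string $id, string $new, bool $invalidate): ?string
{
    $dir->set($store->sessions[$id]['dn'], $new);
    if ($invalidate) {
        unset($store->sessions[$id]); // drop the stale credentials server-side
        return null;                  // and expire the cookie in the response
    }
    return $id; // browser keeps presenting a session that holds the old password
}

function demo(bool $invalidate): string
{
    $dir = new FakeDirectory();
    $dir->set('uid=user,ou=example', 'constructed-old-pw');
    $store = new SessionStore();
    $cookie = $store->login($dir, 'uid=user,ou=example', 'constructed-old-pw');
    $cookie = changePassword($dir, $store, $cookie, 'constructed-new-pw', $invalidate);
    return $store->check($dir, $cookie);
}

echo demo(false), PHP_EOL, demo(true), PHP_EOL;
```

With $invalidate set to false the surviving session still holds the old password, so the next request ends in the bind failure; with true the session is gone and the next request reaches the login form.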


