[horde] Horde Dual Authentication Method

Christian Felsing pug at felsing.net
Sun Sep 1 09:02:39 UTC 2013


Hello,

While researching Horde features, it seems to be possible to let
Horde authenticate against something internal like IMP or client
certificates. That means:

1st: If the user presents a valid certificate to Apache, let him in w/o asking
for username/password
2nd: Otherwise ask him for username/password and let e.g. an IMAP server
do the authentication

Requirements for that strange(?) installation:

One IMAP server which wants username/password and one IMAP server which
does not need authentication (not visible to anything other than Horde)
and a conditional config file

/var/www/horde/config/conf.php

... (config stuff created by Horde Web admin)
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */
if (isset($_SERVER["HTTP_SSL_CLIENT_VERIFY"]) && ($_SERVER["HTTP_SSL_CLIENT_VERIFY"]=='SUCCESS')) {
  $conf['auth']['params']['requestuser'] = false;
  $conf['auth']['driver'] = 'auto';
  $conf['auth']['params']['username'] = $_SERVER["HTTP_SSL_CLIENT_S_DN_EMAIL"];
  unset($conf['auth']['params']['app']);
  $conf['mailer']['params']['host'] = '192.168.1.23';
  $conf['mailer']['params']['auth'] = false;
}


Config stuff after
/* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */
overwrites the Horde config made before, so this special feature does not
break things made by Horde. Horde sees a different config if the user has
been authenticated by Apache with a client certificate.

In /var/www/horde/imp/config/backends.local.php we need a "conditional"
backend:

if (isset($_SERVER["HTTP_SSL_CLIENT_VERIFY"]) && ($_SERVER["HTTP_SSL_CLIENT_VERIFY"]=='SUCCESS')) {
  $servers['myimap'] = array(
    'disabled' => false,
    'name' => 'IMAP Server',
    'hostspec' => '192.168.1.23',
    'hordeauth' => 'full',
    'protocol' => 'imap',
    'port' => 143,
    'secure' => false, // boolean false = no encryption; the string 'false' is not a documented value
    'maildomain' => '',
    'quota' => array(
        'driver' => 'imap',
        'params' => array(
            'hide_when_unlimited' => true,
            'unit' => 'MB'
        )
    ),
    'cache' => false,
    'acl' => true,
  );
} else {
  $servers['myimap'] = array(
    'disabled' => false,
    'name' => 'IMAP Server',
    'hostspec' => '192.168.1.22',
    'hordeauth' => 'full',
    'protocol' => 'imap',
    'port' => 143,
    'secure' => false, // boolean false = no encryption; the string 'false' is not a documented value
    'maildomain' => '',
    'quota' => array(
        'driver' => 'imap',
        'params' => array(
            'hide_when_unlimited' => true,
            'unit' => 'MB'
        )
    ),
    'cache' => false,
    'acl' => true,
  );
}

Unfortunately that does not work with ActiveSync; Issue #12611
describes the reason, but it seems there is work in progress.

Reasons for this strange config: I want to migrate all my freemail users
from user/password auth to client certificates. Their Horde preferences
should not be lost.

best regards
Christian
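
A stricter form of the certificate check used in the conf.php snippet above, as an added example that is not part of the original post and is not Horde code. $_SERVER entries whose names start with HTTP_ are normally filled from request headers, so this version trusts them only when the request comes from the front end that terminates TLS and sets those headers itself. Assumptions: PHP 7.1 or later, a proxy at 192.168.1.10, and the hypothetical names $trustedProxies and $certUsername.

```php
<?php
// Added example, not from the original post or from Horde.
// Assumed value: address of the TLS-terminating front end that overwrites
// the client-certificate request headers on every request it forwards.
$trustedProxies = ['192.168.1.10'];

// Hypothetical helper: returns the certificate e-mail address to use as the
// Horde username, or null to fall back to username/password login.
$certUsername = function (array $server) use ($trustedProxies): ?string {
    if (($server['SSL_CLIENT_VERIFY'] ?? '') === 'SUCCESS') {
        // Set by mod_ssl itself (SSLOptions +StdEnvVars), not by a header.
        $email = $server['SSL_CLIENT_S_DN_Email'] ?? '';
    } elseif (in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)
        && ($server['HTTP_SSL_CLIENT_VERIFY'] ?? '') === 'SUCCESS') {
        // HTTP_* entries mirror request headers: accept only via the proxy.
        $email = $server['HTTP_SSL_CLIENT_S_DN_EMAIL'] ?? '';
    } else {
        return null;
    }
    // An empty or malformed address must not become a login name.
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
};

$user = $certUsername($_SERVER);
if ($user !== null) {
    // Same overrides as in the post, applied only for a trusted result.
    $conf['auth']['driver'] = 'auto';
    $conf['auth']['params']['requestuser'] = false;
    $conf['auth']['params']['username'] = $user;
    unset($conf['auth']['params']['app']);
    $conf['mailer']['params']['host'] = '192.168.1.23';
    $conf['mailer']['params']['auth'] = false;
}
```

backends.local.php should branch on the same result rather than repeating the raw header test, so that both files always select the same IMAP server.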

