[horde] Horde Dual Authentication Method

Michael J Rubinsky mrubinsk at horde.org
Mon Sep 2 03:03:19 UTC 2013


Quoting Christian Felsing <pug at felsing.net>:

> Hello,
>
> While researching Horde features, it seems to be possible to let
> Horde authenticate against something internal like IMP or against client
> certificates. That means:
>
> 1st: If the user presents a valid certificate to Apache, let him in w/o asking
> for a username/password
> 2nd: Otherwise ask him for a username/password and let e.g. an IMAP server
> do the authentication
>
> Requirements for that strange(?) installation:
>
> One IMAP server which wants a username/password and one IMAP server which
> does not need authentication (not visible to anything else than Horde),
> and a conditional config file
>
> /var/www/horde/config/conf.php
>
> ... (config stuff created by Horde Web admin)
> /* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */
> if (isset($_SERVER["HTTP_SSL_CLIENT_VERIFY"]) &&
> ($_SERVER["HTTP_SSL_CLIENT_VERIFY"]=='SUCCESS')) {
>   $conf['auth']['params']['requestuser'] = false;
>   $conf['auth']['driver'] = 'auto';
>   $conf['auth']['params']['username'] =
> $_SERVER["HTTP_SSL_CLIENT_S_DN_EMAIL"];
>   unset($conf['auth']['params']['app']);
>   $conf['mailer']['params']['host'] = '192.168.1.23';
>   $conf['mailer']['params']['auth'] = false;
> }
>
>
> Config stuff after
> /* CONFIG END. DO NOT CHANGE ANYTHING IN OR BEFORE THIS LINE. */
> overwrites the Horde config made before it, so this special feature does not
> break things made by Horde. Horde sees a different config if the user has
> authenticated to Apache with a client certificate.
>
> In /var/www/horde/imp/config/backends.local.php we need a "conditional"
> backend:
>
> if (isset($_SERVER["HTTP_SSL_CLIENT_VERIFY"]) &&
> ($_SERVER["HTTP_SSL_CLIENT_VERIFY"]=='SUCCESS')) {
>   $servers['myimap'] = array(
>     'disabled' => false,
>     'name' => 'IMAP Server',
>     'hostspec' => '192.168.1.23',
>     'hordeauth' => 'full',
>     'protocol' => 'imap',
>     'port' => 143,
>     'secure' => 'false',
>     'maildomain' => '',
>     'quota' => array(
>         'driver' => 'imap',
>         'params' => array(
>             'hide_when_unlimited' => true,
>             'unit' => 'MB'
>         )
>     ),
>     'cache' => false,
>     'acl' => true,
>   );
> } else {
>   $servers['myimap'] = array(
>     'disabled' => false,
>     'name' => 'IMAP Server',
>     'hostspec' => '192.168.1.22',
>     'hordeauth' => 'full',
>     'protocol' => 'imap',
>     'port' => 143,
>     'secure' => 'false',
>     'maildomain' => '',
>     'quota' => array(
>         'driver' => 'imap',
>         'params' => array(
>             'hide_when_unlimited' => true,
>             'unit' => 'MB'
>         )
>     ),
>     'cache' => false,
>     'acl' => true,
>   );
> }
>
> Unfortunately that does not work with ActiveSync; Issue #12611
> describes the reason, but it seems there is work in progress.

Official X509 certificate support has already been implemented in the
horde_5_2 branch in Git, both for Horde itself and for ActiveSync.
Though, for what you describe above, this really won't help you. What
you are doing is kind of defeating the purpose of requiring
certificates, but I guess if it suits your needs then go for it.

The configuration is an either/or thing for Horde authentication, and
an either/both thing for ActiveSync (meaning BOTH authentication methods
are required, not one or the other). To make it work in 5.2, you would
probably need to use a different vhost for the certificate people and
the user/pass people and use Horde's vhost support to use different
Horde config files for each vhost. An advantage of using an actual
Horde X509 auth driver is that it supports numerous hooks where you
can do things like further validate the certificate from some sort of
user<->certificate map or even take it further and implement a full
user-certificate authentication management module.

That being said, the latest version of Horde_ActiveSync (being pushed
right now) no longer immediately halts authentication when a password
is not available, but instead passes things along to the configured
auth driver, so you should still be able to hack something together as
above.


-- 
mike

The Horde Project (www.horde.org)
mrubinsk at horde.org
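As an added example (not code from the thread or from Horde), the certificate check that the quoted conf.php block does inline, moved into a helper that can also pick the IMAP backend in backends.local.php: a `$_SERVER` key starting with `HTTP_` is a request header, so the `HTTP_SSL_CLIENT_*` form is honoured only from a listed proxy address, while mod_ssl's native `SSL_CLIENT_VERIFY` / `SSL_CLIENT_S_DN_Email` variables (exported with `SSLOptions +StdEnvVars`) are taken as-is. The function name, the proxy address and the e-mail check are assumptions.

```php
<?php
// Added example, not Horde code. Native mod_ssl variables are set by Apache
// itself; the HTTP_SSL_CLIENT_* names are request headers, as a TLS-
// terminating proxy would forward them, so they are only trusted when
// REMOTE_ADDR is in $trusted_proxies (constructed placeholder list).
if (!function_exists('horde_client_cert_user')) {
    function horde_client_cert_user(array $server, array $trusted_proxies)
    {
        if (isset($server['SSL_CLIENT_VERIFY'])) {
            // Set by Apache itself; a client cannot supply these.
            $verify = $server['SSL_CLIENT_VERIFY'];
            $email  = isset($server['SSL_CLIENT_S_DN_Email'])
                ? $server['SSL_CLIENT_S_DN_Email'] : '';
        } elseif (isset($server['HTTP_SSL_CLIENT_VERIFY'])) {
            // Header form: any HTTP client can send this header, so accept
            // it only when the request arrived from the proxy.
            if (!isset($server['REMOTE_ADDR'])
                || !in_array($server['REMOTE_ADDR'], $trusted_proxies, true)) {
                return null;
            }
            $verify = $server['HTTP_SSL_CLIENT_VERIFY'];
            $email  = isset($server['HTTP_SSL_CLIENT_S_DN_EMAIL'])
                ? $server['HTTP_SSL_CLIENT_S_DN_EMAIL'] : '';
        } else {
            return null;
        }
        if ($verify !== 'SUCCESS') {
            return null;
        }
        // The DN e-mail becomes the Horde username: require a plain address.
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            return null;
        }
        return strtolower($email);
    }
}

// Usage after the CONFIG END line in conf.php (same switches as the thread).
$cert_user = horde_client_cert_user($_SERVER, array('192.168.1.10'));
if ($cert_user !== null) {
    $conf['auth']['driver'] = 'auto';
    $conf['auth']['params']['requestuser'] = false;
    $conf['auth']['params']['username'] = $cert_user;
    unset($conf['auth']['params']['app']);
    $conf['mailer']['params']['host'] = '192.168.1.23';
    $conf['mailer']['params']['auth'] = false;
}
```

The same call decides between the two `$servers['myimap']` definitions in backends.local.php, so both files apply one verification rule.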