[horde] Login process loop with composite driver http/ldap auth.

finalbeta at finalbeta.net finalbeta at finalbeta.net
Thu Oct 27 12:06:06 UTC 2016


Hi, note I'm not a programmer, so bare with me please. 

In login.php, the user is authenticated. 
But at each call to getAuth, false is returned because $user is null. 
login.php requires index.php, index.php initiates the registry, and it seems it is already initialised. 
index.php calls getAuth and this returns false because $user is still null. 

   */
    public function getAuth($format = null)
    {
        global $session;

        if (is_null($format) && !is_null($this->_cache['auth'])) {
        	Horde::log(sprintf('registry.php getAuth returning $this->_cache[atuh]'),'NOTICE');
            return $this->_cache['auth'];
        }

        if (!isset($session)) {
        	Horde::log(sprintf('registry.php getAuth No session set'),'NOTICE');
            return false;
        }

        if ($format == 'original') {
            return $session->exists('horde', 'auth/authId')
                ? $session->get('horde', 'auth/authId')
                : false;
        }

        $user = $session->get('horde', 'auth/userId');
        if (is_null($user)) {
        	Horde::log(sprintf('registry.php getAuth no user set'),'NOTICE');
            return false;                    <<<< This is returned every time.
        }


My debug log:
so we start on login.php
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] 360 Request to isauthenticated in registry.php [pid 21064 on line 2178 of "/usr/share/pear/Horde/Registry.php"] <<<< we are authenticated on login.php
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] 360 is authenticated in logon.php 1 [pid 21064 on line 69 of "/usr/share/horde/login.php"]
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] registry.php getAuth no user set [pid 21064 on line 2366 of "/usr/share/pear/Horde/Registry.php"] <<< shouldn't getAuth have the user already???
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] registry.php getAuth no user set [pid 21064 on line 2366 of "/usr/share/pear/Horde/Registry.php"]
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] 3602 is authenticated in logon.php  [pid 21064 on line 72 of "/usr/share/horde/login.php"]
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] registry.php getAuth no user set [pid 21064 on line 2366 of "/usr/share/pear/Horde/Registry.php"]
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] Still running [pid 21064 on line 248 of "/usr/share/horde/login.php"]
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] 360 Authenticated in logon.php 1 [pid 21064 on line 261 of "/usr/share/horde/login.php"]
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] 360 logon.php index again  [pid 21064 on line 263 of "/usr/share/horde/login.php"] <<< Here login.php includes index.php
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] 360 Registry appinit [pid 21064 on line 223 of "/usr/share/pear/Horde/Registry.php"]
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] 360 registry.php Registry is already set [pid 21064 on line 225 of "/usr/share/pear/Horde/Registry.php"] <<< we already have a registry.
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] registry.php getAuth no user set [pid 21064 on line 2366 of "/usr/share/pear/Horde/Registry.php"] <<< no user is set, so getauth returns false
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] 360 Registry appinit [pid 21064 on line 223 of "/usr/share/pear/Horde/Registry.php"]
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] 360 registry.php Registry is already set [pid 21064 on line 225 of "/usr/share/pear/Horde/Registry.php"] <<< we still have the registry
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] registry.php getAuth no user set [pid 21064 on line 2366 of "/usr/share/pear/Horde/Registry.php"] <<<< no user is set, so getauth returns false and index.php sends me back to logon.php
2016-10-27T11:46:25+00:00 NOTICE: HORDE [horde] 360Redirect to login page if there is no incomming URL and nobody is authed url below is prepended!!  [pid 21064 on line 66 of "/usr/share/horde/index.php"]


So all calls to getauth fail because $user is null. Eventhough the "registry" (I'm assuming this is a session) is set. 
So the $user is never stored? When/where should the user have been stored? 

Met vriendelijke groeten,

Jochen
finalbeta at Finalbeta.net



-----Original Message-----
From: horde [mailto:horde-bounces at lists.horde.org] On Behalf Of Jan Schneider
Sent: woensdag 26 oktober 2016 10:38
To: horde at lists.horde.org
Subject: Re: [horde] Login process loop with composite driver http/ldap auth.


Zitat von finalbeta <finalbeta at finalbeta.net>:

> Hello everyone.
>
>
>
> Thank you for this great product. I'm hoping to get some assistance 
> with the composite auth driver.
>
> I've successfully tested horde with "http (Basic 
> authentication/.htpasswd) authentication" and with "LDAP authentication" separately.
>
> Now I wish to combine the two so I can let users automatically logon 
> to the system (using the basic auth) and being able to manage them by 
> connecting to the LDAP.
>
> When I do, the Horde logon process is looping me between index.php and 
> login.php ( and I don't know why. )
>
>
>
> I'm running Horde v5.2.12 with Kronolith v4.2.18 and nag 4.2.11 on 
> CentOS7 and PHP 5.4.16/Apache.
>
> this is my auth config (I've changed some values as not to disclose 
> some information/please let me know if you need the entire config, I 
> didn’t want to make the mail too long):
>
>
>
> $conf['auth']['admins'] = array('someuser', 'alsosomeuser');
>
> $conf['auth']['checkip'] = true;
>
> $conf['auth']['checkbrowser'] = true;
>
> $conf['auth']['resetpassword'] = false;
>
> $conf['auth']['alternate_login'] = false;
>
> $conf['auth']['redirect_on_logout'] = false;
>
> $conf['auth']['list_users'] = 'both';
>
> $conf['auth']['driver'] = 'composite';
>
> $conf['auth']['params']['admin_driver']['driver'] = 'ldap';
>
> $conf['auth']['params']['admin_driver']['params'] = array(
>
> 'hostspec' => array('172.16.xXx.xXx'),
>
> 'port' => 389,
>
> 'tls' => false,
>
> 'version' => '3',
>
> 'binddn' => 'SOMEDOMAIN\horde_link',
>
> 'bindpw' => 'fSomePWDK',
>
> 'bindas' => 'admin',
>
> 'basedn' => 'OU=Agents,OU=SOMEOU,DC=SOMEDOMAIN,DC=LOCAL',
>
> 'scope' => 'sub',
>
> 'ad' => true,
>
> 'uid' => 'userPrincipalName',
>
> 'encryption' => 'ssha',
>
> 'newuser_objectclass' => array('shadowAccount', 'inetOrgPerson'),
>
> 'filter' => '(&(objectCategory=person)(objectClass=user))',
>
> 'filter_type' => 'filter',
>
> 'password_expiration' => 'no'
>
> );
>
> $conf['auth']['params']['auth_driver']['driver'] = 'http';
>
> $conf['auth']['params']['auth_driver']['params'] = array(
>
> 'show_encryption' => true,
>
> 'encryption' => 'ssha'
>
> );
>
> $conf['auth']['params']['count_bad_logins'] = false;
>
> $conf['auth']['params']['login_block'] = false;
>
> $conf['auth']['params']['login_block_count'] = 10;
>
> $conf['auth']['params']['login_block_time'] = 5;
>
>
>
> If I update the configuration while being logged in to horde as an 
> admin. I can in fact list the users in ldap. When I log out and try to 
> log in again, the login process loops. (redirect loop).
>
>
>
> I've had a look at the code, but I might fail to grasp some things here.
>
> In login.php I see that the user does get authenticated and at line 
> +-250 index.php is required (I added some own debug lines at the time 
> to make sure that was actually happening)
>
>
>
> if ($is_auth) {
>
>                 Horde::log(sprintf('Authenticated in logon.php %s', 
> $is_auth),'NOTICE');
>
>     if (!$vars->app) {
>
>                                Horde::log(sprintf('Taking me back to 
> the index'),'NOTICE');
>
>       require HORDE_BASE . '/index.php'; // <-- this line takes me 
> back to index.php
>
>         exit;
>
>
>
> But then I can see this inside the log output every time:
>
>      HORDE [horde] Redirect to login page if there is no incomming URL 
> and nobody is authed url below is prepended!!  [pid 20869 on line 62 
> of "/usr/share/horde/index.php"]
>
> So index.php is sending me back to login.php and so forth...
>
>
>
> Am I doing something wrong in my configuration? Is something else going on?
> (Is http and ldap auth not a supported combination?)
>
>
>
> Thank you for any assistance.
> Best regards,
> Jochen

This may only happen if $registry->isAuthenticated() in login.php succeeds (using the transparent http authentication), but
$registry->getAuth() in index.php fails.
You may want to trace Horde_Registry further to see why this happens.

-- 
Jan Schneider
The Horde Project
http://www.horde.org/

-- 
Horde mailing list
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: horde-unsubscribe at lists.horde.org



More information about the horde mailing list