[horde] Possible Bug in LDAP Auth

Andy Dorman adorman at ironicdesign.com
Tue Jan 3 23:43:34 UTC 2017

On 01/03/2017 03:48 PM, Ralph Ballier wrote:
>  Quote from Jan Schneider <jan at horde.org>:
>> Please don't top-post.
>> Quote from roellig at roellig-ltd.de:
>>> Quoting Jan Schneider <jan at horde.org>:
>>>> Quote from roellig at roellig-ltd.de:
>>>>> Hi,
>>>>> the last update from Horde is killing the LDAP auth.
>>>> What do you consider the "last update"? Which packages did you
>>>> update, and from which version?
>>> hi,
>>> from Horde 5.2.11 to 5.2.12. I am not sure if this is really correct,
>>> but that is still so.
>> There haven't been any LDAP related changes between these versions.
>> You either must have updated other packages too, or this is not
>> related to the versions at all, but rather to your personal upgrade
>> method.
>>>>> In the config => LDAP there is $conf[ldap][user][objectclass] = *
>>>>> and this blocks the login. In the LDAP log I see the
>>>>> search filter is (&(objectclass=/A2)(uid=blauser)
>>>>> I have changed it from * to shadowAccount and the LDAP login is working.
>>>>> Sorry for my English
>> --
>> Jan Schneider
> I had the same problem. I have made an update to "Horde Groupware
> Webmail Edition 5.2.17" with "pear upgrade -a -B -c horde".
> On the configuration page was the only striking line
>  "Horde (horde) 5.2.13 Configuration is out of date"
>  Then I clicked the button "Update all configurations".
>  After that the line had disappeared and everything seemed to be all right.
>  But no one could log in afterwards.
>  I have the new file horde/config/conf.php compared with the previous
> file. I noticed that the new file is only three lines apart from the old
> file (they are new):
>  $conf['ldap']['user']['uid'] = 'uid';
>  $conf['ldap']['user']['objectclass'] = array('*');
>  $conf['ldap']['user']['filter_type'] = 'objectclass';
>  I do not know how these lines have come into the file. In any case, no
> login has been possible. I have reused the previous conf.php and thus
> there are no more problems.
>  But now it is still on the configuration page that the Horde
> configuration is out of date (see above).
>  The LDAP log contains an entry similar to that given by Roellig.
> Ralph

Just FWIW, we use the debian testing/unstable packages instead of Pear.

We too just updated to "Horde Groupware Webmail Edition 5.2.17" and did 
not see any big changes in the LDAP config...but then again we had 
already defined the three new lines mentioned above.

Here are our current ldap config lines that work fine:

$conf['ldap']['hostspec'] = array('localhost');
$conf['ldap']['port'] = 389;
$conf['ldap']['tls'] = false;
$conf['ldap']['timeout'] = 5;
$conf['ldap']['version'] = 3;
$conf['ldap']['user']['basedn'] = 'ou=addresses,o=antespam.com';
$conf['ldap']['user']['uid'] = 'uid';
$conf['ldap']['user']['objectclass'] = array('fmaddress');
$conf['ldap']['user']['filter_type'] = 'objectclass';
$conf['ldap']['bindas'] = 'user';
$conf['ldap']['useldap'] = true;

We filter using the fmaddress objectclass to ensure the records do not 
include users from our email security service (AnteSpam.com) that shares 
the LDAP db.

We did have trouble earlier this year with tls (that is why it is 
false), but since we use a local replica (i.e., transactions do not 
traverse the network) we felt that was not a big deal.

Andy Dorman

CONFIDENTIALITY NOTICE: This message is for the named person's use only. 
It may contain confidential, proprietary or legally privileged 
information. No confidentiality or privilege is waived or lost by any 
erroneous transmission. If you receive this message in error, please 
immediately destroy it and notify the sender. You must not, directly or 
indirectly, use, disclose, distribute, or copy any part of this message 
if you are not the intended recipient.
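
Editor's note on the failure the thread describes. The quoted log line shows the objectclass value arriving at the server as `/A2`, which looks like the RFC 4515 hex escape `\2a` for an asterisk. If the configured value is escaped before it is placed in the filter, `*` is sent as a literal character and `(objectclass=\2a)` can never match an entry, whereas a real class such as `shadowAccount` or `fmaddress` does. The script below is an added example, not Horde's own code: it assumes the user filter is built as an AND of one `(objectclass=...)` term per configured class plus the `uid` term, with every value escaped per RFC 4515, and it runs the resulting filters against a small constructed directory so the difference is visible offline. The same escaping that defeats the `*` shortcut is what stops a login name such as `*)(uid=*` from widening the filter, which is why dropping the escaping is not the fix.

```python
import re

# RFC 4515 section 3: characters that have meaning in a filter value.
ESCAPES = {'*': '\\2a', '(': '\\28', ')': '\\29', '\\': '\\5c', '\x00': '\\00'}


def escape_filter_value(value):
    """Escape an assertion value so it is compared literally by the server."""
    return ''.join(ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse the hex escapes, as a server does before comparing values."""
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def build_login_filter(objectclasses, uid_attr, login):
    """Assumed shape of a filter_type = 'objectclass' login search:
    (&(objectclass=c1)(objectclass=c2)...(uid=login)), all values escaped."""
    terms = [f'(objectclass={escape_filter_value(oc)})' for oc in objectclasses]
    terms.append(f'({uid_attr}={escape_filter_value(login)})')
    return '(&' + ''.join(terms) + ')'


# One "(attr=value)" assertion; the value may contain \xx escapes.
ASSERTION = re.compile(
    r'\(([A-Za-z][A-Za-z0-9-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)')


def entry_matches(entry, flt):
    """Evaluate an AND-of-equality filter of the shape build_login_filter
    produces. Only a bare, unescaped '*' is a presence test; an escaped
    asterisk is compared as the literal character '*'."""
    if not (flt.startswith('(&') and flt.endswith(')')):
        raise ValueError('unsupported filter shape')
    body, pos = flt[2:-1], 0
    while pos < len(body):
        m = ASSERTION.match(body, pos)
        if not m:
            raise ValueError('unsupported filter shape: ' + body[pos:])
        attr, raw = m.group(1).lower(), m.group(2)
        have = entry.get(attr, [])
        if isinstance(have, str):
            have = [have]
        if raw == '*':                       # presence filter
            if not have:
                return False
        else:                                # equality, literal after unescape
            want = unescape_filter_value(raw).lower()
            if want not in (h.lower() for h in have):
                return False
        pos = m.end()
    return True


# Constructed sample directory (hypothetical DNs and attributes).
DIRECTORY = [
    {'dn': 'uid=blauser,ou=people,dc=example,dc=com',
     'objectclass': ['inetOrgPerson', 'posixAccount', 'shadowAccount'],
     'uid': 'blauser'},
    {'dn': 'uid=alice,ou=people,dc=example,dc=com',
     'objectclass': ['inetOrgPerson', 'posixAccount', 'shadowAccount'],
     'uid': 'alice'},
    {'dn': 'cn=relay,ou=services,dc=example,dc=com',
     'objectclass': ['fmaddress'],
     'uid': 'relay'},
]


def search(flt):
    """Return the DNs of entries matching a filter string."""
    return [e['dn'] for e in DIRECTORY if entry_matches(e, flt)]


def find_login_dns(objectclasses, login, uid_attr='uid'):
    """What the login code would get back for a given objectclass setting."""
    return search(build_login_filter(objectclasses, uid_attr, login))


if __name__ == '__main__':
    for classes in (['*'], ['shadowAccount'], ['fmaddress']):
        print(classes, build_login_filter(classes, 'uid', 'blauser'),
              find_login_dns(classes, 'blauser'))
    # A hand-written presence filter is what the '*' setting was meant to be.
    print(search('(&(objectclass=*)(uid=blauser))'))
    # Filter-injection attempt in the login name stays a single uid term.
    print(build_login_filter(['shadowAccount'], 'uid', '*)(uid=*'),
          find_login_dns(['shadowAccount'], '*)(uid=*'))
```

With `objectclass = array('*')` the generated filter is `(&(objectclass=\2a)(uid=blauser))` and no entry matches, which is the "nobody can log in" symptom in the thread; with `array('shadowAccount')` the same login name resolves to the user's DN. If a wildcard class is genuinely wanted, it has to be expressed as a presence filter in the filter string itself, not as a configured value that gets escaped.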
