[horde] User not authorized for Mail

James Mohr horde at jimmo.com
Tue Jul 11 16:00:39 UTC 2017 

Sorry about the previous message. I am not sure what happened.

Quoting "Maur=C3=ADcio Jos=C3=A9 T. Tecles" <mtecles at biof.ufrj.br>:

> Citando James Mohr <horde at jimmo.com>:
>
>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>>> What authentication backend are you using for Horde? Are you   
>>> really  using HTTP authentication?
>>
>> On the page Authentication Settings in the Horde cconfiguration under
>> "$conf[auth][driver]" I have "HTTP (Basic Authentication/.htpasswd)
>> authentication".  Is there something else I need to change?
>>
>
> Why use .htpasswd if you intend to use an IMAP server?  See below (*).

Sorry for the misunderstanding. I obviously forget an important aspect
of this configuration. The entire server is protected using HTTP basic
authentication. Each user must first login through the HTTP basic
authentication before accessing Horde. Login through apache is
successful and I can access all of the other applications. Only access
to imp is not working. (User jimmo is not authorized for Mail)


>>>> In the system logs (journalctl) I see:
>>>>
>>>> [imp] [login] Server does not support TLS connections.
>>>>
>>>> That seems clear enough so after googling I changed    
>>>> backends.local.php so it now looks like this:
>>>>
>>>> // IMAP server
>>>> $servers['imap'] =3D array(
>>>>  'disabled' =3D> false,
>>>>  'name' =3D> 'localhost',
>>>>  'hostspec' =3D> 'myhost.mydomain.'tld,
>>>>  'hordeauth' =3D> false,
>>>>  'protocol' =3D> 'imap',
>>>>  'secure' =3D> 'false',
>>>> );
>>>
>>> Are you requiring your users to login separately to Email?
>>
>> Not intentionally. I have looked through the Horde and Imp
>> confifuration and I do not find any place to require users to login
>> separately to email.

What I meant was *IF* Horde is somehow configured so it is "requiring
your users to login separately to Email", it was unintentional on my
part. I do not what a separate login. I want users to login with the
basic http authentication and not have to login a second time. I have
a very old system where this worked and I am trying to get the same
configuration on a new system.

>
> Either you did not understand the question or I did not understand   
> what you want. If you are not going to to login separately to Email,  
>  I suggest configuring a Horde application (imp) to authenticate. Go  
>  to the "Authentication" tab and configure:
>
> $conf[auth][driver]: Let a Horde application handle authentication
>
> $conf[auth][params][app]: imp
>
> $conf[auth][admins]: "your_login"

To test the configuration I tried that. I get the login prompt but
cannot login.

Unfortunately, I cannot do anything at all at the moment, because I
cannot login at all. That is,whenj I load the Horder URL, I get the
login form but cannot login. I cannot change the authentication method
back to HTTP basic. I cannot find a file where this is changed. :-(


> (*) And that answers the question above. You are going to use Imp to  
>  authenticate against an IMAP server. As I understand, your users  
> are  Mail users, not HTTP users (although they are going to use a  
> web  interface - imp - to the mail service). See below (**).
>
> Be sure that your web server uses encryption (https) and configure   
> Horde to do so:
>
> URL Settings * $conf[use_ssl]:

Is this absolutely necessary in that this configuration will not work
without it? I would like to get this running first, before I add any
additional configuration.

>> Does it make a different if true/false are included in single-quotes?
>>
>>>>  'disabled' =3D> false,
>>>>  'secure' =3D> 'false',
>>
>>>> No change. My biggest question at this point is to what exactly   
>>>> is  Horde connecting. IMAP? POP3? My assumption is IMAP because   
>>>> of the  complete log entry:
>>>
>>> Yes, according to the above configuration stanza, you are   
>>> connecting  to an IMAP server running on 'myhost.mydomain.tld'.   
>>> I'm assuming the  misplaced quotation mark in your stanza is a   
>>> typo, as that would  cause a parse error in PHP when loaded.
>>
>> Yes. That was I typo when I changed the real domain in the email.
>>
>>>> Jun 24 16:32:37 sonne-new HORDE[3058]: [imp] [login] Server does   
>>>>  not support TLS connections. [pid 3058 on line 730 of    
>>>> "/data/home/user/public_html/horde/imp/lib/Imap.php"]
>>>
>>> You either need to configure your IMAP server to use TLS or   
>>> disable  it in your configuration.
>>
>> I though that I disabled it in backends.local.php with this line:
>>   'secure' =3D> 'false',
>>
>>> The password for the http authentication, the local user, are all
>>>> the same. sasldblistusers2 shows the user. My question here is   
>>>> what  format the users should have:
>>>> username at localhost
>>>> username at hostname
>>>> username at hostname.domain.tld
>>>> username at domain.tld
>>>
>>> I am confused as to exactly what authentication backend you are    
>>> using in Horde. As far as the general question about thr format of  
>>>   the users, that depends entirely on what the authentication   
>>> backend  is expecting. There is no one right answer.
>>
>> What would be correct for HTTP authentication?
>>
>
> Again, I think you did not understand the question.
> (**) You should authenticate via imap that you already tested.
> If you are going to use "username" or "username at ..." is up to you.

Obviously I cannot use one form of the login in the sasl DB
(saslpasswd2 -c) and then another form when I login. Where/how do make
changes if it "is up to you"? Where exactly is Horde getting error
message? From the imap server?

> Depending on what you want, you might need a different   
> authentication backend. Just try imp to handle authentication, as   
> explained above.
>
>>>> The mailbopx was created using cyradm and the permissions look like th=
is:
>>>> localhost.localdomain> listacl user.myuser
>>>> user.myuser lrswipkxtecda
>>>>
>>>> I have successully tested the username using telnet to connect to  
>>>>   ports 110(POP3) and 143 (IMAP), as well as with testsaslauthd.
>>>
>>> Port 143 is the TLS port for IMAP, so it seems that your server    
>>> *does* support this?
>>
>> Hmmmm.....Why then am I getting the error message "Server does not
>> support TLS connections"?
>>
>
> Port 143 can be used to login as plain text or with encryption. SASL  
>  and TLS are not the same thing.

Understood. So where exactly is Horde connecting at this point? To the
imap server?

> Are the webserver with Horde and the imap server one the same machine?
Yes. This is a single machine.

>
> Mauricio
>
>>> -- 
>>> mike
>>> The Horde Project
>>> http://www.horde.org
>>> https://www.facebook.com/hordeproject
>>> https://www.twitter.com/hordeproject
>>
>> Regards,
>> James
>>
>>
>> -- 
>> Horde mailing list
>> Frequently Asked Questions: http://horde.org/faq/
>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
>
> -- 
>
> Maur=C3=ADcio Jos=C3=A9 T. Tecles
> Instituto de Biof=C3=ADsica Carlos Chagas Filho/UFRJ
> Av. Carlos Chagas Filho, 373
> N=C3=BAcleo de Inform=C3=A1tica
> CCS, Bloco G, sala G1-006
> Cidade Universit=C3=A1ria - Ilha do Fund=C3=A3o
> 21941-902, Rio de Janeiro - RJ
>
> mtecles at biof.ufrj.br
> Tel.: (21) 3938-6526 ou 3938-6544
>
> -- 
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org

More information about the horde mailing list