[horde] Horde + Radius + IMP autologin/preauthenticate hook
Rick Romero
rick at havokmon.com
Thu Jul 13 00:54:20 UTC 2017
Ok, I'm stuck.
This is what I have -
1. User authenticates to RADIUS. This is done in Horde - this works
(and works with PrivacyIdea OTP).
2. IMP backends.local.php hordeauth is set to 'full' (usernames are
email addresses).
3. imp/config/hooks.php: has transparent type set and hardcodes a
masterpassword (to account for OTP expirations)
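
    public function preauthenticate($userId, $credentials)
    {
        switch ($credentials['authMethod']) {
        case 'transparent':
            // Set on the local copy only; not part of the returned credentials.
            $credentials['server'] = 'server_' . substr($userId, 0, 1);

            // Use the hardcoded master password for IMAP, since the OTP
            // used for the Horde login expires after use.
            return array(
                'credentials' => array(
                    'password' => 'masterpassword',
                    'transparent' => true
                ),
                'userId' => $userId
            );
        }

        return true;
    }
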
This works. It works great. I'm happy.
But here's the rub - this only works on the local subnet. If I
connect from the internet, it fails. Logs show:
Jul 12 19:05:48 beta HORDE5: [horde] Login success for
rick at havokmon.com to horde (107.136.144.230) [pid 2626 on line 163 of
"/usr/share/horde/login.php"]
Jul 12 19:05:50 beta HORDE5: [imp] [login] Mail server denied
authentication. [pid 2662 on line 730 of
"/usr/share/horde/imp/lib/Imap.php"]
Jul 12 19:05:50 beta HORDE5: Guest user is not authorized for Mail
(Host: 107-136-144-230.lightspeed.milwwi.sbcglobal.net). [pid 2662 on
line 324 of "/usr/share/php/Horde/Registry.php"]
But IMAP is NOT failing - logs show success. It's something internal to Horde.
I can force this to begin to work if I start creating Permissions for
each app, and provide 'Guest' with full permissions. This is what I'm
finding as others' solutions as well. I'm concerned with doing this;
all I want to do is set a master password for IMP's IMAP authentication
because the stored OTP password is going to expire after use.
Creating a whole set of permissions for 'Guest' (when Horde auth
worked, I don't really think the user is a 'Guest') seems like
overkill. Especially because a local subnet login has no problems. I
don't have horde/conf.php blocks= or safe_ips= set to anything.
I must have missed something else - what did I miss?
Thanks,
Rick