[horde] User not authorized for Mail

Maurício José T. Tecles mtecles at biof.ufrj.br
Thu Jul 13 15:04:13 UTC 2017


Citando James Mohr <horde at jimmo.com>:

> Thank you *very* much for your patience.
>
> Quoting "Maur=C3=ADcio Jos=C3=A9 T. Tecles" <mtecles at biof.ufrj.br>:
>
>> Citando James Mohr <horde at jimmo.com>:
>>
>>> Sorry about the previous message. I am not sure what happened.
>>>
>>> Quoting "Maur=3DC3=3DADcio Jos=3DC3=3DA9 T. Tecles" <mtecles at biof.ufrj.b=
> r>:
>>>
>>>> Citando James Mohr <horde at jimmo.com>:
>>>>
>>>>> Quoting Michael J Rubinsky <mrubinsk at horde.org>:
>>>>>> What authentication backend are you using for Horde? Are you    
>>>>>> really  using HTTP authentication?
>>>>>
>>>>> On the page Authentication Settings in the Horde cconfiguration under
>>>>> "$conf[auth][driver]" I have "HTTP (Basic Authentication/.htpasswd)
>>>>> authentication".  Is there something else I need to change?
>>>>>
>>>>
>>>> Why use .htpasswd if you intend to use an IMAP server?  See below (*).
>>>
>>> Sorry for the misunderstanding. I obviously forget an important aspect
>>> of this configuration. The entire server is protected using HTTP basic
>>> authentication. Each user must first login through the HTTP basic
>>> authentication before accessing Horde. Login through apache is
>>> successful and I can access all of the other applications. Only access
>>> to imp is not working. (User jimmo is not authorized for Mail)
>>>
>>
>> OK, but understand that those users may use Horde applications  
>> other  than IMP. IMP is an application to use mail (POP, IMAP,  
>> SMTP) and,  for that to work, IMP must use the credetials of your  
>> mail user,  wich may differ from your ".htpasswd". Because you  
>> configured IMP  'protocol' =3D> 'imap', the user must be (login as)  
>> an IMAP user. In  other words, you are requiring our users to login  
>> separately to  Email (IMP).
>
> Understood . The thing is, previously when I logged in, I was able to
> user the other applications, just not imp.
>
> I can login successfully using "telnet localhost 143".
>
> . login myusername mypasswd
>
> The response is:
>
> . OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE ACL RIGHTS=3Dkxte QUOTA
> MAILBOX-REFERRALS NAMESPACE UIDPLUS NO_ATOMIC_RENAME UNSELECT CHILDREN
> MULTIAPPEND BINARY CATENATE CONDSTORE ESEARCH SORT SORT=3DMODSEQ
> SORT=3DDISPLAY THREAD=3DORDEREDSUBJECT THREAD=3DREFERENCES ANNOTATEMORE
> LIST-EXTENDED WITHIN QRESYNC SCAN XLIST URLAUTH URLAUTH=3DBINARY
> X-NETSCAPE LOGINDISABLED COMPRESS=3DDEFLATE IDLE] User logged in
> SESSIONID=3D<sonne-new-25030-1499933333-1>
>
> When I load Horde, I input the same username and password, but I
> always get "login failed". The log looks like this:
>
> Jul 13 10:20:15 sonne-new HORDE[16296]: Load config file (conf.php;
> app: horde) [pid 16296 on line 110 of
> "/usr/share/php5/PEAR/Horde/Registry/Loadconfig.php"]
> Jul 13 10:20:15 sonne-new HORDE[16296]: [imp] Load config file
> (conf.php; app: imp) [pid 16296 on line 110 of
> "/usr/share/php5/PEAR/Horde/Registry/Loadconfig.php"]
> Jul 13 10:20:15 sonne-new HORDE[16296]: [imp] Load config file
> (backends.php; app: imp) [pid 16296 on line 110 of
> "/usr/share/php5/PEAR/Horde/Registry/Loadconfig.php"]
> Jul 13 10:20:15 sonne-new imap[25030]: accepted connection
> Jul 13 10:20:15 sonne-new HORDE[16296]: [imp] [login] Server does not
> support TLS connections. [pid 16296 on line 730 of
> "/data/home/XXXXX/public_html/horde/imp/lib/Imap.php"]
> Jul 13 10:20:15 sonne-new HORDE[16296]:  1.
> Horde_Core_Auth_Application->authenticate()
> /data/home/XXXXX/public_html/horde/login.php:155
>                                           2.
> Horde_Core_Auth_Application->authenticate()
> /usr/share/php5/PEAR/Horde/Core/Auth/Application.php:138
>                                           3.
> Horde_Auth_Base->authenticate()
> /usr/share/php5/PEAR/Horde/Core/Auth/Application.php:141
>                                           4.
> Horde_Core_Auth_Application->_authenticate()
> /usr/share/php5/PEAR/Horde/Auth/Base.php:161
>                                           5.
> Horde_Registry->callAppMethod()
> /usr/share/php5/PEAR/Horde/Core/Auth/Application.php:170
>                                           6. call_user_func_array()
> /usr/share/php5/PEAR/Horde/Registry.php:1197
>                                           7.
> IMP_Application->authAuthenticate()
>                                           8. IMP_Auth::authenticate()
> /data/home/XXXXX/public_html/horde/imp/lib/Application.php:371
>                                           9. IMP_Imap->login()
> /data/home/XXXXX/public_html/horde/imp/lib/Auth.php:86
>                                          10. IMP_Imap->__call()
> /data/home/XXXXX/public_html/horde/imp/lib/Auth.php:86
>                                          11.
> Horde_Core_Auth_Application->authenticate()
> /data/home/XXXXX/public_html/horde/login.php:155
>                                          12.
> Horde_Core_Auth_Application->authenticate()
> /usr/share/php5/PEAR/Horde/Core/Auth/Application.php:138
>                                          13.
> Horde_Auth_Base->authenticate()
> /usr/share/php5/PEAR/Horde/Core/Auth/Application.php:141
>                                          14.
> Horde_Core_Auth_Application->_authenticate()
> /usr/share/php5/PEAR/Horde/Auth/Base.php:161
>                                          15.
> Horde_Registry->callAppMethod()
> /usr/share/php5/PEAR/Horde/Core/Auth/Application.php:170
>                                          16. call_user_func_array()
> /usr/share/php5/PEAR/Horde/Registry.php:1197
>                                          17.
> IMP_Application->authAuthenticate()
>                                          18. IMP_Auth::authenticate()
> /data/home/XXXXX/public_html/horde/imp/lib/Application.php:371
>                                          19. IMP_Imap->login()
> /data/home/XXXXX/public_html/horde/imp/lib/Auth.php:86
>                                          20. IMP_Imap->__call()
> /data/home/XXXXX/public_html/horde/imp/lib/Auth.php:86
>                                          21. call_user_func_array()
> /data/home/XXXXX/public_html/horde/imp/lib/Imap.php:718
>                                          22. Horde_Imap_Client_Base->login(=
> )
>                                          23.
> Horde_Imap_Client_Socket->_login()
> /usr/share/php5/PEAR/Horde/Imap/Client/Base.php:831
> Jul 13 10:20:15 sonne-new HORDE[16296]: [imp] FAILED LOGIN for jimmo
> (X.X.X.X) to {imap://localhost/} [pid 16296 on line 157 of
> "/data/home/XXXXX/public_html/horde/imp/lib/Auth.php"]
> Jul 13 10:20:15 sonne-new HORDE[16296]: [horde] FAILED LOGIN for jimmo
> to horde (X.X.X.X) [pid 16296 on line 199 of
> "/data/home/XXXXX/public_html/horde/login.php"]
> Jul 13 10:20:15 sonne-new HORDE[16296]: [horde] Load config file
> (nls.php; app: horde) [pid 16296 on line 110 of
> "/usr/share/php5/PEAR/Horde/Registry/Loadconfig.php"]
> Jul 13 10:20:15 sonne-new HORDE[16296]: [horde] Load config file
> (motd.php; app: horde) [pid 16296 on line 110 of
> "/usr/share/php5/PEAR/Horde/Registry/Loadconfig.php"]
> Jul 13 10:20:15 sonne-new HORDE[16296]: [horde] Max memory usage:
> 8126464 bytes [pid 16296 on line 613 of
> "/usr/share/php5/PEAR/Horde/Registry.php"]
>
>
> backends.local.php currently looks like this:
>
> $servers['imap'] =3D array(
>      'disabled' =3D> 'false',
>      'name' =3D> 'myhost.mydomain.tld',
>      'hostspec' =3D> 'localhost',
>      'hordeauth' =3D> 'false',
>      'protocol' =3D> 'imap',
>      'secure' =3D> 'false',
> );
>
> For whatever reason, Horde is trying to use TLS. If you could tell me
> how to disable this, I would appreaciate it.
>

The way to configure backends.local.php is different, try:

<?php
$servers['imap']['disabled'] = false;
$servers['imap']['name'] = 'myhost.mydomain.tld';
$servers['imap']['hostspec'] = 'localhost';
$servers['imap']['hordeauth'] = false;
$servers['imap']['protocol'] = 'imap';
$servers['imap']['port'] = 143;
$servers['imap']['secure'] = 'false';

>> Your configuration: Horde -> .htpasswd, IMP -> IMAP.
>> (1*) See below.
>>
>> Can user jimmo  from ".htpasswd" login with the same credentials to  
>>  your IMAP server?
>
> Yes. See above.
>
>>
>>>
>>>>>>> In the system logs (journalctl) I see:
>>>>>>>
>>>>>>> [imp] [login] Server does not support TLS connections.
>>>>>>>
>>>>>>> That seems clear enough so after googling I changed     
>>>>>>> backends.local.php so it now looks like this:
>>>>>>>
>>>>>>> // IMAP server
>>>>>>> $servers['imap'] =3D3D array(
>>>>>>> 'disabled' =3D3D> false,
>>>>>>> 'name' =3D3D> 'localhost',
>>>>>>> 'hostspec' =3D3D> 'myhost.mydomain.'tld,
>>>>>>> 'hordeauth' =3D3D> false,
>>>>>>> 'protocol' =3D3D> 'imap',
>>>>>>> 'secure' =3D3D> 'false',
>>>>>>> );
>>>>>>
>>
>> (1*) begin
>>
>>>>>> Are you requiring your users to login separately to Email?
>>>>>
>>>>> Not intentionally. I have looked through the Horde and Imp
>>>>> confifuration and I do not find any place to require users to login
>>>>> separately to email.
>>>
>>> What I meant was *IF* Horde is somehow configured so it is "requiring
>>> your users to login separately to Email", it was unintentional on my
>>> part. I do not what a separate login. I want users to login with the
>>> basic http authentication and not have to login a second time. I have
>>> a very old system where this worked and I am trying to get the same
>>> configuration on a new system.
>>>
>>
>> (1*) end
>>
>>>>
>>>> Either you did not understand the question or I did not  
>>>> understand   what you want. If you are not going to to login  
>>>> separately to  Email,  I suggest configuring a Horde application  
>>>> (imp) to  authenticate. Go  to the "Authentication" tab and  
>>>> configure:
>>>>
>>>> $conf[auth][driver]: Let a Horde application handle authentication
>>>>
>>>> $conf[auth][params][app]: imp
>>>>
>>>> $conf[auth][admins]: "your_login"
>>>
>>> To test the configuration I tried that. I get the login prompt but
>>> cannot login.
>>>
>>> Unfortunately, I cannot do anything at all at the moment, because I
>>> cannot login at all. That is,whenj I load the Horder URL, I get the
>>> login form but cannot login. I cannot change the authentication method
>>> back to HTTP basic. I cannot find a file where this is changed. :-(
>>>
>>
>> Whenever you modify Horde configuration by web it generates   
>> conf.bak.php. Copy it to conf.php or edit it (driver)   
>> (~webmail/config/conf.php or ~horde/config/conf.php) to login to   
>> .htpasswd as before.
>
> I copied the conf.bak.php to conf.php and I still get the login
> prompt. Previously I was brought into the default app kronolith. At
> this point I am beginning to suspect that I have screwed things up to
> much and should start from scratch. :-(

Each time you modify and save Horde generates the conf.bak.php file,  
if you modify and save twice you loose the the original configuration,  
so make your own backup copy of your (even patialy) working  
configuration.

>>
>>>
>>>> (*) And that answers the question above. You are going to use Imp  
>>>>  to  authenticate against an IMAP server. As I understand, your   
>>>> users are  Mail users, not HTTP users (although they are going to  
>>>>  use a web  interface - imp - to the mail service). See below (**).
>
> As will the (very) old server, my intention is to have a single login.
> That is, the users login into server with http basic authentication
> and horde handles the rest. This worked on the old system so I was
> hoping to get it to work on the new one. I went through (hopefully)
> all of the settings on the old system and changed them using the GUI
> on the new system.
>

Once you solve IMP login problem you could use it to login only once  
to Horde as described before.

> At this point, all I want to do is get Horde to work, even with
> multiple logins. ;-}
>

Just copy conf.php.dist to conf.php, or edit conf.php, remove any  
$conf['auth'] and add:

$conf['auth']['admins'] = array('Administrator');
$conf['auth']['driver'] = 'auto';
$conf['auth']['params'] = array('username' => 'Administrator');

So you can configure Horde without login.

>>>>
>>>> Be sure that your web server uses encryption (https) and  
>>>> configure   Horde to do so:
>>>>
>>>> URL Settings * $conf[use_ssl]:
>>>
>>> Is this absolutely necessary in that this configuration will not work
>>> without it? I would like to get this running first, before I add any
>>> additional configuration.
>>>
>>
>> No, it is not necessary, wait until you are done with basic   
>> configuration and authentication.
>>
>>>>> Does it make a different if true/false are included in single-quotes?
>>>>>
>>>>>>> 'disabled' =3D3D> false,
>>>>>>> 'secure' =3D3D> 'false',
>>>>>
>>>>>>> No change. My biggest question at this point is to what  
>>>>>>> exactly   is  Horde connecting. IMAP? POP3? My assumption is  
>>>>>>> IMAP  because  of the  complete log entry:
>>>>>>
>>>>>> Yes, according to the above configuration stanza, you are    
>>>>>> connecting  to an IMAP server running on 'myhost.mydomain.tld'.  
>>>>>>   I'm assuming the  misplaced quotation mark in your stanza is  
>>>>>> a   typo, as that would  cause a parse error in PHP when loaded.
>>>>>
>>>>> Yes. That was I typo when I changed the real domain in the email.
>>>>>
>>>>>>> Jun 24 16:32:37 sonne-new HORDE[3058]: [imp] [login] Server   
>>>>>>> does   not support TLS connections. [pid 3058 on line 730 of    
>>>>>>>  "/data/home/user/public_html/horde/imp/lib/Imap.php"]
>>>>>>
>>>>>> You either need to configure your IMAP server to use TLS or    
>>>>>> disable  it in your configuration.
>>>>>
>>>>> I though that I disabled it in backends.local.php with this line:
>>>>> 'secure' =3D3D> 'false',
>>>>>
>>>>>> The password for the http authentication, the local user, are all
>>>>>>> the same. sasldblistusers2 shows the user. My question here is  
>>>>>>>   what  format the users should have:
>>>>>>> username at localhost
>>>>>>> username at hostname
>>>>>>> username at hostname.domain.tld
>>>>>>> username at domain.tld
>>>>>>
>>>>>> I am confused as to exactly what authentication backend you are  
>>>>>>    using in Horde. As far as the general question about thr  
>>>>>> format  of   the users, that depends entirely on what the  
>>>>>> authentication   backend  is expecting. There is no one right  
>>>>>> answer.
>>>>>
>>>>> What would be correct for HTTP authentication?
>>>>>
>>>>
>>>> Again, I think you did not understand the question.
>>>> (**) You should authenticate via imap that you already tested.
>>>> If you are going to use "username" or "username at ..." is up to you.
>>>
>>> Obviously I cannot use one form of the login in the sasl DB
>>> (saslpasswd2 -c) and then another form when I login. Where/how do make
>>> changes if it "is up to you"? Where exactly is Horde getting error
>>> message? From the imap server?
>>>
>>
>> Remember your configuration: Horde -> .htpasswd, IMP -> IMAP. So,   
>> IMP users will login the same way they login to your IMAP server.   
>> See below (2*).
>
> If I understand correctly, it *should* be the same credentials as when
> I do a telnet to port 143, right? This is what I am using with no luck.
>
>>>> Depending on what you want, you might need a different    
>>>> authentication backend. Just try imp to handle authentication, as  
>>>>   explained above.
>>>>
>>>>>>> The mailbopx was created using cyradm and the permissions look like =
> th=3D
>>> is:
>>>>>>> localhost.localdomain> listacl user.myuser
>>>>>>> user.myuser lrswipkxtecda
>>>>>>>
>>>>>>> I have successully tested the username using telnet to connect  
>>>>>>>  to   ports 110(POP3) and 143 (IMAP), as well as with   
>>>>>>> testsaslauthd.
>>>>>>
>>>>>> Port 143 is the TLS port for IMAP, so it seems that your server  
>>>>>>    *does* support this?
>>>>>
>>>>> Hmmmm.....Why then am I getting the error message "Server does not
>>>>> support TLS connections"?
>>>>>
>>>>
>>>> Port 143 can be used to login as plain text or with encryption.   
>>>> SASL  and TLS are not the same thing.
>>>
>>> Understood. So where exactly is Horde connecting at this point? To the
>>> imap server?
>>
>> (2*) Yes, you configured IMP to login to your IMAP server   
>> ('protocol' =3D> 'imap'). I can see an error log above stating  
>> "Server  does not support TLS connections". Increase Horde log  
>> level to debug  and maybe your IMAP log too, and try to find out  
>> what is wrong.  Provide us with some logs.
>>
>>>
>>>> Are the webserver with Horde and the imap server one the same machine?
>>> Yes. This is a single machine.
>>>
>>
>> If this is a single machine and IMP is configured to login to the   
>> local IMAP then use localhost.
>>
>> 'hostspec' =3D> 'localhost';
>>
>> Mauricio
>>
>>>>
>>>> Mauricio
>>>>
>>>>>> -- 
>>>>>> mike
>>>>>> The Horde Project
>>>>>> http://www.horde.org
>>>>>> https://www.facebook.com/hordeproject
>>>>>> https://www.twitter.com/hordeproject
>>>>>
>>>>> Regards,
>>>>> James
>>>>>
>>>>>
>>>>> -- 
>>>>> Horde mailing list
>>>>> Frequently Asked Questions: http://horde.org/faq/
>>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>>
>>>>
>>>> -- 
>>>>
>>>> Maur=3DC3=3DADcio Jos=3DC3=3DA9 T. Tecles
>>>> Instituto de Biof=3DC3=3DADsica Carlos Chagas Filho/UFRJ
>>>> Av. Carlos Chagas Filho, 373
>>>> N=3DC3=3DBAcleo de Inform=3DC3=3DA1tica
>>>> CCS, Bloco G, sala G1-006
>>>> Cidade Universit=3DC3=3DA1ria - Ilha do Fund=3DC3=3DA3o
>>>> 21941-902, Rio de Janeiro - RJ
>>>>
>>>> mtecles at biof.ufrj.br
>>>> Tel.: (21) 3938-6526 ou 3938-6544
>>>>
>>>> -- 
>>>> Horde mailing list
>>>> Frequently Asked Questions: http://horde.org/faq/
>>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>>
>>>
>>> -- 
>>> Horde mailing list
>>> Frequently Asked Questions: http://horde.org/faq/
>>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>>
>>
>> -- 
>>
>> Maur=C3=ADcio Jos=C3=A9 T. Tecles
>> Instituto de Biof=C3=ADsica Carlos Chagas Filho/UFRJ
>> Av. Carlos Chagas Filho, 373
>> N=C3=BAcleo de Inform=C3=A1tica
>> CCS, Bloco G, sala G1-006
>> Cidade Universit=C3=A1ria - Ilha do Fund=C3=A3o
>> 21941-902, Rio de Janeiro - RJ
>>
>> mtecles at biof.ufrj.br
>> Tel.: (21) 3938-6526 ou 3938-6544
>>
>> -- 
>> Horde mailing list
>> Frequently Asked Questions: http://horde.org/faq/
>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
>
>
>
>
> -- 
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org


-- 

Maurício José T. Tecles
Instituto de Biofísica Carlos Chagas Filho/UFRJ
Av. Carlos Chagas Filho, 373
Núcleo de Informática
CCS, Bloco G, sala G1-006
Cidade Universitária - Ilha do Fundão
21941-902, Rio de Janeiro - RJ

mtecles at biof.ufrj.br
Tel.: (21) 3938-6526 ou 3938-6544



More information about the horde mailing list