[horde] Horde + Radius + IMP autologin/preauthenticate hook

Rick Romero rick at havokmon.com
Sun Jul 23 15:26:05 UTC 2017


  Yeah, I'm stupid - this works just fine when:

  - hordeauth=true (not full)
  - No switch/case in imp preauth hook
  - change the session id to not conflict with prod
  - clear browser cookies
 
The last two are the most important.

Quoting Rick Romero <rick at havokmon.com>:

> Ok, I'm stuck. 
>
> This is what I have - 
> 1. User authenticates to RADIUS. This is done in Horde - this works  
> (and works with PrivacyIdea OTP).
> 2. IMP backends.local.php hordeauth is set to 'full' (usernames are  
> email addresses).
> 3. imp/config/hooks.php:   has transparent type set and hardcodes a  
> masterpassword (to account for OTP expirations)
>     public function preauthenticate($userId, $credentials)
>     {
>         switch ($credentials['authMethod']) {
>         case 'transparent':
>             $credentials['server'] = 'server_' . substr($userId, 0, 1);
>             return array(
>                 'credentials' => array(
>                     'password' => 'masterpassword',
>                     'transparent' => true
>                 ),
>                 'userId' => $userId
>             );
>         }
>
>         return true;
>     }
> This works.  It works great.  I'm happy.
>
> But here's the rub - this only works on the local subnet.  If I  
> connect from the internet, it fails.  Logs show:
>
> Jul 12 19:05:48 beta HORDE5: [horde] Login success for  
> rick at havokmon.com to horde (107.136.144.230) [pid 2626 on line 163  
> of "/usr/share/horde/login.php"]
> Jul 12 19:05:50 beta HORDE5: [imp] [login] Mail server denied  
> authentication. [pid 2662 on line 730 of  
> "/usr/share/horde/imp/lib/Imap.php"]
> Jul 12 19:05:50 beta HORDE5: Guest user is not authorized for Mail  
> (Host: 107-136-144-230.lightspeed.milwwi.sbcglobal.net). [pid 2662  
> on line 324 of "/usr/share/php/Horde/Registry.php"]
>
> But IMAP is NOT failing - logs show success. It's something internal  
> to Horde.
>
> I can force this to begin to work if I start creating Permissions  
> for each app, and provide 'Guest' with full permissions.  This is  
> what I'm finding as others' solutions as well. I'm concerned with  
> doing this, all I want to do is set a master password for IMP's IMAP  
> authentication because the stored OTP password is going to expire  
> after use.  Creating a whole set of permissions for 'Guest' (when  
> Horde auth worked, I don't really think the user is a 'Guest') seems  
> like overkill.  Especially because a local subnet login has no  
> problems.  I don't have horde/conf.php blocks= or safe_ips= set to  
> anything.
>
> I must have missed something else - what did I miss?
>
> Thanks,
> Rick