[horde] Virtualhost context for hooks

Nels Lindquist nlindq at maei.ca
Wed Jan 17 22:53:08 UTC 2018

Hash: SHA1

Hi, Jan.

On 2018/01/12 4:28 AM, Jan Schneider wrote:
> Zitat von Nels Lindquist <nlindq at maei.ca>:
>> Hi, Jan.
>> On 2018/01/09 2:09 PM, Jan Schneider wrote:
>>> Zitat von Nels Lindquist <nlindq at maei.ca>:
>>>> Hi there.
>>>> I'm using a preauthenticate hook to normalize login IDs
>>>> against an LDAP server.  In each virtualhost configuration
>>>> file I've defined different LDAP search bases, but my hook
>>>> functions appear to be using the root Horde search base
>>>> rather than the virtualhost's overridden configuration.
>>>> I'm referincing "global $conf" within my hook functions in
>>>> order to access $conf['auth']['params']['basedn']; should I
>>>> be incorporating something else to get the virtualhost
>>>> overrides?
>>> No. But you didnt explain how exactly your setup looks like.
>>> And how about vhost-specific settings used anywhere else than 
>>> hooks.php.
>> I have Horde Groupware Webmail Edition 5.2.22 installed.  IMP is 
>> configured to connect to Cyrus IMAPD on the local host. 
>> Authentication is through LDAP, using OpenLDAP as the backend.
>> I'm using vhost-specific settings to define a different
>> database, administrator ID, cache prfix and authentication base
>> DN for each domain, as well as default mail domain (for imp) and
>> different LDAP base DNs for each vhost's turba shared directory.
>> Note that I'm using a common hooks.php file for all virtual
>> domains since it's the same function performing the normalization
>> regardless. Should there be vhost-specific hooks-*.php files as
>> well?
> No, you should indeed have a single hooks.php file only, and make
> any necessary vhost distinctions inside your hook code.

Okay; sounds like I'm "doing it right".

I assumed the vhost distinctions would come in through the global
$conf depending on which virtualhost is calling the hook.

Thinking about it more, the problem may not be with my hook, which I'm
using to canonicalize userids into lower-case e-mail addresses.  If
the user enters a bare username, it uses the vhost-specific LDAP
configuration to perform a lookup and retrieve the associated mail
attribute, which it returns as the replacement userId.

The problem arises when someone uses an e-mail address for the userid
which isn't part of the current vhost domain; my hook does some sanity
checking for the userid format and if it's a valid e-mail address, it
returns true so the userId is unmodified.  However, if the e-mail
address is part of another vhost then the authentication will still
work, implying that authentication is happening in the base context
rather than a vhost context.

I should probably verify that an entered e-mail address is part of the
current vhost context; I'm assuming I could pull in the virtual
hostname from the global $vhost variable, since it's not explicitly
defined in any of the conf*.php files?

- ----
Nels Lindquist
<nlindq at maei.ca>
Version: GnuPG v2


More information about the horde mailing list