[horde] Virtualhost context for hooks
Nels Lindquist
nlindq at maei.ca
Wed Jan 17 22:53:08 UTC 2018
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi, Jan.
On 2018/01/12 4:28 AM, Jan Schneider wrote:
>
> Zitat von Nels Lindquist <nlindq at maei.ca>:
>
>> Hi, Jan.
>>
>> On 2018/01/09 2:09 PM, Jan Schneider wrote:
>>>
>>> Zitat von Nels Lindquist <nlindq at maei.ca>:
>>>
>>>> Hi there.
>>>>
>>>> I'm using a preauthenticate hook to normalize login IDs
>>>> against an LDAP server. In each virtualhost configuration
>>>> file I've defined different LDAP search bases, but my hook
>>>> functions appear to be using the root Horde search base
>>>> rather than the virtualhost's overridden configuration.
>>>>
>>>> I'm referincing "global $conf" within my hook functions in
>>>> order to access $conf['auth']['params']['basedn']; should I
>>>> be incorporating something else to get the virtualhost
>>>> overrides?
>>>
>>> No. But you didnt explain how exactly your setup looks like.
>>> And how about vhost-specific settings used anywhere else than
>>> hooks.php.
>>
>> I have Horde Groupware Webmail Edition 5.2.22 installed. IMP is
>> configured to connect to Cyrus IMAPD on the local host.
>> Authentication is through LDAP, using OpenLDAP as the backend.
>>
>> I'm using vhost-specific settings to define a different
>> database, administrator ID, cache prfix and authentication base
>> DN for each domain, as well as default mail domain (for imp) and
>> different LDAP base DNs for each vhost's turba shared directory.
>>
>> Note that I'm using a common hooks.php file for all virtual
>> domains since it's the same function performing the normalization
>> regardless. Should there be vhost-specific hooks-*.php files as
>> well?
>
> No, you should indeed have a single hooks.php file only, and make
> any necessary vhost distinctions inside your hook code.
Okay; sounds like I'm "doing it right".
I assumed the vhost distinctions would come in through the global
$conf depending on which virtualhost is calling the hook.
Thinking about it more, the problem may not be with my hook, which I'm
using to canonicalize userids into lower-case e-mail addresses. If
the user enters a bare username, it uses the vhost-specific LDAP
configuration to perform a lookup and retrieve the associated mail
attribute, which it returns as the replacement userId.
The problem arises when someone uses an e-mail address for the userid
which isn't part of the current vhost domain; my hook does some sanity
checking for the userid format and if it's a valid e-mail address, it
returns true so the userId is unmodified. However, if the e-mail
address is part of another vhost then the authentication will still
work, implying that authentication is happening in the base context
rather than a vhost context.
I should probably verify that an entered e-mail address is part of the
current vhost context; I'm assuming I could pull in the virtual
hostname from the global $vhost variable, since it's not explicitly
defined in any of the conf*.php files?
- ----
Nels Lindquist
<nlindq at maei.ca>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iEYEARECAAYFAlpf09QACgkQh6z5POoOLgRMigCfQq3CQPuVF522WDBa6ibRaXyi
ckQAmwb9FngB+WQsh4SSUyMoxJAMfc2D
=kzrr
-----END PGP SIGNATURE-----
More information about the horde
mailing list