b***@horde.org
2012-08-31 11:50:04 UTC
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/11387
------------------------------------------------------------------------------
Ticket | 11387
Updated By | Jan Schneider <***@horde.org>
Summary | horde_alarms tries always to login as first admin user
| but with an empty password
Queue | Horde Base
Version | 4.0.15
Type | Bug
-State | Unconfirmed
+State | Feedback
Priority | 2. Medium
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
> Each time horde_alarms runs by cron, it tries to login as the first
> admin user, but with an empty password. So we get tons of failed
> logins in the logs, plus this might lead to locking the account by
> the backend.

This is the expected behavior if you use transparent authentication.
With transparent authentication, the current credentials will be used
to try to authenticate where necessary. To get administration rights
when running CLI scripts, we need to authenticate, or at least fake
authentication, as a real administrator though.

> See
> https://github.com/o-/horde/commit/3f916b63e59ee92611883f9e204a2d878c661c2f
> for an implementation of this check.

This is not a viable solution, because it may very well be allowed to
have an empty password.

> In bug #10076 it was suggested that this is a duplicate of bug
> #9733, however as we are on the latest versions, this is clearly
> still an issue.

Looks like those were not duplicates then.
I admit that this is a problem, but I don't see a proper and easy
solution to this yet. We could allow empty passwords in the
general-purpose IMAP library and catch those earlier inside
Horde-specific code, but even in Horde it might be allowed to login
with an empty password, at least via the API.
--
bugs mailing list
Frequently Asked Questions: http://wiki.horde.org/FAQ
To unsubscribe, mail: bugs-***@lists.horde.org