Horde login fails with "invalid credentials" after errata390




after quickly performing an upgrade yesterday to UCS 4.3-2 errata 390 (from errata 313) I am no longer able to login to horde. This is quite unfortunate, as our calendars are also in the groupware. Dovecot and Postfix still seem to work.

Dovecot shows the following:
Dez 21 09:08:21 mailserver dovecot[1364]: imap-login: Disconnected (auth failed, 2 attempts in 8 secs): user=<none>, method=PLAIN, rip=, lip=xxx.xxx.xxx.xxx, TLS, session=<...

Horde shows the following error after setting the loglevel to debug:

2018-12-21T07:56:26+00:00 DEBUG: HORDE Load config file (conf.php; app: horde) [pid 503 on line 108 of "/usr/share/php/Horde/Registry/Loadconfig.php"]
2018-12-21T07:56:26+00:00 DEBUG: HORDE [horde] Load config file (hooks.php; app: imp) [pid 503 on line 108 of "/usr/share/php/Horde/Registry/Loadconfig.php"]
2018-12-21T07:56:26+00:00 DEBUG: HORDE [horde] Hook preauthenticate in application imp called. [pid 503 on line 57 of "/usr/share/php/Horde/Core/Hooks.php"]
2018-12-21T07:56:26+00:00 WARN: HORDE [horde] PHP ERROR: ldap_bind(): Unable to bind to server: Invalid credentials [pid 503 on line 74 of "/etc/horde/imp/hooks.php"]
2018-12-21T07:56:26+00:00 DEBUG: HORDE 1. Horde_Registry->isAuthenticated() /usr/share/horde/login.php:62
2. Horde_Core_Auth_Application->transparent() /usr/share/php/Horde/Registry.php:2194
3. Horde_Core_Auth_Application->transparent() /usr/share/php/Horde/Core/Auth/Application.php:394
4. Horde_Core_Auth_Application->runHook() /usr/share/php/Horde/Core/Auth/Application.php:388
5. Horde_Core_Hooks->callHook() /usr/share/php/Horde/Core/Auth/Application.php:605
6. IMP_Hooks->preauthenticate() /usr/share/php/Horde/Core/Hooks.php:61
7. ldap_bind() /etc/horde/imp/hooks.php:74
8. Horde_ErrorHandler::errorHandler()

Which credentials are meant here? The credentials from the Horde config or the user credentials?

Inside the app container I can run univention-ldapsearch and it shows me all the information.

Any ideas how I can narrow down the problem?


Horde authentication failure

The ldap password in the container in /etc/horde/horde/conf.d/10-ucs.conf is the same as the machine password in /etc/machine.secret. For whatever reason that password was changed during the last update and not committed to the horde config. Running ucr commit 10-ucs.conf in the directory /etc/horde/horde/conf.d/ in the docker container solved the problem.


For the sake of anyone else stumbling across this issue: the discussion continues in the following thread: