Horde login fails with "invalid credentials" after errata390

crbble · December 21, 2018, 8:15am

Hello,

after quickly performing an upgrade yesterday to UCS 4.3-2 errata 390 (from errata 313) I am no longer able to login to horde. This is quite unfortunate, as our calendars are also in the groupware. Dovecot and Postfix still seem to work.

Dovecot shows the following:
Dez 21 09:08:21 mailserver dovecot[1364]: imap-login: Disconnected (auth failed, 2 attempts in 8 secs): user=<none>, method=PLAIN, rip=172.17.0.1, lip=xxx.xxx.xxx.xxx, TLS, session=<...

Horde shows the following error after setting the loglevel to debug:

2018-12-21T07:56:26+00:00 DEBUG: HORDE Load config file (conf.php; app: horde) [pid 503 on line 108 of "/usr/share/php/Horde/Registry/Loadconfig.php"]
2018-12-21T07:56:26+00:00 DEBUG: HORDE [horde] Load config file (hooks.php; app: imp) [pid 503 on line 108 of "/usr/share/php/Horde/Registry/Loadconfig.php"]
2018-12-21T07:56:26+00:00 DEBUG: HORDE [horde] Hook preauthenticate in application imp called. [pid 503 on line 57 of "/usr/share/php/Horde/Core/Hooks.php"]
2018-12-21T07:56:26+00:00 WARN: HORDE [horde] PHP ERROR: ldap_bind(): Unable to bind to server: Invalid credentials [pid 503 on line 74 of "/etc/horde/imp/hooks.php"]
2018-12-21T07:56:26+00:00 DEBUG: HORDE 1. Horde_Registry->isAuthenticated() /usr/share/horde/login.php:62
2. Horde_Core_Auth_Application->transparent() /usr/share/php/Horde/Registry.php:2194
3. Horde_Core_Auth_Application->transparent() /usr/share/php/Horde/Core/Auth/Application.php:394
4. Horde_Core_Auth_Application->runHook() /usr/share/php/Horde/Core/Auth/Application.php:388
5. Horde_Core_Hooks->callHook() /usr/share/php/Horde/Core/Auth/Application.php:605
6. IMP_Hooks->preauthenticate() /usr/share/php/Horde/Core/Hooks.php:61
7. ldap_bind() /etc/horde/imp/hooks.php:74
8. Horde_ErrorHandler::errorHandler()

Which credentials are meant here? The credentials from the Horde config or the user credentials?

Inside the app container I can run univention-ldapsearch and it shows me all the information.

Any ideas how I can narrow down the problem?

Thanks,
Robert

crbble · December 21, 2018, 8:53am

The ldap password in the container in /etc/horde/horde/conf.d/10-ucs.conf is the same as the machine password in /etc/machine.secret. For whatever reason that password was changed during the last update and not committed to the horde config. Running ucr commit 10-ucs.conf in the directory /etc/horde/horde/conf.d/ in the docker container solved the problem.

Moritz_Bunkus · January 17, 2019, 1:11pm

For the sake of anyone else stumbling across this issue: the discussion continues in the following thread:

ami · October 10, 2019, 12:06pm

Hello, we had the same problem and could solve it the same way. Thank you for your hints!

My question: Will changes (i.e. cron tasks) inside the horde-docker get lost after an horde/docker update?

Background: I created a cron task to execute “ucs commit /etc/horde/horde/conf.d/10-ucs.php” every day in the morning to prevent this login problem in case a new machine secret is generated.

I have three different UCS servers as domain masters for three different domains, all have the same horde login problem and all could be fixed with the ucr commit.

Is there a better way to fix this problem?

Moritz_Bunkus · October 10, 2019, 12:14pm

Yes. Don’t modify container content.

Sure, execute the cron job on the Docker host & use Docker’s exec sub-command to run the command inside the container:

docker exec -ti $(ucr get appcenter/apps/horde/container) /usr/sbin/ucr commit …

Note that I don’t have Horde installed at the moment. The name of the Horde app’s UCR variables might not be appcenter/apps/horde/…. Check with univention-app info.

Note that there has been some activity in the corresponding bug recently.