[GH-ISSUE #290] auth question #252

Closed
opened 2026-02-25 21:34:33 +03:00 by kerem · 5 comments

Originally created by @lesar on GitHub (Oct 11, 2018).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/290

Originally assigned to: @jasonmunro on GitHub.

Premise

I have a local OpenLDAP server successfully installed on my Ubuntu 16.04 desktop 64-bit.

In hm3.ini I have chosen the LDAP auth_type and ldap_auth_base_dn="ou=mail-accounts,dc=uffalg,dc=net"
In this base I have put an inetOrgPerson using these attributes:
uid name and
userPassword set by SSHA of my password.

I have configured Cypht using this config file:
sudo vim /etc/apache2/sites-enabled/cypht.conf

Alias /mail /usr/local/share/cypht/site

<Directory /usr/local/share/cypht/site>
        Options FollowSymLinks
        DirectoryIndex index.php
        Require all granted
        AllowOverride All
        Options +Indexes +FollowSymLinks

        <IfModule mod_php.c>
                AddType application/x-httpd-php .php

                php_flag magic_quotes_gpc Off
                php_flag track_vars On
                php_flag register_globals Off
                php_value include_path .
        </IfModule>
</Directory>

Alias /mail-debug /usr/local/share/cypht

<Directory /usr/local/share/cypht>
        Options FollowSymLinks
        DirectoryIndex index.php
        Require all granted
        AllowOverride All
        Options +Indexes +FollowSymLinks

        <IfModule mod_php.c>
                AddType application/x-httpd-php .php

                php_flag magic_quotes_gpc Off
                php_flag track_vars On
                php_flag register_globals Off
                php_value include_path .
        </IfModule>
</Directory>

I use http://localhost/mail-debug/ to see the site and it shows with no error.
I cannot log in using the user name and password stored in my inetOrgPerson:
no error, but it says Nome utente o password errati (in Italian language)

Questions

What can I do to let me log in?
Have I made some configuration error?
Is my LDAP data wrong?
How can Cypht read LDAP data if I have not given it an authorized DN user and password?
Is there some place to put this data?

Forgive my confusion.
best regards,
Leonardo


@jasonmunro commented on GitHub (Oct 11, 2018):

Hi @lesar thanks for the feedback. LDAP Authentication works by using the username and password supplied to Cypht to attempt to login (or "bind" as they say) to the LDAP server, so to use LDAP authentication your inetOrgPerson entries need to be able to login to the LDAP server itself. At this time we don't support using the LDAP server as a source to lookup usernames and compare passwords.


@lesar commented on GitHub (Oct 11, 2018):

Thanks @jasonmunro for your answer.

I had supposed that the LDAP authentication works like DB authentication in similar mail clients.

I have changed the base to ldap_auth_base_dn="dc=uffalg,dc=net", run config_gen.php and restarted Apache. After this I tried to log in using the server LDAP admin user and his password, but can't log in.

Can you explain to me how Cypht LDAP authentication works?

Can you write an hm3.ini example LDAP configuration explaining what data Cypht expects to be in the LDAP database?

I had supposed that a successful user login gives the user access to his login data (mail-server, mail-user, mail-psw, ...) so Cypht can open all the user's login accounts to show mail.

best regards,
Leonardo


@jasonmunro commented on GitHub (Oct 11, 2018):

> I have changed the base to ldap_auth_base_dn="dc=uffalg,dc=net", run config_gen.php and restarted Apache. After this I tried to log in using the server LDAP admin user and his password, but can't log in.

> Can you explain to me how Cypht LDAP authentication works?

All Cypht does is use the base dn as defined, and attempt to bind to the LDAP server with the username and password you login with. If the binding works, you should be logged into Cypht. To troubleshoot this, you should try logging in with debug mode enabled and look in the PHP/webserver error log for clues. Failed logins output useful information when in debug mode so that should help narrow down the issue.

> Can you write an hm3.ini example LDAP configuration explaining what data Cypht expects to be in the LDAP database?

Cypht does not actually use anything from the LDAP database, it merely tries to bind with the user and password supplied for authentication.

> I had supposed that a successful user login gives the user access to his login data (mail-server, mail-user, mail-psw, ...) so Cypht can open all the user's login accounts to show mail.

Currently we don't support using LDAP as a source for mail server information, sorry about that. We support using LDAP as a contact store, and for authentication as described above.

Typically sites that use LDAP as a single source for authentication have both the IMAP server and the SMTP server authenticating to it. If that is true in your case, I would recommend configuring Cypht to use IMAP authentication. In that scenario Cypht authenticates to the IMAP server, which in turn uses LDAP to verify the user and password. This will also cause Cypht to automatically add that IMAP server to the user's list of accounts inside Cypht.


@lesar commented on GitHub (Oct 12, 2018):

Thanks @jasonmunro,
I actually have no error in debug mode on the display, and this error in the Apache error.log:

[Fri Oct 12 09:50:48.860009 2018] [:error] [pid 12618] [client 127.0.0.1:52018] 
Array\n(\n
    [0] => Using Hm_PHP_Session with Hm_Auth_LDAP\n
    [1] => Using file based user configuration\n
    [2] => Using sapi: apache2handler\n
    [3] => Request type: HTTP\n
    [4] => Request path: /mail-debug/\n
    [5] => TLS request: 0\n
    [6] => Mobile request: 0\n
    [7] => Page ID: home\n
    [8] => Deleting cookie: name: hm_msgs, lifetime: 1539327048, path: /mail-debug/, domain: localhost, secure: , html_only 1\n
    [9] => TRANSLATION NOT FOUND :Cypht:\n
    [10] => TRANSLATION NOT FOUND :You need to have Javascript enabled to use %s, sorry about that!:\n
    [11] => PHP version 7.0.32-0ubuntu0.16.04.1\n
    [12] => Zend version 3.0.0\n
    [13] => Peak Memory: 2048\n
    [14] => PID: 12618\n
    [15] => Included files: 66\n
)\n
, referer: http://localhost/mail-debug/

I am using php-fpm and in my php.ini I have:
sudo cat /etc/php/7.0/fpm/php.ini | grep -v ";" | grep error

error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = On
display_startup_errors = Off
log_errors = On
log_errors_max_len = 1024
ignore_repeated_errors = Off
track_errors = Off
html_errors = On
error_log = php_errors.log

regards,
Leonardo


@lesar commented on GitHub (Oct 12, 2018):

Stop, I have solved it:
Looking in your code I noticed in auth.php (https://github.com/jasonmunro/cypht/blob/master/lib/auth.php) line 337:
$user = sprintf('cn=%s,%s', $user, $base_dn);
In my login I had used the full user DN and not only the user name. Sorry.

Using only the name it works.

best regards,
Leonardo
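As an added example, not Cypht's own code, here is a minimal PHP login routine that follows the bind-with-cn=<username>,<base_dn> approach the maintainer describes (the same pattern as the sprintf line quoted above), with two checks a deployment should have on top: the username is DN-escaped, and an empty password is refused instead of being sent to the server as an unauthenticated bind. The LDAP URI, base DN and credentials are constructed sample values.

```php
<?php
// Added example, not Cypht's own code: a simple-bind LDAP login following the
// cn=<username>,<base_dn> pattern from the thread, with the checks a hardened
// deployment needs. URI, base DN and credentials below are constructed samples.

// Build the bind DN the way the thread describes, escaping the username so
// that characters such as ',' or '=' cannot add extra RDN components.
function build_bind_dn(string $user, string $base_dn): string
{
    return sprintf('cn=%s,%s', ldap_escape($user, '', LDAP_ESCAPE_DN), $base_dn);
}

// Returns true only when the server accepts a simple bind with the user's own
// credentials. An empty password is refused before any network call: LDAP
// treats a bind with a DN and an empty password as an unauthenticated bind,
// and whether the server accepts it is a server setting, so a client that
// forwards it would let any known username log in without a password.
function ldap_login(string $uri, string $base_dn, string $user, string $pass): bool
{
    if ($user === '' || $pass === '') {
        return false;
    }
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Upgrade the connection with StartTLS before the password is sent.
    if (!ldap_start_tls($conn)) {
        error_log('LDAP StartTLS failed: ' . ldap_error($conn));
        ldap_close($conn);
        return false;
    }
    $dn = build_bind_dn($user, $base_dn);
    $ok = @ldap_bind($conn, $dn, $pass);
    if (!$ok) {
        // Log the DN (never the password): a mismatch such as an entry whose
        // RDN is uid=... rather than cn=... shows up here immediately.
        error_log(sprintf('LDAP bind failed for %s: %s', $dn, ldap_error($conn)));
    }
    ldap_close($conn);
    return $ok;
}

// Constructed sample call using the base DN from the thread; the user logs in
// with the bare name "leonardo", not the full DN.
var_dump(ldap_login('ldap://127.0.0.1', 'ou=mail-accounts,dc=uffalg,dc=net', 'leonardo', 'secret'));
```

Running it with debug logging enabled reproduces the troubleshooting path from the thread: the logged DN shows at once whether the entry's RDN attribute and the base DN match what the user typed.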
