[GH-ISSUE #292] Ldap contact and password strange behavior #254

Closed
opened 2026-02-25 21:34:34 +03:00 by kerem · 7 comments

Originally created by @lesar on GitHub (Oct 15, 2018).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/292

Originally assigned to: @jasonmunro on GitHub.

I'm trying cypht and I like it a lot.

I have configured the ldap module and it works well. I have put the user and psw in the site config and not in the module ini file. I tried to remove the user and psw but:

  • If I put a blank empty value, no changes are saved.
  • If I put some random letters and save the change, the change is saved, but the ldap contact module still reads all contacts.

Is there a ldap search on the roadmap?

Best regards,
Leonardo


@jasonmunro commented on GitHub (Oct 17, 2018):

> I'm trying cypht and I like it a lot.

Thanks! I appreciate your feedback.

> I have configured the ldap module and it works well. I have put the user and psw in the site config and not in the module ini file. I tried to remove the user and psw but:

I would not recommend doing that, but I don't think it breaks anything.

>   • If I put a blank empty value, no changes are saved.
>   • If I put some random letters and save the change, the change is saved, but the ldap contact module still reads all contacts.

To clarify - you are changing the hm3.ini file to remove the user and pass values for the LDAP server, then rerunning the config_gen.php script (and logging out and back in) - and it still is able to access the LDAP contact list?

If that is correct, are you sure your LDAP server is configured to require authentication?

> Is there a ldap search on the roadmap?

Not currently, but it would be a nice improvement especially for large addressbooks. I will create a new issue to track that request.


@lesar commented on GitHub (Oct 18, 2018):

> To clarify - you are changing the hm3.ini file to remove the user and pass values for the LDAP server, then rerunning the config_gen.php script (and logging out and back in) - and it still is able to access the LDAP contact list?

No, I'm trying to change this setting on http://localhost/mail/?page=settings
under `Addressbooks -> Personal`

In my hm3.ini I have put only the `ldap_auth_base_dn` and give the user and pws at run time during authentication.

In ldap.ini I have ***not*** put user and pws.

> If that is correct, are you sure your LDAP server is configured to require authentication?

My Ldap server is configured to require authentication: I have installed it.

Best regards,
Leonardo


@jasonmunro commented on GitHub (Oct 18, 2018):

@lesar Ok, thanks for the clarification. I will dig into that part of the code and see what is going on!


@jasonmunro commented on GitHub (Oct 18, 2018):

Looks like the code is not actually using the username and password from the settings page! Because of that, we are doing an "anonymous bind" to the server. I just tested this locally and see what you are seeing. However, if you are still getting a contact list from your LDAP server that likely means you have not disabled anonymous binding, so you might want to check that. I had to apply an ldif like:

```
dn: olcDatabase={-1}frontend,cn=config
add: olcRequires
olcRequires: authc
```

Working on a fix for the username and password now.


@jasonmunro commented on GitHub (Oct 18, 2018):

A fix has been pushed to the master branch. Thanks for the feedback!


@lesar commented on GitHub (Oct 19, 2018):

Thank you for the fix. You are right, I have anonymous binding enabled: I did not know that in Ubuntu it is enabled by default.

Now I have disabled it.

To disable it I have used this ldif:

```ldif
#sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /usr/share/slapd/ldap_disable_bind_anon.ldif
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon

dn: cn=config
changetype: modify
add: olcRequires
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
```
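
One way to confirm that the changes in the LDIF above are in place, as an added example that is not part of the original comment or of Cypht: the script reads an export of `cn=config` and reports which of the three settings from that LDIF are missing. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a cn=config export for the three settings in the LDIF above.
# The sample records are constructed; on a live host the input would come from e.g.
#   sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -LLL

# Print one line per missing setting; print nothing when all three are present.
anon_bind_findings() {
    printf '%s\n' "$1" | awk '
        tolower($0) ~ /^dn:/ {                 # new record: remember its DN
            dn = tolower($0); sub(/^dn:[ \t]*/, "", dn); gsub(/[ \t]/, "", dn); next
        }
        /^[ \t]*$/ { dn = ""; next }           # blank line ends the record
        {
            line = tolower($0)                 # attribute names are case-insensitive
            if (dn == "cn=config" && line ~ /^olcdisallows:.*bind_anon/) disallow = 1
            if (dn == "cn=config" && line ~ /^olcrequires:.*authc/) req_global = 1
            if (dn == "olcdatabase={-1}frontend,cn=config" &&
                line ~ /^olcrequires:.*authc/) req_front = 1
        }
        END {
            if (!disallow)   print "cn=config: olcDisallows bind_anon is not set"
            if (!req_global) print "cn=config: olcRequires authc is not set"
            if (!req_front)  print "frontend database: olcRequires authc is not set"
        }'
}

# Exit status 0 only when none of the settings is missing.
anon_bind_blocked() { [ -z "$(anon_bind_findings "$1")" ]; }

# Constructed sample: no restriction configured.
SAMPLE_OPEN='dn: cn=config
objectClass: olcGlobal

dn: olcDatabase={-1}frontend,cn=config
olcDatabase: {-1}frontend'

# Constructed sample: only the frontend olcRequires from the earlier comment applied.
SAMPLE_FRONTEND_ONLY="$SAMPLE_OPEN
olcRequires: authc"

# Constructed sample: all three changes applied.
SAMPLE_HARDENED='dn: cn=config
objectClass: olcGlobal
olcDisallows: bind_anon
olcRequires: authc

dn: olcDatabase={-1}frontend,cn=config
olcDatabase: {-1}frontend
olcRequires: authc'

anon_bind_findings "$SAMPLE_OPEN"
anon_bind_blocked "$SAMPLE_HARDENED" && echo "hardened sample: anonymous bind blocked"
```

`olcDisallows: bind_anon` makes slapd reject anonymous bind requests, while `olcRequires: authc` makes it require authentication before directory operations, which is why the audit reports them separately.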

@jasonmunro commented on GitHub (Oct 30, 2018):

I believe this is resolved so I'm closing this issue. Thanks for the feedback! If you are still having problems please re-open or file a new issue.
