mirror of
https://github.com/cypht-org/cypht.git
synced 2026-04-25 04:56:03 +03:00
[GH-ISSUE #97] LDAP contact support #78
Originally created by @jasonmunro on GitHub (Jul 14, 2016).
Original GitHub issue: https://github.com/cypht-org/cypht/issues/97
Originally assigned to: @jasonmunro on GitHub.
Add support to the contacts module to allow remote read-only addresses from an LDAP server. This will require an ini file for the LDAP server configuration details.
@chlarsen commented on GitHub (Jul 14, 2016):
Thank you so much for that, Jason.
Actually, squinting at RoundCubeMail's functionality in the respect, it may make sense to have read AND write access to the LDAP address book, in line with permissions set in the OpenLDAP configuration. This way, we can have a centrally controlled "corporate" address book as well as private, editable one for each user, all in OpenLDAP. (This can then work well with LDAP-based knowledge management systems, and such, and Cypht would be a possible private address book management tool.)
Thoughts? Thanks a lot, indeed,
Chris
@jasonmunro commented on GitHub (Jul 14, 2016):
Makes perfect sense :) For a first step, I'm building read-only support in a similar way we get access to gmail contacts. After that I will address the ability to add/edit/delete (hopefully in a way that facilitates other remote contact store editing). Also this way you can test the read-only bits first to make sure I'm on the right track. I already have raw read-only access coded locally, I just need to parse the results and shove them in the local contact store code and they should be available!
One thing to note, the Cypht contact module has local contacts, and currently it's not configurable (you can disable all contacts, but not just the local contacts. If your intent is to use ldap to replace that, I might need to add the ability to disable local contact management).
@jasonmunro commented on GitHub (Jul 14, 2016):
Another thought - contacts currently are VERY simple, just a display name, E-mail address, and phone number. I'm assuming if we are going to support a robust contact storage mech like LDAP, we will need to expand that to other fields. I'm curious if you have a list of fields you would like to see supported?
@jasonmunro commented on GitHub (Jul 14, 2016):
Well, here is a good start! Very simple LDAP based read-only contact support:
github.com/jasonmunro/hm3@a344adfa78
This requires that an ldap.ini file be configured and placed in the "app path". More info about setting module-specific ini files can be found in section 6 here:
https://cypht.org/install.html
Currently we only support anonymous bind or using hard coded values - these are not tied to a user account, so that will be something additional to add. If you get a chance to test this out, it would be greatly appreciated!
@chlarsen commented on GitHub (Jul 15, 2016):
Dear Jason,
Thanks a lot, indeed! I will test asap - will be out of the reach of the Gods of the Internet intermittently.
Just a thought: Would it make sense to let OpenLDAP "dictate" whether address book trees are r/o or rw? Going further: Would it be possible to actually make OpenLDAP throw a list of address book fields at us, from where the user can select those that s/he wants to use (ro mode) or populate (r/w mode)? This would be more useful than hardcoding fields - you know how flexible OpenLDAP directories can be!
More soonest - and thank you very much!
Chris
@dumblob commented on GitHub (Jul 15, 2016):
This sounds like the best idea (among other things completely avoiding future maintenance of a hard-coded list of fields).
@jasonmunro commented on GitHub (Jul 15, 2016):
I agree that it sounds like a great idea, but there are some complications with that approach:
I think building forms around the inetOrgPerson schema (https://tools.ietf.org/html/rfc2798) is the best way to go for now. This appears to be pretty standard for addressbook entries (it also appears to be what roundcube uses).
@chlarsen commented on GitHub (Jul 16, 2016):
Dear Jason,
Thanks a lot for your comments; sorry for my sluggish reply. Some thoughts how we might solve this catch-22:
inetOrgPerson schema is a perfect default.
I have the following schema activated: inetOrgPerson, qmailUser for (guess what) Qmail users, extensibleObject for security questions. I use Self Service Password from the LDAP Tool Box, which allows to have this security question feature: http://ltb-project.org/wiki/documentation/self-service-password. This is necessary to accommodate those users that do not have an e-mail account... The qmailUser schema allows to set quota, Maildirs, etc - useful for mail admins and NOT required to be accessible from within the webmail client, but also aliases - something useful at the end user level. Other mail servers may require extra schemes possibly...
What do you think?
Have a great weekend,
Chris
@dumblob commented on GitHub (Jul 16, 2016):
@jasonmunro good points, I'll try to mention some of my findings.
personobjects; edit existing fields; no adding of object fields; no add/copy/remove on other types of objects, no addition of unspecified new objects, nothing...).
@dumblob commented on GitHub (Jul 16, 2016):
Overview of usual schemas in LDAP: http://www.zytrax.com/books/ldap/ch3/#schemas . It's probably not standardized (I didn't check it), but seems to be widespread.
@chlarsen commented on GitHub (Jul 16, 2016):
Thanks a lot, Jason.
A good way to get this going may well be to just start implementing the inetOrgPerson scheme. Looking at the facilities offered by SquirrelMail and other "old hands", alias display (r/o records) or management (r/w management) is not a bad thing to find in a webmail client. Quota display is, of course great, but can be done via IMAP. We can always expand features, once usability of a core set of features has been experienced.
Having said this, I have not even had a chance to try your r/o version, because internet is atrocious. Will, of course, do asap. Apologies therefore for my entirely theoretical remarks!
BTW, the link you sent on usual LDAP schemas looks pretty much standard and familiar - great stuff to use as reference.
Thanks a lot!
Chris
Dr Christoph H. Larsen
synaLinQ
296/33 Lương Định Của, Ngọc Hội 2, Vĩnh Ngọc
Nha Trang, Khánh Hòa, Việt Nam
Mobile: +84-98-9607357 (Vietnam)
+254-776-588224 (Kenya)
+256-778-121305 (Uganda)
+49-176-96456254 (Germany)
Fax: +49-231-292734790
E-mail: christoph.larsen@synalinq.com
Skype: christoph.larsen
@jasonmunro commented on GitHub (Jul 17, 2016):
@chlarsen and @dumblob, thanks for the great feedback! I have a plan to move forward with this.
First thing I'm going to do, is split the contacts module set up. There will be a contact module set, and module set "backends" that can be enabled. The contacts set will only setup the pages and menu entries, and enabled backend sets will populate the contacts for these views/features. All the backends can be enabled at once, or just the ones you want (but at least one needs to be enabled). The breakdown of module sets will be:
contacts
local_contacts
gmail_contacts
ldap_contacts
For the ldap_contacts backend I'm going to build simple management stuff around the inetOrgPerson schema, but in such a way that it will be easy to customize. One of the goals of the module set system is to be able to modify the behavior of the program without having to hack any existing code, so I'm going to leverage this for custom contact fields. This design will give us pretty standard support out of the box, but also mirror the flexibility of ldap by making it easy to add/remove fields from entries.
We also need to add support for per user binding, and multiple ldap sources, but that will come after the basic management features, and shouldn't be too hard to add if I build the rest properly :)
@chlarsen commented on GitHub (Jul 18, 2016):
Dear Jason,
Thank you again for your mail. Modular approach - terrific! This would actually enable us to go one (very popular) step further, time and resources permitting:
contacts
local_contacts
gmail_contacts (am staying away from that one given the sensitivity of health-related records)
ldap_contacts
CardDAV_contacts (I am using radicale presently, but may have to go for sth easier to the eye for non-suspecting sub-admins :-) )
Of course, all of this step by step, but I have become a friend of DAVDroid on my Android phone, as I could actually do away with Dr Google completely that way...
Thoughts?
A huge thank you from Nairobi!
Chris
@jasonmunro commented on GitHub (Jul 18, 2016):
Phase 1 of splitting the contacts module set up is mostly done. I still need to tweak the local contact management features to play nice with other contact backends that will have editing enabled, but it's a good start. We can now disable/enable local/gmail/ldap contacts independently of each other.
@chlarsen commented on GitHub (Jul 19, 2016):
Absolutely terrific. Thank you!
Chris
@jasonmunro commented on GitHub (Jul 21, 2016):
UPDATE: multiple back end editing issues are fixed, and I just used the code to add an LDAP contact! WOOT! I still need to finish editing and deleting, but it's getting closer!
@chlarsen commented on GitHub (Jul 21, 2016):
GREEEEAT!!!!!
@jasonmunro commented on GitHub (Jul 21, 2016):
Initial versions of delete and edit contact are done!
There is definitely more to test/tweak, but so far so good :). Next I will add support for adding from the message view, just like for local contacts (I already updated the UI, but there is no process to actually do the add from that context yet), then I need to test the field set in the form to make sure I didn't typo anything (and update the HTML elements to more specific types than just "text" for fields that are more restricted). After that, the last thing is expanding support for more than one LDAP store and to tie the user login to the bind process.
As for customizing, I built the form from individual modules for each field, so using the "site" module set, you can disable any fields you don't want (or add one that does not exist). If you need to muck around with field names because of differences in schema, there is a single module that takes the add/edit form data and coerces into an LDAP entry. This too can be overridden in the site module set to tweak any of the field names (and would need to be overridden if new fields are added).
@jasonmunro commented on GitHub (Jul 21, 2016):
So to summarize the customization options:
This makes it possible to customize the add/edit form for a specific setup without having to modify any core code. It's not super simple like creating an array, you will need to create some site specific code, but it's also not too difficult. This is one of the big reasons the module system is designed the way it is. It's not unlike the way django manages middleware, if anyone is familiar with that, though even more powerful in some respects since it applies to the entire application and not just middleware functionality.
@dumblob commented on GitHub (Jul 22, 2016):
Great news! Once I have an access to some LDAP server (hm, maybe I should run it myself), I'm happy to test it.
@chlarsen commented on GitHub (Jul 22, 2016):
Dear Jason,
I am swamped by work presently, but will install and test asap. It is actually part of the installation work here :-).
Kindly bear with me! Huge thanks!
Chris
@jasonmunro commented on GitHub (Jul 27, 2016):
Chris,
No worries about the time frame. Whenever you get a chance to test is great. In the meantime I am continuing to add features! :) Yesterday I added a flag to set the ldap backend as read-only/read-write, and I moved the objectclass definition to the ini file for easier customization. I have 2 things left to do (that I know of):
Thanks
@jasonmunro commented on GitHub (Jul 27, 2016):
Multiple LDAP backend support is committed, and I added some comments to the ldap.ini file to explain the options (though they are pretty straightforward for anyone who has configured an LDAP server).
@chlarsen commented on GitHub (Jul 27, 2016):
This is terrific news. I will dig in as soon as I ever can.
Warm regards from Kenya,
Chris
@jasonmunro commented on GitHub (Aug 2, 2016):
Initial per-user binding support is in. For any LDAP backend defined in the ldap.ini file that has "auth" set to true, but leaves user and pass unset, the user will have an option on the Settings -> Site page to fill out the username and password based on the name from the ini file. The username is automatically formatted (cn=username,<base_dn>), so you only need to enter the cn portion.
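The per-user bind above derives the bind DN from a user-entered cn (cn=username,<base_dn>). As an added example that is not Cypht's code, here is how a client can compose that DN so the entered value always stays exactly one RDN, escaping it per RFC 4514; the base_dn and the sample names are constructed.

```python
# Bind DN composition for a per-user LDAP bind (added example, not Cypht's code).
# RFC 4514 section 2.4: these characters must be escaped inside an attribute
# value; a leading '#' and leading/trailing spaces are handled positionally.
_SPECIAL = set('\\,+"<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 string form)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\%02x" % ord(ch))   # hex-pair form for control characters
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(cn: str, base_dn: str) -> str:
    """Compose cn=<cn>,<base_dn> so the entered cn is always exactly one RDN."""
    if not cn.strip():
        raise ValueError("cn must not be empty")
    return f"cn={escape_dn_value(cn)},{base_dn}"


def split_rdns(dn: str) -> list:
    """Split a DN on unescaped commas, to check the structure is as intended."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts
```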
@jasonmunro commented on GitHub (Aug 19, 2016):
@chlarsen, hope you are still out there! Happy to help with any issues that come up with this if you are still interested. I'm going to close this issue since the initial work is done. If you run into trouble feel free to open a new one!
@chlarsen commented on GitHub (Aug 20, 2016):
Dear Jason,
I am actually truly out there. Just finished installation of the network (replacing an old crappy cabled LAN) with four high-power wireless access points to cover the entire hospital compound.
And guess what is on my workplan today? Cypht! Finalmente! I had a quick read through hm3.ini - thanks a lot for the very carefully written comments; I know different :-).
I will let you know asap, how it goes, will stash it behind Nginx as reverse proxy. I don't need feeds, so a dedicated memcached is probably less useful than memcached-enabled PHP session management, right?
More soonest, and I do owe you some photos to start with!
Chris
@chlarsen commented on GitHub (Aug 20, 2016):
Dear Jason,
I have been able to install and configure Cypht. Authentication is done via IMAP (with STARTTLS), as this is probably the easiest thing to do and feeds on existing openLDAP user and group permissions to the mail server. I use imapproxyd to avoid repeated log attempts during a session. Cypht sits behind Nginx as reverse proxy, which does all the caching and SSL'ing, hence no worries with that in Cypht. User configs are stored in PostgreSQL.
I have, in parallel, set up a test account on Thunderbird just to make sure I got the credentials right.
What happened is this:
-------------------------------------%<-------------------------------
Aug 20 19:17:02 www_php php-fpm[9992]: PHP Warning: ini_set():
session.configuration 'session.hash_function' must be existing hash
function. sha256 does not exist. in
/home/www_php/mmc.lan/cypht/lib/ini_set.php on line 40
Aug 20 19:17:02 www_php php-fpm[9992]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => Using sapi: fpm-fcgi [3] => Request type:
HTTP [4] => Request path: /cypht/ [5] => TLS request: 0 [6]
=> Mobile request: 0 [7] => Page ID: home [8] => Redirecting to
/cypht/ [9] => PHP version 5.6.24 [10] => Zend version 2.6.0
[11] => Peak Memory: 3328 [12] => PID: 9992 [13] => Included
files: 53 )
-------------------------------------%<-------------------------------
I thought this may be due to the fact that I have sha256 hashed passwords in OpenLDAP (the best there currently is for OpenLDAP!), so I deactivated the LDAP contact module, just to be safe. Alas, the error persists.
So, for now, I am only allowed to admire the login screen :-). Am I missing something?
Thanks a lot for your help!
Chris
@jasonmunro commented on GitHub (Aug 20, 2016):
@chlarsen, Looks like your PHP installation is missing that hash algo. You can see what hashes are registered in PHP with the following command line:
php -r 'print_r(hash_algos());'
My guess is that your OS has some sort of php-hash package that needs to be installed. What OS are you using?
@jasonmunro commented on GitHub (Aug 20, 2016):
a couple other notes:
It's odd that the hash functions are not available - seems that is part of PHP core since 5.1 (it is still possible your OS packages these functions in a different package than PHP core). Also, I agree that IMAP auth is a good approach for your setup. It automatically makes that IMAP server available in your list of E-mail accounts. I would avoid the memcached sessions since they are a bit volatile (it's easy to get logged out accidentally). Technically, we don't need to set that particular ini value, you could comment out /home/www_php/mmc.lan/cypht/lib/ini_set.php line 40, but we use that hash algo in other places as well, so if sha256 (and sha512) are not in the output of the hash_algos() command, cypht will fail to work properly.
@chlarsen commented on GitHub (Aug 21, 2016):
Dear Jason,
Thanks a lot for coming back to me so quickly. I did check for the proper installation of php hashes even before writing to you, and yes, they are there, sha256 included.
I am running FreeBSD 10.3, and the PHP web application server sits in a jail with Nginx in a different jail serving as reverse proxy.
This is strange, isn't it?
Chris
@jasonmunro commented on GitHub (Aug 21, 2016):
If sha256 is listed in the hash output, let's just comment out the offending line and see what happens :)
@jasonmunro commented on GitHub (Aug 21, 2016):
Googling the exact error shows other people having this issue. sha256 listed in the hash_algos output, PHP 5.6, and the inability to set the session hash. Unfortunately, I'm not seeing a solution other than don't use this directive or change PHP versions (I also can't repeat the problem on Debian with PHP 5.6)
With all that in mind, I just pushed a work around to the code. If the current version of PHP is 5.6.*, we set this value to 1 which is the equivalent of SHA1. Can you pull the latest code from github and see if it resolves the problem?
Thanks
@chlarsen commented on GitHub (Aug 21, 2016):
Thanks a lot, Jason,
allow me to do this tomorrow, as I have to complete an urgent report today. Yes, I am using PHP 5.6 - could our friend Suhosin be the problem? Let me comment out that one, too - BEFORE downloading the latest code.
More news tomorrow morning (GMT+3).
Much appreciated!
Chris
@jasonmunro commented on GitHub (Aug 21, 2016):
@chlarsen ,
No worries, let me know whenever works for you :) I think suhosin could be related. I can't get that to install on my debian systems, so I'm going to compile PHP from scratch and include the suhosin patch and extension so I can test it out. Cypht has a focus on security and already does a lot of things suhosin provides, but I want to make sure they play nice together :)
@jasonmunro commented on GitHub (Aug 21, 2016):
I managed to get the suhosin extension compiled against my Debian PHP 5.6 packages, enabled it, and was able to login to Cypht without any issues, so I don't think it's the source of our problems.
@chlarsen commented on GitHub (Aug 22, 2016):
Dear Jason,
Agreed: Disabling suhosin does not bring any joy, either. Commenting out line 40 in [full path to cypht]/lib/ini_set.php does not make any difference, except that the error message about the hash disappears. I am still bounced. Let me run a few more checks from my end... Hmmm...
Chris
@chlarsen commented on GitHub (Aug 22, 2016):
Dear Jason,
Just confirming that I have the test user account working smoothly on Thunderbird, as local mail within the LAN. (We barely have any internet here, so this mail system is for in-house, only. Great also for LDAP password self-service... :-) )
I noted that the Dovecot server throws this whenever I try to log in via Cypht:
Aug 22 15:15:40 mail dovecot: imap-login: Disconnected (no auth attempts
in 0 secs): user=<>, rip=127.0.1.106, lip=127.0.1.107,
session=<lBezAag6b6F/AAFq>
This looks initially a bit like a firewall issue, but I can telnet into port 143 from my php jail (127.0.1.106) to my mail jail (127.0.1.107) without problems. (I have deactivated imapproxy running inside my php jail for now to make debugging easier...)
The hash error message is still with us:
Aug 22 15:17:52 www_php php-fpm[11722]: PHP Warning: ini_set():
session.configuration 'session.hash_function' must be existing hash
function. sha256 does not exist. in
/home/www_php/mmc.lan/cypht/lib/ini_set.php on line 40
Aug 22 15:17:52 www_php php-fpm[11722]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => Using sapi: fpm-fcgi [3] => Request type:
HTTP [4] => Request path: /cypht/ [5] => TLS request: 0 [6]
=> Mobile request: 0 [7] => Page ID: home [8] => Redirecting to
/cypht/ [9] => PHP version 5.6.24 [10] => Zend version 2.6.0
[11] => Peak Memory: 3328 [12] => PID: 11722 [13] => Included
files: 53 )
If I DO activate IMAPProxy, I get something I do not get on my main server:
Aug 22 15:24:41 www_php in.imapproxyd[7205]: IMAP_Line_Read(): Protocol
error. Line terminated by LF, not CRLF
We can leave this for later :-).
Any ideas?
Chris
@chlarsen commented on GitHub (Aug 22, 2016):
Dear Jason,
After more testing, no news from my end - just wanted to make dead sure that my IMAP server setup is correct. It works flawlessly from within Thunderbird (with STARTTLS on port 143), plus SMTP with STARTTLS on port 25 all running on the LAN.
Strange...
Chris
@jasonmunro commented on GitHub (Aug 22, 2016):
@chlarsen,
Very strange! Let's add the following debug, attempt to login, then check the logs. It should output the conversation with the IMAP server so we can tell what is going on.
https://gist.github.com/jasonmunro/b3a00e6429102a302dfaab7b0bb02f1b
@chlarsen commented on GitHub (Aug 22, 2016):
Thanks a lot, Jason,
And here is what we get:
Aug 22 17:35:19 www_php php-fpm[15637]: PHP Warning: ini_set():
session.configuration 'session.hash_function' must be existing hash
function. sha256 does not exist. in
/home/www_php/mmc.lan/cypht/lib/ini_set.php on line 40
Aug 22 17:35:19 www_php php-fpm[15637]: string: Debug Array ( [0] =>
Connecting to tls://mail.jail.vlan on port 143 [1] => Could not
connect to the IMAP server [2] => fsockopen errors #0. ) Response
Array ( )
Aug 22 17:35:19 www_php php-fpm[15637]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => Using sapi: fpm-fcgi [3] => Request type:
HTTP [4] => Request path: /cypht/ [5] => TLS request: 0 [6]
=> Mobile request: 0 [7] => Page ID: home [8] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/auth.php.debug at line 215 [9] =>
Redirecting to /cypht/ [10] => PHP version 5.6.24 [11] => Zend
version 2.6.0 [12] => Peak Memory: 3840 [13] => PID: 15637 [14]
=> Included files: 53 )
Aug 22 17:35:19 www_php php-fpm[15637]: PHP Warning: ini_set():
session.configuration 'session.hash_function' must be existing hash
function. sha256 does not exist. in
/home/www_php/mmc.lan/cypht/lib/ini_set.php on line 40
Aug 22 17:35:19 www_php php-fpm[15637]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => Using sapi: fpm-fcgi [3] => Request type:
HTTP [4] => Request path: /cypht/ [5] => TLS request: 0 [6]
=> Mobile request: 0 [7] => Page ID: home [8] => TRANSLATION NOT
FOUND :MMC Webmail: [9] => TRANSLATION NOT FOUND :You Need to have
Javascript enabled to use MMC Webmail, sorry about that!: [10] =>
PHP version 5.6.24 [11] => Zend version 2.6.0 [12] => Peak Memory:
4096 [13] => PID: 15637 [14] => Included files: 54 )
Could not connect to IMAP server (I have disabled the IMAP proxy still). Boils down to the hash function, which is really beyond me. Where does Cypht look for the hash function? Paths are a bit different in FreeBSD, as everything extra on top of the standard system is in /usr/local, not /usr.
Strange - but encouraging!
Chris
@jasonmunro commented on GitHub (Aug 22, 2016):
I think I see the problem! :)
Looks like you have imap_auth_tls set to true in your ini file. This should only be set to true if you are connecting to a tls enabled socket (like on port 993). For STARTTLS, it should be disabled. We connect on a non-tls enabled socket, then negotiate the tls connection using the starttls command.
The hash warning is still a mystery to me, but since the warning is being thrown on line 40, that tells me you don't have the workaround I pushed yesterday. If you update to the latest that warning should go away.
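The STARTTLS-versus-implicit-TLS distinction Jason describes, as an added example that is not Cypht's code: a Python sketch that maps the imap_auth_tls flag to a tcp:// or tls:// socket, flags the contradictory flag/port combination behind the "Could not connect" line in the debug log, and walks the client side of a STARTTLS login against a scripted stand-in for Dovecot. The greeting is copied from the log above; the scripted server, tag names and credentials are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Set

# Port conventions from RFC 3501 / RFC 8314 (not Cypht's own constants).
IMPLICIT_TLS_PORT = 993   # TLS from the first byte: imap_auth_tls=true
PLAINTEXT_PORT = 143      # plain socket, TLS negotiated in-band: imap_auth_tls=false

# Dovecot greeting as quoted in the debug output above (constructed copy).
GREETING = ("* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS "
            "ID ENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot ready.")

_BRACKETED = re.compile(r"\[\s*CAPABILITY ([^\]]*)\]")


@dataclass
class Plan:
    url: str                        # socket to open, in the tcp:// / tls:// form the log uses
    starttls: bool                  # TLS still has to be negotiated in-band after connecting
    warning: Optional[str] = None   # set when the flag and the port contradict each other


def plan_connection(host: str, port: int, imap_auth_tls: bool) -> Plan:
    """Decide how the IMAP connection obtains TLS from the imap_auth_tls flag."""
    if imap_auth_tls:
        plan = Plan(f"tls://{host}", starttls=False)
        if port == PLAINTEXT_PORT:
            plan.warning = ("imap_auth_tls is set but port 143 speaks plaintext first; "
                            "the TLS handshake fails (the 'Could not connect' case above)")
        return plan
    plan = Plan(f"tcp://{host}", starttls=True)
    if port == IMPLICIT_TLS_PORT:
        plan.warning = "port 993 expects TLS from the first byte; set imap_auth_tls"
    return plan


def parse_capabilities(text: str) -> Set[str]:
    """Capabilities from a greeting response code or an untagged CAPABILITY line."""
    m = _BRACKETED.search(text)
    if m:
        return set(m.group(1).split())
    for line in text.splitlines():
        if line.startswith("* CAPABILITY "):
            return set(line[len("* CAPABILITY "):].split())
    return set()


def may_send_login(caps: Set[str], tls_active: bool) -> bool:
    """Release credentials only over an encrypted channel that permits LOGIN."""
    return tls_active and "LOGINDISABLED" not in caps


class ScriptedDovecot:
    """Constructed stand-in for the server side; send() returns the server reply."""

    def __init__(self, tls_socket: bool = False):
        self.tls = tls_socket          # True models an implicit-TLS (port 993) socket
        self.greeting = GREETING
        self.log = []                  # commands received, for inspection

    def send(self, cmd: str) -> str:
        self.log.append(cmd)
        tag, _, rest = cmd.partition(" ")
        verb = rest.split()[0]
        if verb == "STARTTLS":
            self.tls = True
            return f"{tag} OK Begin TLS negotiation now."
        if verb == "CAPABILITY":
            caps = "IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN"
            if not self.tls:
                caps += " STARTTLS"     # only advertised while the channel is still plain
            return f"* CAPABILITY {caps}\r\n{tag} OK Capability completed."
        if verb == "LOGIN":
            if not self.tls:
                return f"{tag} NO Plaintext authentication disallowed."
            return f"{tag} OK Logged in"
        return f"{tag} BAD Unknown command"


def imap_login(plan: Plan, server: ScriptedDovecot, user: str, password: str) -> bool:
    """Client side of the login: negotiate STARTTLS first when the plan requires it."""
    caps = parse_capabilities(server.greeting)
    tls_active = plan.url.startswith("tls://")
    if plan.starttls:
        if "STARTTLS" not in caps:
            return False                              # never fall back to plaintext
        if not server.send("A1 STARTTLS").startswith("A1 OK"):
            return False
        tls_active = True                             # real code: SSLContext.wrap_socket here
        # Capabilities seen before TLS are untrusted (RFC 3501 6.2.1): ask again.
        caps = parse_capabilities(server.send("A2 CAPABILITY"))
    if not may_send_login(caps, tls_active):
        return False
    return server.send(f"A3 LOGIN {user} {password}").startswith("A3 OK")
```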
@chlarsen commented on GitHub (Aug 22, 2016):
You are right - I have to make a note that this is actually imap_auth_ssl or so :-)
Aug 22 18:06:48 www_php php-fpm[16521]: PHP Warning: ini_set():
session.configuration 'session.hash_function' must be existing hash
function. sha256 does not exist. in
/home/www_php/mmc.lan/cypht/lib/ini_set.php on line 40
Aug 22 18:06:48 www_php php-fpm[16521]: string: Debug Array ( [0] =>
Connecting to tcp://mail.jail.vlan on port 143 [1] => Successfully
opened port to the IMAP server [2] => Logged in successfully as
molly.simple [LOGIN] => 0.12349700927734 ) Response Array ( [0]
=> Array ( [0] => * OK [ CAPABILITY IMAP4rev1 LITERAL+
SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN ] Dovecot
ready. [1] => A1 OK [ CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES
THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE
UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE
QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY
MOVE SEARCH=FUZZY SPECIAL-USE ] Logged in ) )
Aug 22 18:06:48 www_php php-fpm[16521]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => Using sapi: fpm-fcgi [3] => Request type:
HTTP [4] => Request path: /cypht/ [5] => TLS request: 0 [6]
=> Mobile request: 0 [7] => Page ID: home [8] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/auth.php.debug at line 215 [9] =>
Missing configuration setting for %s [10] => SQLSTATE[08006] [7]
fe_sendauth: no password supplied [11] => Default SMTP server
added [12] => Redirecting to /cypht/ [13] => PHP version
5.6.24 [14] => Zend version 2.6.0 [15] => Peak Memory: 3584
[16] => PID: 16521 [17] => Included files: 53 )
The above is what we got. It says that I am logged in, but I am still bounced.
Confusing...
C.
@jasonmunro commented on GitHub (Aug 22, 2016):
Well we are getting closer! I will update the comments in the ini file on the tls option, it is confusing.
There is another error in the output now, specifically a problem connecting to the database. The error is not formatted correctly (it still has the string placeholder %s in it, fixing that now), but it means that one of the required DB configuration settings in the ini file is not setup. To use the db, all of the following settings need to be set:
db_host
db_name
db_user
db_pass
db_driver
After a successful login, we do an HTTP redirect. After that we need to be able to restart the session in PHP which keeps you logged in. This appears to be where we are failing now, which could be related to the session hash warning. The work around I committed yesterday (github.com/jasonmunro/cypht@406e11a9db) may fix the session issue. If you could make sure you apply that or update to the latest code, we may be in business!
@chlarsen commented on GitHub (Aug 22, 2016):
Dear Jason,
Kill me for the typo in the pgsql settings - stupid me. As a consolation, it only improved the log, not yet the outcome :-)
Here is what we got:
Aug 22 18:24:09 www_php php-fpm[16950]: PHP Warning: ini_set():
session.configuration 'session.hash_function' must be existing hash
function. sha256 does not exist. in
/home/www_php/mmc.lan/cypht/lib/ini_set.php on line 40
Aug 22 18:24:09 www_php php-fpm[16950]: string: Debug Array ( [0] =>
Connecting to tcp://mail.jail.vlan on port 143 [1] => Successfully
opened port to the IMAP server [2] => Logged in successfully as
molly.simple [LOGIN] => 0.12035489082336 ) Response Array ( [0]
=> Array ( [0] => * OK [ CAPABILITY IMAP4rev1 LITERAL+
SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN ] Dovecot
ready. [1] => A1 OK [ CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES
THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE
UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE
QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY
MOVE SEARCH=FUZZY SPECIAL-USE ] Logged in ) )
Aug 22 18:24:09 www_php php-fpm[16950]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => Using sapi: fpm-fcgi [3] => Request type:
HTTP [4] => Request path: /cypht/ [5] => TLS request: 0 [6]
=> Mobile request: 0 [7] => Page ID: home [8] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/auth.php.debug at line 215 [9] =>
Connecting to dsn: pgsql:host=pgsql.jail.vlan;dbname=cypht [10] =>
Default SMTP server added [11] => Redirecting to /cypht/ [12] =>
PHP version 5.6.24 [13] => Zend version 2.6.0 [14] => Peak Memory:
3584 [15] => PID: 16950 [16] => Included files: 53 )
I am sitting behind an Nginx reverse proxy, which has been doing well
with other PHP applications. Is there anything special we need in terms
of settings? Let me try to log in from within the reverse proxy jail...
Cheers and hugely appreciated!
Chris
On 22/08/16 18:18, Jason Munro wrote:
Dr Christoph H. Larsen
synaLinQ
296/33 Lương Định Của, Ngọc Hội 2, Vĩnh Ngọc
Nha Trang, Khánh Hòa, Việt Nam
Mobile: +84-98-9607357 (Vietnam)
+254-776-588224, +254-701-279511 (Kenya)
+256-778-121305 (Uganda)
+49-176-96456254 (Germany)
Fax: +49-231-292734790
E-mail: christoph.larsen@synalinq.com
Skype: christoph.larsen
@chlarsen commented on GitHub (Aug 22, 2016):
Darn, I need JS to do so, and do not have any GUI inside the reverse
proxy jail, so this won't work for testing.
C.
On 22/08/16 18:18, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
Sorry this is taking so long to figure out, I appreciate your patience! We need to address this:
Since the problem now appears to be session related, let's eliminate this warning. Just comment out that line of code in lib/ini_set.php and see if it makes a difference. If not, we need to dig deeper into the php configuration for sessions to make sure everything is functional.
@chlarsen commented on GitHub (Aug 22, 2016):
Don't say sorry - I should be sorry to take so much of your time! I
truly appreciate all your efforts!
I have commented out that famous hash line - the error has disappeared,
but I still get bounced.
Aug 22 18:36:15 www_php php-fpm[17384]: string: Debug Array ( [0]
=> Connecting to tcp://mail.jail.vlan on port 143 [1] => Successfully
opened port to the IMAP server [2] => Logged in successfully as
molly.simple [LOGIN] => 0.12334990501404 ) Response Array ( [0]
=> Array ( [0] => * OK [ CAPABILITY IMAP4rev1 LITERAL+
SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN ] Dovecot
ready. [1] => A1 OK [ CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES
THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE
UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE
QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY
MOVE SEARCH=FUZZY SPECIAL-USE ] Logged in ) )
Aug 22 18:36:15 www_php php-fpm[17384]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => Using sapi: fpm-fcgi [3] => Request type:
HTTP [4] => Request path: /cypht/ [5] => TLS request: 0 [6]
=> Mobile request: 0 [7] => Page ID: home [8] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/auth.php.debug at line 215 [9] =>
Connecting to dsn: pgsql:host=pgsql.jail.vlan;dbname=cypht [10] =>
Default SMTP server added [11] => Redirecting to /cypht/ [12] =>
PHP version 5.6.24 [13] => Zend version 2.6.0 [14] => Peak Memory:
3584 [15] => PID: 17384 [16] => Included files: 53 )
:-(
On 22/08/16 18:34, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
Next lets confirm sessions in PHP work. Create a file called test.php with the following code:
Then load it in your browser. Everytime you refresh the page, the counter value should go up. If that works, we know basic PHP sessions work.
@chlarsen commented on GitHub (Aug 22, 2016):
Works like a charm :-)
On 22/08/16 18:43, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
great! Now I need to see the request debug information that is logged after you are bounced. So when you login you get the IMAP debug stuff and the standard debug stuff. That then redirects your browser back to /cypht/ and should log another set of data (without the imap debug stuff since that only happens when you login). There may be a clue in that set (I suspect it will be something like "fingerprint check failed".
@chlarsen commented on GitHub (Aug 22, 2016):
Hmmmm.. now you lost me, because I do not get anything else. I checked the nginx FastCGI logs, nothing untoward there:
From: 192.168.0.104 | Time: 22/Aug/2016:19:00:47 +0300 | Cache status: -
| Cache control: - | Cache expires: - | Request: POST /cypht/index.php
HTTP/1.0 | Status: 303 | Body sent: 351b | Requested: 738b | Total sent:
687b | Referrer: https://www.mmc.lan/cypht/index.php | User agent:
Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0 |
Request time: 1.732ms | Compression: -
From: 192.168.0.104 | Time: 22/Aug/2016:19:00:47 +0300 | Cache status:
HIT | Cache control: - | Cache expires: - | Request: GET
/cypht/index.php HTTP/1.0 | Status: 200 | Body sent: 2194b | Requested:
552b | Total sent: 2324b | Referrer: https://www.mmc.lan/cypht/index.php
| User agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
Firefox/45.0 | Request time: 0.000ms | Compression: -
But I am sure this is not what you need. In the syslog, there isn't
anything else apart from what I already sent you...
Am missing sth, am sure.
C.
On 22/08/16 18:53, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
hmmm...
This is the login POST form. It returns a 303 redirect (which it should). The redirect takes you to /cypht/, which is an HTTP GET request as shown in the next log entry. When this request is served, it logs all the debug info you have been sending me.
This request should also log debug info, but it sounds like you are saying it isn't. If not, then nginx is returning the cached version of the login page (it does say Cache status: HIT). That is a problem. Can you disable that caching and see if it changes anything?
@chlarsen commented on GitHub (Aug 22, 2016):
I have disabled proxy caching in the Nginx reverse proxy as well as the
Nginx FastCGI server. Still get this, only:
Aug 22 19:13:28 www_php php-fpm[18190]: string: Debug Array ( [0]
=> Connecting to tcp://mail.jail.vlan on port 143 [1] => Successfully
opened port to the IMAP server [2] => Logged in successfully as
molly.simple [LOGIN] => 0.1212100982666 ) Response Array ( [0]
=> Array ( [0] => * OK [ CAPABILITY IMAP4rev1 LITERAL+
SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN ] Dovecot
ready. [1] => A1 OK [ CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES
THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE
UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE
QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY
MOVE SEARCH=FUZZY SPECIAL-USE ] Logged in ) )
Aug 22 19:13:28 www_php php-fpm[18190]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => Using sapi: fpm-fcgi [3] => Request type:
HTTP [4] => Request path: /cypht/index.php/ [5] => TLS request:
0 [6] => Mobile request: 0 [7] => Page ID: home [8] => ELOG
called in /home/www_php/mmc.lan/cypht/lib/auth.php.debug at line 215
[9] => Connecting to dsn: pgsql:host=pgsql.jail.vlan;dbname=cypht
[10] => Default SMTP server added [11] => Redirecting to
/cypht/index.php [12] => PHP version 5.6.24 [13] => Zend version
2.6.0 [14] => Peak Memory: 3584 [15] => PID: 18190 [16] =>
Included files: 53 )
Aug 22 19:13:28 www_php php-fpm[18563]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => Using sapi: fpm-fcgi [3] => Request type:
HTTP [4] => Request path: /cypht/index.php/ [5] => TLS request:
0 [6] => Mobile request: 0 [7] => Page ID: home [8] =>
TRANSLATION NOT FOUND :MMC Webmail: [9] => TRANSLATION NOT FOUND
:You Need to have Javascript enabled to use MMC Webmail, sorry about
that!: [10] => PHP version 5.6.24 [11] => Zend version 2.6.0
[12] => Peak Memory: 4096 [13] => PID: 18563 [14] => Included
files: 54 )
Chris
On 22/08/16 19:09, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
That output is different (which is good!). It now includes the redirected GET request debug info below:
Unfortunately it does not provide a clue about why you are not staying logged in. Cypht uses cookies to maintain your logged in state, so lets take a look at those. https://gist.github.com/jasonmunro/ed4f8d73431e9ed7bf45b067ac1ccddd will output request cookies to the PHP log. If you could add that, try to login again, and send me the output maybe it will provide a clue.
@chlarsen commented on GitHub (Aug 22, 2016):
Here you go, Jason:
Aug 22 19:45:22 www_php php-fpm[19666]: Array ( [PHPSESSID] =>
53jb6eg3o5r8s8nv5q1p4d6a44 )
Aug 22 19:45:22 www_php php-fpm[19666]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/index.php/ [6] => TLS request: 0 [7] => Mobile
request: 0 [8] => Page ID: home [9] => TRANSLATION NOT FOUND
:MMC Webmail: [10] => TRANSLATION NOT FOUND :You Need to have Javascript
enabled to use MMC Webmail, sorry about that!: [11] => PHP version
5.6.24 [12] => Zend version 2.6.0 [13] => Peak Memory: 4352
[14] => PID: 19666 [15] => Included files: 54 )
Aug 22 19:45:33 www_php php-fpm[19666]: Array ( [PHPSESSID] =>
53jb6eg3o5r8s8nv5q1p4d6a44 )
Aug 22 19:45:33 www_php php-fpm[19666]: string: Debug Array ( [0] =>
Connecting to tcp://mail.jail.vlan on port 143 [1] => Successfully
opened port to the IMAP server [2] => Logged in successfully as
molly.simple [LOGIN] => 0.23401093482971 ) Response Array ( [0]
=> Array ( [0] => * OK Waiting for authentication process to
respond.. [1] => * OK [ CAPABILITY IMAP4rev1 LITERAL+
SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN ] Dovecot
ready. [2] => A1 OK [ CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES
THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE
UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE
QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY
MOVE SEARCH=FUZZY SPECIAL-USE ] Logged in ) )
Aug 22 19:45:33 www_php php-fpm[19666]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/index.php/ [6] => TLS request: 0 [7] => Mobile
request: 0 [8] => Page ID: home [9] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/auth.php.debug at line 215 [10] =>
Connecting to dsn: pgsql:host=pgsql.jail.vlan;dbname=cypht [11] =>
Default SMTP server added [12] => Redirecting to
/cypht/index.php [13] => PHP version 5.6.24 [14] => Zend version
2.6.0 [15] => Peak Memory: 3584 [16] => PID: 19666 [17] =>
Included files: 53 )
Aug 22 19:45:33 www_php php-fpm[19666]: Array ( [PHPSESSID] =>
53jb6eg3o5r8s8nv5q1p4d6a44 )
Aug 22 19:45:33 www_php php-fpm[19666]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/index.php/ [6] => TLS request: 0 [7] => Mobile
request: 0 [8] => Page ID: home [9] => TRANSLATION NOT FOUND
:MMC Webmail: [10] => TRANSLATION NOT FOUND :You Need to have Javascript
enabled to use MMC Webmail, sorry about that!: [11] => PHP version
5.6.24 [12] => Zend version 2.6.0 [13] => Peak Memory: 4096
[14] => PID: 19666 [15] => Included files: 54 )
On 22/08/16 19:40, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
Definitely a problem here. There should be 2 cookies, and they are missing. One is called "CYPHTID" and the other is called hm_id. Neither of them is showing up in the request, so Cypht can't tell you are logged in. Here is another debug to try :) https://gist.github.com/jasonmunro/2cb624a7a2cdff5ba0759884f8defabf This will output the values used to set the hm_id cookie. Maybe it has the wrong domain and that's why it's not showing up. Let's see what it outputs when you try to login. Thanks again for working with me on this! We are getting very close!
@jasonmunro commented on GitHub (Aug 22, 2016):
I suspect it has something to do with either a domain mismatch, or the nginx proxy messing with the cookies
@chlarsen commented on GitHub (Aug 22, 2016):
Does this help?
Aug 22 20:04:30 www_php php-fpm[20475]: Array ( [PHPSESSID] =>
53jb6eg3o5r8s8nv5q1p4d6a44 )
Aug 22 20:04:30 www_php php-fpm[20475]: string: Debug Array ( [0] =>
Connecting to tcp://mail.jail.vlan on port 143 [1] => Successfully
opened port to the IMAP server [2] => Logged in successfully as
molly.simple [LOGIN] => 0.11056089401245 ) Response Array ( [0]
=> Array ( [0] => * OK [ CAPABILITY IMAP4rev1 LITERAL+
SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN ] Dovecot
ready. [1] => A1 OK [ CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES
THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE
UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE
QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY
MOVE SEARCH=FUZZY SPECIAL-USE ] Logged in ) )
Aug 22 20:04:30 www_php php-fpm[20475]: string: name: hm_id value:
8iQBYcrVjzlIvuUFewGkquDdksTU8fOK8CW8hBUzbD5yzylmzTvttt/ws1DiP92hlwHpRd3vf3PvgZdvu+WC6FYFG9oX5Y+RKL87MQDbya644blzBfJMVFu+Hzf2N+FY/gutqD9WbaG849ER0bF0CPtrKJuuxgic73HvrMv+UCE=
lifetime: 0 path: /cypht/index.php/ domain: cypht.mmc.lan secure:
html_only: 1
Aug 22 20:04:30 www_php php-fpm[20475]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/index.php/ [6] => TLS request: 0 [7] => Mobile
request: 0 [8] => Page ID: home [9] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/auth.php.debug at line 215 [10] => ELOG
called in /home/www_php/mmc.lan/cypht/lib/framework.php.debug at line 41
[11] => Connecting to dsn: pgsql:host=pgsql.jail.vlan;dbname=cypht
[12] => Default SMTP server added [13] => Redirecting to
/cypht/index.php [14] => PHP version 5.6.24 [15] => Zend version
2.6.0 [16] => Peak Memory: 3840 [17] => PID: 20475 [18] =>
Included files: 53 )
Aug 22 20:04:30 www_php php-fpm[20475]: Array ( [PHPSESSID] =>
53jb6eg3o5r8s8nv5q1p4d6a44 )
Aug 22 20:04:30 www_php php-fpm[20475]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/index.php/ [6] => TLS request: 0 [7] => Mobile
request: 0 [8] => Page ID: home [9] => TRANSLATION NOT FOUND
:MMC Webmail: [10] => TRANSLATION NOT FOUND :You Need to have Javascript
enabled to use MMC Webmail, sorry about that!: [11] => PHP version
5.6.24 [12] => Zend version 2.6.0 [13] => Peak Memory: 4096
[14] => PID: 20475 [15] => Included files: 54 )
Thanks a million!
On 22/08/16 20:02, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
is cypht.mmc.lan the domain you are using to access Cypht?
@jasonmunro commented on GitHub (Aug 22, 2016):
also this looks like a problem: path: /cypht/index.php/ The path there should just be /cypht/
@chlarsen commented on GitHub (Aug 22, 2016):
The whole thing runs on a local domain, because we do not have internet access.
The default domain is mmc.lan. The proxy gets a request from a user-friendly webmail.mmc.lan address and redirects to www.mmc.lan/cypht.
The nginx FastCGI runs the show on the cypht.mmc.lan vhost; each vhost has a different name, because each (PHP, PY, RAILS) application runs on a different port and php-fpm instance for security reasons.
This has worked flawlessly for a decade, but maybe I have bent da rules? :-)
Chris
On 22/08/16 20:06, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
I think it's the path, looks like a bug.
If I go to my test setup with localhost/cypht/index.php, I fail to login exactly like your situation.
If I go to localhost/cypht/ without the index.php bit, it works.
@chlarsen commented on GitHub (Aug 22, 2016):
I think it is the FastCGI stuff that adds index.php by default, isn't it?
On 22/08/16 20:11, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
Let's see if this helps:
github.com/jasonmunro/cypht@5ff0f77dd3
This fixes the issue for me and allows me to login with the index.php part of the URL present.
@chlarsen commented on GitHub (Aug 22, 2016):
Not quite yet, but I am not redirected to .../index.php any more:
Aug 22 20:16:59 www_php php-fpm[20962]: Array ( )
Aug 22 20:16:59 www_php php-fpm[20962]: string: Debug Array ( [0] =>
Connecting to tcp://mail.jail.vlan on port 143 [1] => Successfully
opened port to the IMAP server [2] => Logged in successfully as
molly.simple [LOGIN] => 0.11910891532898 ) Response Array ( [0]
=> Array ( [0] => * OK [ CAPABILITY IMAP4rev1 LITERAL+
SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS AUTH=PLAIN ] Dovecot
ready. [1] => A1 OK [ CAPABILITY IMAP4rev1 LITERAL+ SASL-IR
LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES
THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE
UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE
QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY
MOVE SEARCH=FUZZY SPECIAL-USE ] Logged in ) )
Aug 22 20:16:59 www_php php-fpm[20962]: string: name: hm_id value:
sJZZ6mgIQCx0fN0ui48yYbZ08SSvcfu4XQ+53XeYSABl27LwWRBNeHc87rwtj2dzF1jiUEEdBdF3PYNjMAJRYOkQHs52wQ9T0654WLRbEnxSMeZ+41PFjdFIrVD76txDthFu/AT11RVIBBoQf1D50s/m3GLTuAS6rpDQnbBiJkk=
lifetime: 0 path: /cypht/ domain: cypht.mmc.lan secure: html_only: 1
Aug 22 20:16:59 www_php php-fpm[20962]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0
[8] => Page ID: home [9] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/auth.php.debug at line 215 [10] => ELOG
called in /home/www_php/mmc.lan/cypht/lib/framework.php.debug at line 41
[11] => Connecting to dsn: pgsql:host=pgsql.jail.vlan;dbname=cypht
[12] => Default SMTP server added [13] => Redirecting to /cypht/
[14] => PHP version 5.6.24 [15] => Zend version 2.6.0 [16] => Peak
Memory: 3584 [17] => PID: 20962 [18] => Included files: 53 )
Aug 22 20:16:59 www_php php-fpm[20972]: Array ( )
Aug 22 20:16:59 www_php php-fpm[20972]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0
[8] => Page ID: home [9] => TRANSLATION NOT FOUND :MMC Webmail:
[10] => TRANSLATION NOT FOUND :You Need to have Javascript enabled to
use MMC Webmail, sorry about that!: [11] => PHP version 5.6.24
[12] => Zend version 2.6.0 [13] => Peak Memory: 4096 [14] =>
PID: 20972 [15] => Included files: 54 )
On 22/08/16 20:14, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
This could be the source of some of our issues. The above debug still does not show the cookies. I wonder if they are being set with the www.mmc.lan domain and not available to the browser since it's accessing them via the webmail.mmc.lan domain. Let's try another test: Create a test.php file with the following:
On first load in the browser it should output an empty array. After that it should show the 'hm_id' and 'asdf' cookie name and value.
@jasonmunro commented on GitHub (Aug 22, 2016):
now that I look a bit closer, the hm_id cookie is being set with this domain: cypht.mmc.lan, so I think we are onto something here
@chlarsen commented on GitHub (Aug 22, 2016):
First load: nada.
Second load: Array ( [hm_id] => asdf )
On 22/08/16 20:22, Jason Munro wrote:
@chlarsen commented on GitHub (Aug 22, 2016):
I see - but do keep in mind that the redirection from webmail.mmc.lan to www.mmc.lan/cypht is the first thing the reverse proxy does, long before Cypht kicks in. In fact, the redirection is:
http://webmail.mmc.lan -> https://www.mmc.lan/cypht (all inside the reverse proxy in a different jail)
From there: to FastCGI in the PHP jail, where different PHP-FPM instances (pools) run as different subdomains: kanban.mmc.lan, limesurvey.mmc.lan, cypht.mmc.lan, etc.
Chris
On 22/08/16 20:24, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
So just to clarify, users go to the webmail subdomain, then are redirected in their browser to: www.mmc.lan/cypht. I can see that the cookies are not being set with that domain (the code uses the "SERVER_NAME" associated with the request, which in this case is cypht.mmc.lan). After login when the page reloads, it can't find the cookies because of the domain mismatch, and you get logged out.
Let's try to force the domain to be correct and see if that changes anything.
https://gist.github.com/jasonmunro/0ee2c7f1d75571162edbaef2ca75d3e5
https://gist.github.com/jasonmunro/506dd1ab7111a549bdd38b9aa76ff457
That should force the domain used for cookies to www.mmc.lan which will hopefully help!
@jasonmunro commented on GitHub (Aug 22, 2016):
If this works (fingers crossed!) the next step is to configure nginx to rewrite the domain portion of the cookie from cypht.mmc.lan to www.mmc.lan with this directive:
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cookie_domain
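The two diagnoses above (the Path attribute ending in index.php/, and the Domain attribute taken from the backend's SERVER_NAME while the browser talks to www.mmc.lan) can both be checked mechanically. The following is an added example, not Cypht or nginx code: it implements the RFC 6265 domain-match and path-match rules, applies them to the Domain and Path values printed by the hm_id debug lines in this thread, and simulates what a `proxy_cookie_domain cypht.mmc.lan www.mmc.lan;` rewrite would do to the Set-Cookie header (the rewrite function is our simulation of the directive, not nginx itself).

```python
"""Cookie scoping check for the proxy setup described in this thread.

Added example, not Cypht or nginx code. It implements the RFC 6265 domain-match
(section 5.1.3) and path-match (section 5.1.4) rules, applies them to the Domain
and Path values printed by the hm_id debug lines above, and simulates the
Set-Cookie Domain rewrite that nginx's proxy_cookie_domain performs (the
simulation is ours; the real directive lives in nginx).
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class CookieScope:
    name: str
    domain: str    # Domain attribute chosen by the backend (from SERVER_NAME)
    path: str      # Path attribute chosen by the backend
    secure: bool   # Secure flag; the debug lines above print it empty, i.e. off


def domain_match(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the cookie domain or is a subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: identical paths, or the cookie path is a prefix that ends in
    '/' or is followed by '/' in the request path."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def diagnose(cookie: CookieScope, scheme: str, host: str, path: str) -> List[str]:
    """Reasons a browser would not attach this cookie to scheme://host/path.
    An empty list means the cookie would be sent."""
    reasons = []
    if not domain_match(host, cookie.domain):
        reasons.append(f"domain {cookie.domain!r} does not cover host {host!r}")
    if not path_match(path, cookie.path):
        reasons.append(f"path {cookie.path!r} does not cover request path {path!r}")
    if cookie.secure and scheme != "https":
        reasons.append("Secure cookie would be withheld from a non-https request")
    return reasons


def rewrite_cookie_domain(cookie: CookieScope, old: str, new: str) -> CookieScope:
    """Simulation of 'proxy_cookie_domain old new': rewrite the Domain attribute
    of a Set-Cookie header when it equals `old`. Not nginx's own code."""
    if cookie.domain.lower() == old.lower():
        return CookieScope(cookie.name, new, cookie.path, cookie.secure)
    return cookie


# Attribute values copied from the hm_id debug lines in this thread.
HM_ID_BEFORE_PATH_FIX = CookieScope("hm_id", "cypht.mmc.lan", "/cypht/index.php/", False)
HM_ID_AFTER_PATH_FIX = CookieScope("hm_id", "cypht.mmc.lan", "/cypht/", False)
BROWSER_HOST = "www.mmc.lan"    # host the browser actually talks to (the proxy)
REQUEST_PATH = "/cypht/"        # where the post-login redirect lands


if __name__ == "__main__":
    for c in (HM_ID_BEFORE_PATH_FIX, HM_ID_AFTER_PATH_FIX):
        print(c.path, diagnose(c, "https", BROWSER_HOST, REQUEST_PATH))
    rewritten = rewrite_cookie_domain(HM_ID_AFTER_PATH_FIX, "cypht.mmc.lan", BROWSER_HOST)
    print(rewritten.domain, diagnose(rewritten, "https", BROWSER_HOST, REQUEST_PATH))
```

Two practitioner notes on what the check shows. A browser that receives `Domain=cypht.mmc.lan` from a response it fetched from www.mmc.lan does not merely withhold the cookie later; it discards it at storage time (RFC 6265 section 5.3), which is consistent with the request logs above showing no hm_id at all rather than a stale one. And because TLS terminates at the reverse proxy, the backend sees "TLS request: 0" and any Secure flag derived from the backend's own connection stays off even though users reach the site over https; forwarding the original scheme (X-Forwarded-Proto) and honouring it on the backend is the usual way to keep a session cookie marked Secure in this topology.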
@chlarsen commented on GitHub (Aug 22, 2016):
This seems to be a protracted forceps delivery!
Aug 22 20:51:30 www_php php-fpm[4954]: Array ( )
Aug 22 20:51:30 www_php php-fpm[4954]: string: Debug Array ( [0] =>
Connecting to tcp://mail.jail.vlan on port 143 [1] => Successfully
opened port to the IMAP server [2] => Log in for molly.simple
FAILED [LOGIN] => 0.11388897895813 ) Response Array ( [0] =>
Array ( [0] => * OK [ CAPABILITY IMAP4rev1 LITERAL+
SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED ] Dovecot
ready. [1] => * BAD [ ALERT ] Plaintext authentication not allowed
without SSL/TLS, but your client did it anyway. If anyone was listening,
the password was exposed. [2] => A1 NO [ PRIVACYREQUIRED ]
Plaintext authentication disallowed on non-secure ( SSL/TLS )
connections. ) )
Aug 22 20:51:30 www_php php-fpm[4954]: string: name: hm_msgs value:
WyJFUlJJbnZhbGlkIHVzZXJuYW1lIG9yIHBhc3N3b3JkIl0= lifetime: 0 path:
/cypht/ domain: cypht.mmc.lan secure: html_only: 1
Aug 22 20:51:30 www_php php-fpm[4954]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0
[8] => Page ID: home [9] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/auth.php.debug at line 215 [10] => ELOG
called in /home/www_php/mmc.lan/cypht/lib/framework.php.debug at line 41
[11] => Redirecting to /cypht/ [12] => PHP version 5.6.24 [13]
=> Zend version 2.6.0 [14] => Peak Memory: 3328 [15] => PID:
4954 [16] => Included files: 53 )
Aug 22 20:51:30 www_php php-fpm[4954]: Array ( [hm_msgs] =>
WyJFUlJJbnZhbGlkIHVzZXJuYW1lIG9yIHBhc3N3b3JkIl0= )
Aug 22 20:51:30 www_php php-fpm[4954]: string: name: hm_msgs value:
lifetime: 0 path: /cypht/ domain: cypht.mmc.lan secure: html_only: 1
Aug 22 20:51:30 www_php php-fpm[4954]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0
[8] => Page ID: home [9] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/framework.php.debug at line 41 [10] =>
TRANSLATION NOT FOUND :MMC Webmail: [11] => TRANSLATION NOT FOUND
:You Need to have Javascript enabled to use MMC Webmail, sorry about
that!: [12] => PHP version 5.6.24 [13] => Zend version 2.6.0
[14] => Peak Memory: 4096 [15] => PID: 4954 [16] => Included
files: 54 )
No joy yet...
On 22/08/16 20:34, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
Well this is weird:
Looks like we did not STARTTLS there all of a sudden! We won't know if the cookie changes work if we are not authenticating to the IMAP server. I'm at a loss as to how that happened or what changed to make it happen.
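The Dovecot lines in the log above are the server-side symptom of a client sending LOGIN on a connection where the greeting advertised LOGINDISABLED. The following is an added example, not Cypht's IMAP code, showing the client-side gate that prevents this: it parses the CAPABILITY response code from the greetings quoted in this thread (reconstructed here as constructed input), applies the RFC 3501 section 6.2.3 rule that a client must not issue LOGIN while LOGINDISABLED is advertised, and maps the server's `NO [PRIVACYREQUIRED]` to a message that distinguishes a TLS policy refusal from bad credentials (the hm_msgs cookie value in the log above base64-decodes to the generic "Invalid username or password", which hides that distinction). Function names and the policy flag are ours.

```python
"""Client-side gate for plaintext IMAP LOGIN, driven by the server greeting.

Added example, not Cypht's IMAP code. The greetings below are reconstructed
from the Dovecot responses quoted in this thread. RFC 3501 section 6.2.3 says a
client MUST NOT issue LOGIN while the server advertises LOGINDISABLED; Dovecot
enforces that with 'NO [PRIVACYREQUIRED]' and warns that the password was
already exposed, so the decision has to be made before credentials are sent.
"""
import re
from typing import FrozenSet, List

_CAPABILITY_RE = re.compile(r"\[\s*CAPABILITY\s+([^\]]+?)\s*\]", re.IGNORECASE)
_PRIVACY_RE = re.compile(r"\bNO\s+\[\s*PRIVACYREQUIRED\s*\]", re.IGNORECASE)

# Constructed input: the two greetings seen in this thread, one line per response.
GREETING_PLAINTEXT_ALLOWED = [
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "STARTTLS AUTH=PLAIN] Dovecot ready.",
]
GREETING_LOGIN_DISABLED = [
    "* OK Waiting for authentication process to respond..",
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE "
    "STARTTLS LOGINDISABLED] Dovecot ready.",
]


def parse_capabilities(greeting: List[str]) -> FrozenSet[str]:
    """Capability tokens from the first '* OK' line carrying a CAPABILITY response
    code; informational '* OK' lines without one are skipped. Tokens are
    upper-cased because IMAP capability names are case-insensitive."""
    for line in greeting:
        m = _CAPABILITY_RE.search(line)
        if line.startswith("* OK") and m:
            return frozenset(tok.upper() for tok in m.group(1).split())
    return frozenset()


def next_step(caps: FrozenSet[str], tls_active: bool) -> str:
    """What the client should do before sending credentials.

    'login'           TLS is already up; LOGIN/AUTHENTICATE may proceed.
    'starttls'        Upgrade first, then re-request CAPABILITY and decide again
                      (the post-TLS capability list differs from the greeting).
    'abort'           Plaintext auth is disabled and no TLS upgrade is offered.
    'login-plaintext' The server would accept it, but credentials would cross the
                      network in the clear; a require-TLS policy should refuse.
    """
    if tls_active:
        return "login"
    if "STARTTLS" in caps:
        return "starttls"
    if "LOGINDISABLED" in caps:
        return "abort"
    return "login-plaintext"


def plan_login(greeting: List[str], tls_active: bool = False,
               require_tls: bool = True) -> List[str]:
    """Sequence of client commands derived from the greeting and local policy.
    `require_tls` is our hypothetical policy switch, not a Cypht setting."""
    step = next_step(parse_capabilities(greeting), tls_active)
    if step == "starttls":
        return ["STARTTLS", "CAPABILITY", "LOGIN"]
    if step == "login":
        return ["LOGIN"]
    if step == "login-plaintext" and not require_tls:
        return ["LOGIN"]
    return ["ABORT"]


def explain_login_failure(tagged_response: str) -> str:
    """Turn the server's tagged NO into a message that separates a TLS policy
    refusal from bad credentials, so the user (and the log) see the real cause."""
    if _PRIVACY_RE.search(tagged_response):
        return "server refused plaintext authentication; negotiate TLS before LOGIN"
    return "authentication failed"


if __name__ == "__main__":
    for name, greeting in (("allowed", GREETING_PLAINTEXT_ALLOWED),
                           ("disabled", GREETING_LOGIN_DISABLED)):
        print(name, sorted(parse_capabilities(greeting)), plan_login(greeting))
    print(explain_login_failure("A1 NO [ PRIVACYREQUIRED ] Plaintext authentication "
                                "disallowed on non-secure ( SSL/TLS ) connections."))
```

Both greetings on this page advertise STARTTLS, so the plan for either is to upgrade first; the difference is that the second one would additionally have rejected a plaintext LOGIN, which is what the `* BAD [ALERT]` line reports after the fact. Re-reading CAPABILITY after STARTTLS matters because servers typically drop LOGINDISABLED and add AUTH= mechanisms only on the encrypted connection.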
@chlarsen commented on GitHub (Aug 22, 2016):
I have added the proxy_cookie_domain to the reverse proxy (only there, because the FastCGI does not have any proxy module activated), and I get this, just for fun:
Aug 22 21:01:22 www_php php-fpm[5761]: Array ( )
Aug 22 21:01:22 www_php php-fpm[5761]: string: Debug Array ( [0] =>
Connecting to tcp://mail.jail.vlan on port 143 [1] => Successfully
opened port to the IMAP server [2] => Log in for molly.simple
FAILED [LOGIN] => 0.11048316955566 ) Response Array ( [0] =>
Array ( [0] => * OK [ CAPABILITY IMAP4rev1 LITERAL+
SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED ] Dovecot
ready. [1] => * BAD [ ALERT ] Plaintext authentication not
allowed without SSL/TLS, but your client did it anyway. If anyone was
listening, the password was exposed. [2] => A1 NO [
PRIVACYREQUIRED ] Plaintext authentication disallowed on non-secure (
SSL/TLS ) connections. ) )
Aug 22 21:01:22 www_php php-fpm[5761]: string: name: hm_msgs value:
WyJFUlJJbnZhbGlkIHVzZXJuYW1lIG9yIHBhc3N3b3JkIl0= lifetime: 0 path:
/cypht/ domain: cypht.mmc.lan secure: html_only: 1
Aug 22 21:01:22 www_php php-fpm[5761]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0
[8] => Page ID: home [9] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/auth.php.debug at line 215 [10] =>
ELOG called in /home/www_php/mmc.lan/cypht/lib/framework.php.debug at
line 41 [11] => Redirecting to /cypht/ [12] => PHP version
5.6.24 [13] => Zend version 2.6.0 [14] => Peak Memory: 3840
[15] => PID: 5761 [16] => Included files: 53 )
Aug 22 21:01:22 www_php php-fpm[5761]: Array ( [hm_msgs] =>
WyJFUlJJbnZhbGlkIHVzZXJuYW1lIG9yIHBhc3N3b3JkIl0= )
Aug 22 21:01:22 www_php php-fpm[5761]: string: name: hm_msgs value:
lifetime: 0 path: /cypht/ domain: cypht.mmc.lan secure: html_only: 1
Aug 22 21:01:22 www_php php-fpm[5761]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0
[8] => Page ID: home [9] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/framework.php.debug at line 41 [10]
=> TRANSLATION NOT FOUND :MMC Webmail: [11] => TRANSLATION NOT FOUND
:You Need to have Javascript enabled to use MMC Webmail, sorry about
that!: [12] => PHP version 5.6.24 [13] => Zend version 2.6.0
[14] => Peak Memory: 4096 [15] => PID: 5761 [16] => Included
files: 54 )
Let me reverse those hardcoded domains...
On 22/08/16 20:57, Jason Munro wrote:
Dr Christoph H. Larsen
synaLinQ
296/33 Lương Định Của, Ngọc Hội 2, Vĩnh Ngọc
Nha Trang, Khánh Hòa, Việt Nam
Mobile: +84-98-9607357 (Vietnam)
+254-776-588224, +254-701-279511 (Kenya)
+256-778-121305 (Uganda)
+49-176-96456254 (Germany)
Fax: +49-231-292734790
E-mail: christoph.larsen@synalinq.com
Skype: christoph.larsen
@chlarsen commented on GitHub (Aug 22, 2016):
Same plaintext message...
Aug 22 21:02:57 www_php php-fpm[5795]: Array ( )
Aug 22 21:02:57 www_php php-fpm[5795]: string: Debug Array ( [0] =>
Connecting to tcp://mail.jail.vlan on port 143 [1] => Successfully
opened port to the IMAP server [2] => Log in for molly.simple
FAILED [LOGIN] => 0.11704897880554 ) Response Array ( [0] =>
Array ( [0] => * OK Waiting for authentication
process to respond.. [1] => * OK [ CAPABILITY IMAP4rev1
LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED ]
Dovecot ready. [2] => * BAD [ ALERT ] Plaintext
authentication not allowed without SSL/TLS, but your client did it
anyway. If anyone was listening, the password was exposed.
[3] => A1 NO [ PRIVACYREQUIRED ] Plaintext authentication disallowed on
non-secure ( SSL/TLS ) connections. ) )
Aug 22 21:02:57 www_php php-fpm[5795]: string: name: hm_msgs value:
WyJFUlJJbnZhbGlkIHVzZXJuYW1lIG9yIHBhc3N3b3JkIl0= lifetime: 0 path:
/cypht/ domain: cypht.mmc.lan secure: html_only: 1
Aug 22 21:02:57 www_php php-fpm[5795]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0
[8] => Page ID: home [9] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/auth.php.debug at line 215 [10] => ELOG
called in /home/www_php/mmc.lan/cypht/lib/framework.php.debug at line 41
[11] => Redirecting to /cypht/ [12] => PHP version 5.6.24 [13]
=> Zend version 2.6.0 [14] => Peak Memory: 3840 [15] => PID:
5795 [16] => Included files: 53 )
Aug 22 21:02:57 www_php php-fpm[5823]: Array ( )
Aug 22 21:02:57 www_php php-fpm[5823]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0
[8] => Page ID: home [9] => TRANSLATION NOT FOUND :MMC Webmail:
[10] => TRANSLATION NOT FOUND :You Need to have Javascript enabled to
use MMC Webmail, sorry about that!: [11] => PHP version 5.6.24
[12] => Zend version 2.6.0 [13] => Peak Memory: 4096 [14] =>
PID: 5823 [15] => Included files: 54 )
On 22/08/16 20:57, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
I see that you disabled plaintext login while we have been doing this, and for some reason Cypht is not doing the starttls command. I'm staring right at the code and can't explain it.
@chlarsen commented on GitHub (Aug 22, 2016):
I have reversed our cookie monster changes, yet we are still in
plaintext... huh?
Aug 22 21:08:52 www_php php-fpm[6478]: Array ( )
Aug 22 21:08:52 www_php php-fpm[6478]: string: Debug Array ( [0] =>
Connecting to tcp://mail.jail.vlan on port 143 [1] => Successfully
opened port to the IMAP server [2] => Log in for molly.simple
FAILED [LOGIN] => 0.11887001991272 ) Response Array ( [0] =>
Array ( [0] => * OK [ CAPABILITY IMAP4rev1 LITERAL+
SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED ] Dovecot
ready. [1] => * BAD [ ALERT ] Plaintext authentication not allowed
without SSL/TLS, but your client did it anyway. If anyone was listening,
the password was exposed. [2] => A1 NO [ PRIVACYREQUIRED ]
Plaintext authentication disallowed on non-secure ( SSL/TLS )
connections. ) )
Aug 22 21:08:52 www_php php-fpm[6478]: string: name: hm_msgs value:
WyJFUlJJbnZhbGlkIHVzZXJuYW1lIG9yIHBhc3N3b3JkIl0= lifetime: 0 path:
/cypht/ domain: cypht.mmc.lan secure: html_only: 1
Aug 22 21:08:52 www_php php-fpm[6478]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0
[8] => Page ID: home [9] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/auth.php.debug at line 215 [10] => ELOG
called in /home/www_php/mmc.lan/cypht/lib/framework.php.debug at line 41
[11] => Redirecting to /cypht/ [12] => PHP version 5.6.24 [13]
=> Zend version 2.6.0 [14] => Peak Memory: 3840 [15] => PID:
6478 [16] => Included files: 53 )
Aug 22 21:08:52 www_php php-fpm[6478]: Array ( )
Aug 22 21:08:52 www_php php-fpm[6478]: Array ( [0] => Using
Hm_PHP_Session with Hm_Auth_IMAP [1] => Using DB user
configuration [2] => ELOG called in
/home/www_php/mmc.lan/cypht/lib/request.php.debug at line 73 [3] =>
Using sapi: fpm-fcgi [4] => Request type: HTTP [5] => Request
path: /cypht/ [6] => TLS request: 0 [7] => Mobile request: 0
[8] => Page ID: home [9] => TRANSLATION NOT FOUND :MMC Webmail:
[10] => TRANSLATION NOT FOUND :You Need to have Javascript enabled to
use MMC Webmail, sorry about that!: [11] => PHP version 5.6.24
[12] => Zend version 2.6.0 [13] => Peak Memory: 4096 [14] =>
PID: 6478 [15] => Included files: 54 )
I have cleared Nginx caches, restarted PHP-FPM, even restarted my
memcached jail for PHP sessions...
C.
On 22/08/16 21:05, Jason Munro wrote:
@chlarsen commented on GitHub (Aug 22, 2016):
Give it a break, Jason - sometimes it is the only way to see some minor
error that keeps messing us around.
:-)
On 22/08/16 21:05, Jason Munro wrote:
@chlarsen commented on GitHub (Aug 22, 2016):
We will get there - I am extremely grateful for your time, assistance
and kindness!
C.
On 22/08/16 21:05, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
Happy to help! Found the problem with STARTTLS, it's a single line fix. For some reason I had IMAP capability parsing disabled during IMAP authentication. We need that to determine if the server supports STARTTLS. Fix is here:
github.com/jasonmunro/cypht@d114ba8c97
So I don't think we tried both the cookie fix and a successful authentication. Let me know when you can give it a try and let's hope it gets us over the goal line! :)
@chlarsen commented on GitHub (Aug 22, 2016):
Yahooooooooooo (no - wrong, it's copyrighted :-) - That's why we use
Cypht!). It worked.
I hardcoded the domain in sessions_php.php and framework.php and fixes
the STARTTLS capability parsing.
No, the hardcoded domain should go into Nginx's settings...
C.
On 22/08/16 21:24, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
SWEET!
Yep, we need to remove the hard coded domains :) The nginx config changes should have the same effect. My postmortem:
I really appreciate you sticking it out during all this! Adding some more debugging by default for what we learned here will definitely help the next person, and we fixed 2 bugs in the process :)
@jasonmunro commented on GitHub (Aug 22, 2016):
https://github.com/jasonmunro/cypht/issues/110
@chlarsen commented on GitHub (Aug 22, 2016):
Dear Jason,
Thank YOU for this! I had to rush off to see a couple of patients,
sorry. As for the cookie path, let me see whether I can move away from
hardcoding to Nginx's magic.
Don't forget that we also fixed the index.php path itself, not only the
cookie (in request.php).
C.
On 22/08/16 21:39, Jason Munro wrote:
@chlarsen commented on GitHub (Aug 22, 2016):
Tested without hard-coding and set proxy_cookie domain "cypht.mmc.lan
www.mmc.lan;", trying both the FastCGI PHP jail as well as the reverse
proxy, but no fun.
Time to get some sleep for now, but we are getting there... from
hardcoding to smart coding :-)
Big thanks again, Chris
On 22/08/16 21:43, Jason Munro wrote:
@chlarsen commented on GitHub (Aug 22, 2016):
Dear Jason,
More food for thought: SMTP with StartTLS on port 25 won't work (tested
with hardcoded domains):
@4000000057bb5de11413176c tcpserver: status: 1/100
@4000000057bb5de114147ecc tcpserver: pid 9514 from 127.0.1.106
@4000000057bb5de114154dd4 tcpserver: ok 9514 mmc.lan:127.0.1.107:25
:127.0.1.106::32868
@4000000057bb5de114342074 qmail-smtpd 9514: connection from 127.0.1.106
(unknown) to mmc.lan
@4000000057bb5de11434245c qmail-smtpd 9514: enabled options: max msg
size: 20480000 starttls relayclient smtp-auth-tls-required
@4000000057bb5de11434f364 qmail-smtpd 9514: unrecognized command:
@4000000057bb5de1143558f4 qmail-smtpd 9514: unrecognized command:
@4000000057bb5de1143558f4 qmail-smtpd 9514: unrecognized command:
@4000000057bb5de114355cdc qmail-smtpd 9514: unrecognized command:
@4000000057bb5de11436f704 qmail-smtpd 9514: read error or connection closed
@4000000057bb5de11438d394 tcpserver: end 9514 status 256
@4000000057bb5de11438d77c tcpserver: status: 0/100
Greetings from Qmail-LDAP above. This stuff works from Thunderbird, etc.
Some food for thought for later... Good night from here!
Chris
On 22/08/16 21:43, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 22, 2016):
@chlarsen, since this thread is getting a bit long (and OT), I created a new issue for digging into SMTP STARTTLS problems:
https://github.com/jasonmunro/cypht/issues/111
@chlarsen commented on GitHub (Aug 23, 2016):
Thanks a lot, Jason.
I fixed, in the meantime, the Nginx domain in the PHP FastCGI side from
cypht.mmc.lan to www.mmc.lan. Alas, this does not seem to make any
difference. I will pull a fresh install later today to include the
current state of fixes,
More then, stay well,
Chris
On 22/08/16 23:46, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 24, 2016):
@chlarsen I just added a new config option to the ini file that lets you set the cookie domain to use. This will override the default behavior if present, and might be useful for your setup!
Hope you are doing well
@chlarsen commented on GitHub (Aug 24, 2016):
Dear Jason,
Thanks a lot, indeed. I am sorry for my silence, have not yet made it to
install the updated version, but will do so tomorrow, if at all possible!
All the best from Mwea -
Chris
On 24/08/16 20:26, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 24, 2016):
No rush! I'm not going anywhere ;)
@chlarsen commented on GitHub (Aug 26, 2016):
Dear Jason,
Just managed to clear out the installation, but kept the amended
(debugged) config file. Now I get:
Aug 26 20:34:53 www_php php-fpm[3812]: [NOTICE] configuration file
/usr/local/etc/php-fpm.conf test is successful
Aug 26 20:34:53 www_php php-fpm[3814]: [NOTICE] fpm is running, pid 3814
Aug 26 20:34:53 www_php php-fpm[3814]: [NOTICE] ready to handle connections
Aug 26 20:34:58 www_php php-fpm[3815]: PHP Warning: ini_set():
session.configuration 'session.hash_function' must be existing hash
function. sha256 does not exist. in
/home/www_php/mmc.lan/cypht/lib/ini_set.php on line 40
Aug 26 20:34:58 www_php php-fpm[3815]: PHP Warning: Invalid argument
supplied for foreach() in
/home/www_php/mmc.lan/cypht/lib/modules_exec.php on line 245
Aug 26 20:35:02 www_php php-fpm[3815]: PHP Warning: ini_set():
session.configuration 'session.hash_function' must be existing hash
function. sha256 does not exist. in
/home/www_php/mmc.lan/cypht/lib/ini_set.php on line 40
Aug 26 20:35:02 www_php php-fpm[3815]: PHP Warning: Invalid argument
supplied for foreach() in
/home/www_php/mmc.lan/cypht/lib/modules_exec.php on line 245
The hash is still with us. I have corrected the Nginx domain name from
my end in order to avoid cookie probs. (I did not see any updated
hm3.ini file in my pull from GitHub - have I missed anything?)
Have a great day, and good night from here! Thanks a lot!
Chris
On 24/08/16 21:16, Jason Munro wrote:
@jasonmunro commented on GitHub (Aug 26, 2016):
The hm3.ini file is not in git, only the hm3.sample.ini file (that way updates don't overwrite your local settings). The cookie name change option is in there, but sounds like you don't need that anymore anyway :)
You need to be using the latest code for the hash fix. I can tell you are not because your error is coming from line 40 of the ini_set.php file. That used to be where the error occurred, but I changed that file and line 40 is doing a conditional check on the PHP version now:
https://github.com/jasonmunro/cypht/blob/master/lib/ini_set.php#L40
So, for some reason your copy of Cypht (or of the lib/ini_set.php file) is not up to date.
Hope that helps!
@chlarsen commented on GitHub (Sep 2, 2016):
Dear Jason,
I have finally - found an hour to re-install everything. Everything
worked flawlessly - makes me wonder! This time, it is sitting straight
on the server in Kenya, so it is real implementation time!
I had to remove the TLS settings of the IMAP as well as the SMTP server -
maybe you want to add a similar remark to the SMTP TLS settings as you
did with the IMAP setting? Or rename TLS to SSL?
Just for clarification - both my SMTP (Qmail-LDAP) as well as my IMAP
(Dovecot) server do STARTTLS - does the web client honour these
settings, even if I do not explicitly activate TLS on the web client AND
run things on absolutely ordinary ports (24 and 143, respectively?).
I have ImapProxy running, too, on the PHP jail, and am impressed by the
speed, intelligent design and smooth workflows (especially compared to
the clunky competition).
I hugely appreciate your terrific work and have not forgotten those
visual feedbacks from here :-)!
As one thing leads to the next - how difficult would it be to convert
the Gmail address facility to a generic CardDAV (and with the calendar,
possibly CalDAV) version? With LDAP and DAV, we would have covered all
corporate and private needs, from mobile devices to stationary systems.
Just a thought, and yes, I feel bad about asking...
But this stuff is just great!
Thanks again, more feedback soonest! Have a lovely weekend!
Chris
On 26/08/16 20:54, Jason Munro wrote:
@jasonmunro commented on GitHub (Sep 2, 2016):
Hello!
So glad to hear things are working! I will update the SMTP section to match the IMAP section with regards to STARTTLS vs TLS.
Cypht will always use STARTTLS when it is available on a connection and we did not connect to a TLS enabled port to begin with. No explicit configuration is required since we examine the available capabilities of the server and always issue STARTTLS when present.
As for cardDav, I need to do more research to understand the impact, but since adding LDAP support we now have a much more modular contacts system which will make it a lot easier to add additional sources. I will look into it (and calDav)!
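The STARTTLS rule in the comment above, written out as an added example (my own code, not Cypht's): parse the CAPABILITY response code from the server greeting and decide what may be sent next. The greeting string is reconstructed from the Dovecot debug output pasted earlier in this thread; the function names are assumptions.

```python
"""How a client decides between plaintext LOGIN and STARTTLS.

Added example (not Cypht's code): the decision rule described above,
applied to the Dovecot greeting that appeared in the debug output earlier
in this thread. The greeting text is reconstructed from that output; the
function names are my own.
"""
import re

# Untagged greeting from the thread's debug dump (port 143, no TLS yet).
DOVECOT_GREETING = (
    "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE "
    "IDLE STARTTLS LOGINDISABLED] Dovecot ready."
)

# Tolerates the spaced form "[ CAPABILITY ... ]" seen in the pasted arrays.
_CAP_RE = re.compile(r"\[\s*CAPABILITY\s+([^\]]*)\]", re.IGNORECASE)


def parse_capabilities(response: str) -> set:
    """Capability tokens advertised in an untagged OK greeting (upper-cased).

    Returns an empty set when the greeting carries no CAPABILITY response
    code; a client then has to ask with an explicit CAPABILITY command.
    """
    m = _CAP_RE.search(response)
    return {tok.upper() for tok in m.group(1).split()} if m else set()


def plan_auth(response: str, already_tls: bool) -> str:
    """Next step before any credential leaves the client.

    'login'      the socket is already TLS, or the server accepts plaintext
                 LOGIN and offers no upgrade
    'starttls'   upgrade first, then re-read capabilities and authenticate
                 (capabilities seen before STARTTLS must not be trusted)
    'capability' no capability list yet; query it before deciding
    'abort'      LOGINDISABLED with no STARTTLS: sending LOGIN would expose
                 the password for nothing, the server rejects it anyway
    """
    caps = parse_capabilities(response)
    if already_tls:
        return "login"
    if not caps:
        return "capability"
    if "STARTTLS" in caps:
        return "starttls"
    if "LOGINDISABLED" in caps:
        return "abort"
    return "login"


if __name__ == "__main__":
    print(sorted(parse_capabilities(DOVECOT_GREETING)))
    print(plan_auth(DOVECOT_GREETING, already_tls=False))
```

If capability parsing is skipped, `caps` is always empty; a client that then falls straight through to LOGIN reproduces the plaintext attempt and the `PRIVACYREQUIRED` rejection seen in the logs above, which is what the capability-parsing fix in this thread addressed.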
@chlarsen commented on GitHub (Sep 2, 2016):
Terrific, Jason, and thanks a million for all your help.
I will keep you posted!
It's late here, so good night from this part of the world -
Chris
On 02/09/16 22:15, Jason Munro wrote:
@chlarsen commented on GitHub (Sep 3, 2016):
One small issue, Jason, sorry:
I have set up Cypht according to my needs and till now actually not yet
spent much time on the LDAP addressbook. However, when I tackled this
today, I noted that, well, nothing happens. I have created the following
ldap.ini:
---------------------------------------------%<---------------------------------------
; Constants used for LDAP communication
;
; SECURITY ALERT ! MAKE SURE THAT THIS FILE IS NOT ACCESSIBLE BY THE BROWSER !
; Create one section for each LDAP backend you want to support. The section name
; will be used in the UI for the name of this addressbook
[Personal]
;[Corporate]
; LDAP Server hostname or IP address
;server="localhost"
server="ldap.jail.vlan"
; Flag to enable or disable TLS connections
;enable_tls=true
enable_tls=
; Port to connect to
port="389"
; Base DN
;base_dn="dc=example,dc=com"
base_dn="ou=People,o=[organisation]"
; Search filter
;search_term="objectclass=inetOrgPerson"
search_term="objectclass=inetOrgPerson"
; Flag to enable user binding. Anonymous binding is used when set to false
;auth=false
auth=true
; Global username and password to bind with if auth is set to true. If left
; blank, users will have a setting on the Settings -> Site page for this
; connection to enter their own
;user=""
user="cn=LDAPReader,ou=Roles,o=[organisation]"
;pass=""
pass="[LDAPREADER password]"
; Object classes for the addressbook entries
objectclass[]="top"
objectclass[]="person"
objectclass[]="organizationalperson"
objectclass[]="inetorgperson"
; Flag to allow editing of the addressbook contents
;read_write=true
read_write=false
---------------------------------------------%<---------------------------------------
I assume that there should be something coming up in the log of the
ldap jail, but nothing happens. If I use ldapsearch manually, things
work alright.
And, yes, I have activated the LDAP address module as follows:
---------------------------------------------%<---------------------------------------
; Core
; ----
; Handles page layout, login/logout, and the default settings pages. This set
; is required.
modules[]=core
; Contacts
; -------
; Contact support. This module requires that at least one "backend" contacts
; module be enabled (ldap_contacts, gmail_contacts, or local_contacts). You
; can enable all the backends you want to support.
modules[]=contacts
; Local contact support. Simple, locally stored contacts backend
;modules[]=local_contacts
; LDAP contact support. Use an LDAP server to store contacts. The ldap.ini
; file must be configured for your setup
;modules[]=ldap_contacts
modules[]=ldap_contacts
---------------------------------------------%<---------------------------------------
I am sure I am missing sth completely stupid.
Another question: Would it make sense to refresh the display of the
e-mail box (commonly the INBOX) as mails come in, like in an auto-refresh?
Thank you so much for your help and ideas!
Have a great weekend,
Chris
On 02/09/16 22:15, Jason Munro wrote:
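A check worth running on an ldap.ini like the one posted above, as an added example (my own code, not part of Cypht, and unrelated to why nothing shows up in the ldap jail's log). It reads the file with the same boolean semantics as PHP's `parse_ini_file()`, where `true`/`on`/`yes` become `"1"` and `false`/`off`/`no` or an empty value become `""`, so `enable_tls=` means TLS is off, and then reports what a reviewer would flag: a simple bind with `auth=true` over a non-TLS connection sends the bind DN and password in clear text, the same class of exposure the IMAP `PRIVACYREQUIRED` alert earlier in this thread warned about. The sample ini text is constructed from the posted file with the secrets replaced by placeholders; the findings are my own checks, not something Cypht performs.

```python
"""Sanity-checking a Cypht-style ldap.ini before enabling ldap_contacts.

Added example, not Cypht code. Reads an ini file shaped like the one
posted in this thread and lists settings a reviewer would flag.
"""
import configparser

# Constructed from the posted ldap.ini; secrets replaced by placeholders.
SAMPLE_LDAP_INI = """\
; Create one section for each LDAP backend you want to support.
[Personal]
; LDAP Server hostname or IP address
server="ldap.jail.vlan"
; Flag to enable or disable TLS connections
enable_tls=
; Port to connect to
port="389"
base_dn="ou=People,o=[organisation]"
search_term="objectclass=inetOrgPerson"
; Flag to enable user binding. Anonymous binding is used when set to false
auth=true
user="cn=LDAPReader,ou=Roles,o=[organisation]"
pass="[LDAPREADER password]"
objectclass[]="top"
objectclass[]="inetorgperson"
read_write=false
"""

# Strings PHP's ini parser turns into "1"; everything else ("false", "off",
# "no", "") is falsy. Matching is case-insensitive.
PHP_TRUE = {"1", "true", "on", "yes"}


def unquote(raw: str) -> str:
    """Strip the surrounding double quotes PHP ini values commonly carry."""
    return raw.strip().strip('"')


def php_bool(raw: str) -> bool:
    """Interpret an ini value the way PHP's parse_ini_file() does."""
    return unquote(raw).lower() in PHP_TRUE


def load_ldap_ini(text: str) -> dict:
    """Parse ini text into {section: {key: value}}.

    strict=False lets the repeated array keys (objectclass[]) through;
    the last value wins, which is fine because the checks below do not
    use them. interpolation=None keeps '%' characters literal.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return {s: {k: unquote(v) for k, v in cp[s].items()} for s in cp.sections()}


def review_ldap_ini(text: str) -> list:
    """Return human-readable findings for every backend section."""
    findings = []
    for name, s in load_ldap_ini(text).items():
        tls = php_bool(s.get("enable_tls", ""))
        auth = php_bool(s.get("auth", ""))
        port = s.get("port", "389")
        if auth and not tls:
            # Simple bind carries the password in the clear without TLS.
            # (This check cannot tell whether the port is an LDAPS listener;
            # confirm that separately if enable_tls is deliberately off.)
            findings.append(
                f"[{name}] auth=true with enable_tls off on port {port}: "
                "the bind DN and password travel in clear text"
            )
        if auth and s.get("pass", ""):
            findings.append(
                f"[{name}] a shared bind password is stored in ldap.ini: keep "
                "the file outside the web root and readable only by the PHP user"
            )
        if auth and s.get("user", "") and php_bool(s.get("read_write", "")):
            findings.append(
                f"[{name}] read_write=true with a shared bind account: every "
                "user edits the directory under the same identity"
            )
    return findings


if __name__ == "__main__":
    for line in review_ldap_ini(SAMPLE_LDAP_INI):
        print(line)
```

The last check does not fire on the posted file (`read_write=false`), but it is the caveat to keep in mind for the read-and-write corporate address book discussed at the top of this issue: with a single shared bind DN the directory's own ACLs cannot tell users apart.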
@chlarsen commented on GitHub (Sep 3, 2016):
Dear Jason,
One more observation:
I have configured OpenLDAP in such a way that I log in with the uid, not
the LDAP mail field, because I am forced to use LDAP also to log in
system users (where e-mails are not permitted as usernames).
The login mechanism for Cypht is IMAP.
So, if I log into Cypht as user "christoph.larsen" (using the first part
of my e-mail address), and if I fire off a mail to myself, yes, it gets
there.
However, if I want to reply to my own test mail, the sender is not
"christoph.larsen@synalinq.com", but only "christoph.larsen". Unless I
manually correct this, the next mail gets stuck.
Is there anything I should change in my mail settings (Dovecot, I
presume, not Qmail), or would it be smarter to tell Cypht to provide the
whole sender's address?
Thanks a lot for your advice,
Chris
On 03/09/16 14:47, Christoph H. Larsen wrote:
@jasonmunro commented on GitHub (Sep 3, 2016):
Chris,
Check out the profiles module set. It puts a "profiles" link in the Settings section of the folder list. From here you can set the "reply to" E-mail address. I think this will resolve this issue. We may need to build something to automatically fix this for users, but lets see if this resolves the issue first :)
Thanks for the feedback!
@chlarsen commented on GitHub (Sep 4, 2016):
Dear Jason,
I have modified the profile and added a reply-to address.
This is what it shows afterwards on a mail sent to myself:
Date Sun, 04 Sep 2016 09:13:28 +0300
From christoph.larsen
To christoph.larsen@mmc.lan
Tags Seen
If I respond to my own mail, I get:
To: [empty]
Re: test
Message body:
On Sun, 04 Sep 2016 09:13:28 +0300, somebody said
As you can see, the sender's identity has fallen off the plate.
Any thoughts? Big thanks!!!
Chris
@jasonmunro commented on GitHub (Sep 6, 2016):
@chlarsen Weird. I would have thought adding the reply to address would fix this. Can you do me a favor to help me troubleshoot the issue? Send a message to yourself, view it in Cypht, then click on the "all headers" link below the headers, then paste that in here? thanks!
@chlarsen commented on GitHub (Sep 7, 2016):
Dear Jason,
Sorry it took so long - I was completely swamped.
The reason, I think, is that the login name is actually a
Posix-compliant username (as in givenname.surname) instead of the usual
givenname.surname@my.domain.io. To set the uid in OpenLDAP this way (via
dovecot) is required, because those uids are also used for real logins
into the hospital management workstations.
I usually work with virtual users, only, where I do, of course, use the
name and domain combo. I did configure Dovecot to understand this well,
and both Qmail-LDAP and dovecot seem to be content. But not Cypht.
Here are the headers:
Test to Self
Date Wed, 07 Sep 2016 15:28:50 +0000
From christoph.larsen
To christoph.larsen@mmc.lan
Tags Seen
Return-Path <christoph.larsen>
Delivered-To christoph.larsen@mmc.lan
Received from unknown (HELO www_php.jail.vlan) (christoph.larsen@[127.0.1.106]) (envelope-sender <christoph.larsen>) by mmc.lan (qmail-ldap-1.03) with AES128-SHA encrypted SMTP for christoph.larsen@mmc.lan; 7 Sep 2016 18:28:50 +0300
MIME-Version 1.0
Reply-To christoph.larsen
Message-Id c3db35e71485fb65204b826fbddf6a72@www_php.jail.vlan
Content-Type text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding quoted-printable
If I click reply, I get the empty user symptom that I have sent you
earlier.
Post-debugging comment: After I fixed my Nginx settings, I had no more
issues with the cookies, and did not have to set cookie_domain, either.
Thanks for pointing this out!
Any ideas? Thanks a lot!
Chris
On 06/09/16 19:11, Jason Munro wrote:
@jasonmunro commented on GitHub (Sep 7, 2016):
Thanks for the update. Glad to hear the cookie_domain is fixed!
I see multiple issues in the headers (fields that should contain an address but don't). It also looks like you don't have the reply-to set in your profile (?). Remember, if you make any changes in Cypht you MUST explicitly save them before logging out or they will not be there when you login. I know this is a pain, but it's an important part of the security (and privacy) design.
My plan here is to update profiles to include an address field which we will use to populate the From: field, which should resolve this. We could also create an ini setting with a domain to append to usernames automatically. So for example, if all your users login with "firstname.lastname", you could define a domain to be automatically appended to the username for the users' E-mail address.
I will let you know when I have something to test!
@jasonmunro commented on GitHub (Sep 7, 2016):
@chlarsen part 1 of a fix is in the code. There is now a "default_email_domain" setting in the ini file that will be automatically appended to your outbound E-mail addresses if they are not valid addresses already. If you set this to "mmc.lan" I think this issue will go away. I have not added the address field to the profiles yet (which would override this default if desired) but I'm working on that next.
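The behaviour the comment above describes, as an added example (my own code, not the Cypht implementation of `default_email_domain`): a bare login name such as `christoph.larsen` gets the configured domain appended, while values that already carry a domain are left alone, and the same rule is applied to the address headers of an outbound message. The header sample is constructed from the header dump posted earlier in this thread; the function names are assumptions.

```python
"""Appending a default e-mail domain to bare usernames.

Added example (not Cypht's own code) of the behaviour described above:
a bare login name becomes a usable From: address by appending the
configured default domain; anything that is already an address is kept.
"""
import re
from email.utils import formataddr, parseaddr

DEFAULT_EMAIL_DOMAIN = "mmc.lan"  # the value suggested for this setup

# Address headers a client fills in itself (Return-Path is set by the MTA).
ADDRESS_HEADERS = ("From", "Reply-To", "Sender")

# Deliberately minimal: one '@', no whitespace or angle brackets on either
# side. Not an RFC 5322 validator; it only tells "has a domain" from "bare".
_ADDR_RE = re.compile(r"[^@\s<>]+@[^@\s<>]+")


def is_valid_address(addr: str) -> bool:
    return _ADDR_RE.fullmatch(addr) is not None


def apply_default_domain(value: str, default_domain: str = DEFAULT_EMAIL_DOMAIN) -> str:
    """Return `value` with a complete address.

    Accepts a bare username ("christoph.larsen"), a bare address, or the
    "Name <addr>" form. Only the address part is touched, and only when it
    has no domain. Raises ValueError when no address can be found or the
    result still does not look like an address.
    """
    name, addr = parseaddr(value)
    if not addr:
        raise ValueError(f"no address found in {value!r}")
    if "@" not in addr:
        addr = f"{addr}@{default_domain}"
    if not is_valid_address(addr):
        raise ValueError(f"cannot build a valid address from {value!r}")
    return formataddr((name, addr)) if name else addr


def fix_address_headers(headers: dict, default_domain: str = DEFAULT_EMAIL_DOMAIN) -> dict:
    """Apply the default domain to the client-controlled address headers."""
    fixed = dict(headers)
    for h in ADDRESS_HEADERS:
        if h in fixed:
            fixed[h] = apply_default_domain(fixed[h], default_domain)
    return fixed


# Constructed from the header dump in this thread (the message before the fix).
SAMPLE_HEADERS = {
    "From": "christoph.larsen",
    "To": "christoph.larsen@mmc.lan",
    "Reply-To": "christoph.larsen",
}


if __name__ == "__main__":
    for k, v in fix_address_headers(SAMPLE_HEADERS).items():
        print(f"{k}: {v}")
```

With the sample headers the From and Reply-To values become `christoph.larsen@mmc.lan`, which is the form a reply can address; the To header already had a domain and is unchanged.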
@jasonmunro commented on GitHub (Sep 7, 2016):
part 2 is now committed as well. Let me know how it goes for you!
@jasonmunro commented on GitHub (Sep 20, 2016):
@chlarsen,
This thread is getting WAY too long :) I'm closing it since the OP task is done. Please feel free to open another issue for anything related to this, or anything else you run into!
Thanks