ID: 33500
Updated by: [email protected]
Reported By: ed2019 at columbia dot edu
Status: Bogus
Bug Type: IMAP related
Operating System: ALL
PHP Version: 5.2.0
Assigned To: pajoye
New Comment:
There is no bug regarding this problem in php, like it or not.
It could be a feature request but I do not see either how to you can
force c-client to use a given authentication method. I suppose you know
right?
now, about your proposal:
1) why don't you try?
2) and 3) are the same and I don't see how it could be possible. No
other clients using c-client allow that either
Previous Comments:
------------------------------------------------------------------------
[2009-04-27 16:09:36] ed2019 at columbia dot edu
Hi again-
In response to the reference to Joe's comment on the red hat bug
list about how the c-client code stops retrying, my response is - so
what? Many other applications built on top of c-client manage to
authenticate via IMAP / PLAIN to these same servers. The key is that
c-client already includes a mechanism for connecting to a server with
multiple advertised methods - you can give it an argument and tell it
which one to use.
There are at least three ways to "fix" this bug:
1) Convince Mark Crispin (c-client's author) to modify c-client so that
it tries all the advertised authentication methods. I.e. proclaim that
it's not a PHP bug, that instead the library should be changed to work
with imap_open's flaws.
2) Add an argument/flag/option to imap_open so that the programmer can
specify the authentication method to try. I.e. Give the PHP developer
access to more of the working functionality of the underlying library.
3) Modify PHP's imap_open() so that it will try multiple authentication
methods.
I understand that deciding that #1 is the "right answer" carries
with it the additional benefit that no one needs to admit that this is a
PHP bug. However, it's a bit ridiculous considering all of the other
applications which depend on c-client and can handle authenticating to
these servers. Please review like-minded comments from at least 5 other
persons on this bug.
I whole-heartedly encourage the maintainer to re-designate this as
a real bug.
------------------------------------------------------------------------
[2009-04-27 15:54:06] ed2019 at columbia dot edu
Hi-
I was the original submitter of this bug four years ago, but I
felt I should write to clear up a little confusion which has popped up
from pajoye at php.net .
Mark Crispin's c-client (which is the library underlying PHP's
IMAP stuff) can authenticate to IMAP servers using various methods,
including but not limited to PLAIN and GSSAPI. You can specify when
calling the c-client library which authentication method to use. When
you're going to authenticate with kerberos/GSSAPI, you would provide a
certain set of client credentials. When you want to authenticate with
PLAIN, you provide a different set of credentials (namely, username and
password).
The problem with PHP's imap_open() is that it does not allow you
to specify which of these authentication methods to use, nor does it
guess correctly from the credentials you provide it. The setup, as I
encountered it, is/was:
1) Your code wants to authenticate to an IMAP server with a username &
password. These credentials are appropriate for PLAIN authentication.
2) You call imap_open() and pass it the username & password.
3) imap_open() (through c-client) contacts the server attempts to
authenticate via GSSAPI, which fails. imap_open() then gives up.
So, the bug in this case is that imap_open needs an argument of
some sort which tells it NOT to try using GSSAPI, and instead to try
using PLAIN authentication. Perhaps something like [authmethod ={PLAIN
|| GSSAPI || ...}] , which would then be passed through to the c-client
implementation.
Make no mistake about it, there is no way around this bug with
PHP's broken imap_open(). If you have an imap server which advertises
both authentication methods, there is no way to authenticate to that
server with the PLAIN method - even though the server is configured
correctly, and the underlying c-client IMAP library supports it.
imap_open() is not tickling the c-client library correctly to get the
proper result.
------------------------------------------------------------------------
[2009-04-27 15:17:18] [email protected]
Bug or feature in c-client. As Joe already explained in the RH bug
report, the first thing auth_gssapi_client does is to disable any
retry:
auth_gss.c:98 (2007e)
*trial = 65535; /* never retry */
Please get an explanation in the UW mailing list but there is nothing
PHP can do about that.
------------------------------------------------------------------------
[2009-04-27 15:03:49] [email protected]
The authentication method is compiled in cclient. Are you sure your
cclient package supports kerberos or GSS?
For windows, I'm verifying that it works with 5.3.0 (we use the latest
c-client for 5.3+).
------------------------------------------------------------------------
[2009-04-27 14:37:16] mathieu at koumbit dot org
Same bug, on version 5.2.0 (Debian/stable), when trying to connect to
Exchange.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/33500
--
Edit this bug report at http://bugs.php.net/?id=33500&edit=1
