PHP Errors

Issue #87 resolved

Former user created an issue 2013-04-29

Not sure if this is really affecting the operation of piler, but I thought I would bring it up since my apache error log is filling up with these errors:

PHP Warning: Division by zero in /var/www/piler../controller/health/worker.php on line 87, referer: http://piler../index.php?route=health/health PHP Warning: Division by zero in /var/www/piler../controller/health/worker.php on line 88, referer: http://piler../index.php?route=health/health PHP Warning: Division by zero in /var/www/piler../controller/health/worker.php on line 89, referer: http://piler../index.php?route=health/health PHP Warning: Division by zero in /var/www/piler../controller/health/worker.php on line 102, referer: http://piler../index.php?route=health/health

Everything else seems to be working fine, so far.

Comments (28)

Janos SUTO repo owner
which version do you use?
- 2013-04-30T07:33:55+00:00
Steve Miller
Currently running 0.1.23, however I believe the error I was receiving was due to not having any emails archived at that time.

Now that I am running the right way, I am now actually noticing an issue with the ENABLE_LDAP_IMPORT_FEATURE - when it is set to 1, I receive php errors like this:

PHP Notice: Undefined offset: 3 in /var/www/piler../controller/health/worker.php on line 58, referer: http://piler../index.php?route=health/health PHP Notice: Undefined offset: 2 in /var/www/piler../controller/health/worker.php on line 58, referer: http://piler../index.php?route=health/health PHP Notice: Undefined offset: 1 in /var/www/piler../controller/health/worker.php on line 58, referer: http://piler../index.php?route=health/health PHP Notice: Undefined offset: 1 in /var/www/piler../controller/health/worker.php on line 59, referer: http://piler../index.php?route=health/health

I am set up for LDAP auth from Active Directory, and I import users using ldap_sync.php on a daily basis, right before the cron job for the daily report fires. Authentication works fine, however I cannot login as Master Admin, even though I had used the admin@local account to set that role for the AD user I wish to use as Admin.
- 2013-04-30T13:26:07+00:00
Janos SUTO repo owner
In the meantime I added some failsafes to prevent division by zero. I'll commit them sonn.

The ENABLE_LDAP_IMPORT_FEATURE is a somewhat obsoleted feature by the 0.1.23 release. Nowadays I prefer to keep the accounts in AD (and not sync them) and let the gui authenticate against the AD, and only admin accounts can be in the local database.

Nevertheless you can snyc the accounts, and in this case you should redirect the lda_sync.php output to /var/piler/stat/adsync.stat. This is the file the health worker tries to parse. Please check whether this file exists.

Please show me your config-site.php (just hide any passwords) to fix the admin login issue. You may send it to my address (see piler -V) if you prefer.
- 2013-04-30T13:54:51+00:00
Janos SUTO repo owner
Regarding the ENABLE_LDAP_IMPORT_FEATURE warning messages. I've just realized that its result is not even displayed on the health page, so I've removed it the now unnecessary code block from controller/health/worker.php.
- 2013-04-30T13:58:23+00:00
Steve Miller
Sent config, thank you. I'm glad I am able to help clean up some code with you on the LDAP import. I checked to see if the adsync.stat file existed, and it did not. I touched the file as the piler user on my system, however subsequent runs of ldap_sync.php is directing the output to the command line and not echoing to adsync.stat.

EDIT: Disregard the comment about not echoing to adsync.stat, I forgot to add in >> /var/piler/stat/adsync.stat to the command.
- 2013-04-30T14:23:56+00:00
Janos SUTO repo owner
Hmm, your config looks fine. Do you notice anything in the php error log while failing to login as admin@local user? Did you change its default password?

Btw. I'd like you to try the gui from the latest master branch (perhaps on a different virtual host). We managed to make it work together with IE8 (and perhaps with IE7 too, but this is not confirmed yet).
- 2013-04-30T14:36:23+00:00
Steve Miller
There are no errors when logging in as an LDAP authenticated user, so long as ENABLE_LDAP_AUTH is set to 1. When logged in as such users, searching for emails that have been archived works great. I have changed the default password for admin@local, but I need to set ENABLE_LDAP_AUTH to 0 in order to use that account.

I will see if I can get the gui from the master branch onto a new vhost on the same machine and will update you on the results.
- 2013-04-30T14:46:26+00:00
Janos SUTO repo owner
Ehh, now I remember that this was fixed after releasing 0.1.23.

Please edit model/user/auth.php and replace the following (around the 71th line):

if(isset($query->row)) {

with this

if(isset($query->row['dn'])) {

and set ENABLE_LDAP_AUTH to 1.
- 2013-04-30T15:05:36+00:00
Steve Miller
Yeah, the webui from the master branch gives me the same result. Let me try and update the code per your instruction.
- 2013-04-30T15:16:33+00:00
Steve Miller
Negative, the result is the same. The AD synced user is set as Master Admin, but still logs in as a regular user.

As I can see, the auth does result in a complete login, however the ui still only allows me to log in as a regular user.

Apr 30 11:19:03 piler piler-webui[5791]: ldap auth against '*', dn: 'CN=Steve Miller,OU=,OU=,DC=,DC=**', result: 1
- 2013-04-30T15:24:40+00:00
Janos SUTO repo owner
Ahh, now I see. The drawback is that by authenticating from LDAP/AD the user is always a regular user. In this scenario admin and auditor users should be in the local database (user + email tables).

If you want to give an AD user admin or auditor rights, then you should continue using ldap_sync.php
- 2013-04-30T15:31:30+00:00

Steve Miller

Ok, am I correct to assume that ldap_sync.php and ENABLE_LDAP_AUTH are two separate systems?

Here is what I did:

Set ENABLE_LDAP_AUTH to 0
Delete user (me) that was set to Master admin
Run ldap_sync.php
Login as admin@local
Set synced AD user (me) to Master admin
Logout of admin@local
Login as AD user (me) using AD password - FAIL
Login as admin@local and set AD user password in administration > users
Login as AD user (me) using password that was set - PASS
Test Master admin functions using AD user, then log out
Set ENABLE_LDAP_AUTH to 1
Login as AD user (me) using password that was set - FAIL
Login as AD user using AD password - PASS - however, user is now logged in as Regular user

The reason that I need the passwords to sync as well (with ENABLE_LDAP_AUTH set to 0, as you said - this is the only way to have admin or auditor) is because we have a large legal department that needs to be set as Auditor, and they all seem to forget their passwords, especially when using their AD username.

2013-04-30T15:55:45+00:00

Steve Miller
Thought I would also let you know that we have a very large amount of user accounts in AD, most of them disabled. I changed model/user/import.php to ignore user accounts that are disabled, therefore reducing the amount of accounts retrieved.

model/user/import.php Line 35:
```
$filter="(&(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2))($mailAttr=*))";
```
I would like to set an option in either ldap_sync.php or ldap-import.cfg to use the original filter or this filter to have the sync ignore disabled users or not.

This is only tested to work in AD, not sure if this UserAccountControl is present in openldap.
- 2013-04-30T16:16:00+00:00
Janos SUTO repo owner
you are right. If you set ENABLE_LDAP_AUTH to 1, then the gui authenticates against directly to the ldap/ad server. The local database is only a fallback user db.

If you use ldap_sync.php, then your users will be in the local db, so no need to go to the AD server for authentication.

Btw. if all your users need auditor rights, then it may be easier to tweak the gui to give that right. If you have mixed users (ie. both regular and auditor) it's still possible to grant auditor rights to a set of users if we can somehow differentiate them based on a ldap attribute. Eg. if the auditors are in the same group (and only they are in that group).

It would be easier if we could keep them in AD only.
- 2013-04-30T19:21:54+00:00
Steve Miller
Alright, I understand now. What I will do moving forward is run ldap_sync.php without ENABLE_LDAP_AUTH and manually assign passwords for the users that need the Auditor privilege.

Everyone that needs the Auditor privilege is already in their own group, so I might be able to tweak out the gui to provide that privilege for those users. Or, I might even be able to create a separate security group for this ability. Now that I think of it, if we ENABLE_LDAP_AUTH, and are able to change the gui for Master admin and Auditor privileges based on the user's security groups, that would be perfect.

I would like to thank you for providing a great alternative to our existing archiving system. My CEO is extremely impressed with the ease of use and it's graphical simplicity, and the fact that I have been able to provide a system that performs as well as this. I will keep in touch and help out with this project as much as I can!
- 2013-04-30T21:43:33+00:00
Janos SUTO repo owner
OK, can we say that all your auditors are within a certain CN in the AD? If so then I'll add a variable to define it and model/user/auth.php will check for it, and grant auditor access.

However I bet you have not that may admins who need admin access to administer piler. So I recommend to keep your admins in the local database of piler. I'd say let's create admin1@local, jack@local, etc. as admin users.

What do you think?
- 2013-05-01T07:58:15+00:00
Steve Miller
Sorry for the delay in getting back to you. Janos. We had a major issue with our core switch in our datacenter that took me 15 hours to repair :( All is well now, though.

We do already have all the auditors in one security group in AD, and the only admin that needs access is myself. I would however like to allow the rest of our staff (about 750 people, all in AD) to search the archive for their own emails as well. So, using ENABLE_LDAP_AUTH works just fine for those users, and I can still use the local admin account in piler to do all the nice administration things. If adding in a variable to define those users in the security group that need auditor access can be done, with ENABLE_LDAP_AUTH on, everything would be perfect for us.
- 2013-05-02T12:59:57+00:00
Janos SUTO repo owner
I'm glad that the network is back again :-)

Please clarify what a "security group" means to you. Is it something like CN=AuditorUsers,DC=your,DC=company,DC=com?
- 2013-05-02T20:32:36+00:00
Steve Miller
"CN=AuditorUsers,DC=your,DC=company,DC=com" is a distinguished name, an attribute of an object in LDAP. So when I say "security group", I mean a group of users in an object, which yes, does have it's own common name.
- 2013-05-02T20:45:54+00:00
Janos SUTO repo owner
ok, I see (I hope), so to determine whether userA is an auditor or not, I shall query his memberOf attributes and check for a predefined value. If there's a match, then the gui will grant auditor right. Right?
- 2013-05-02T20:52:02+00:00
Steve Miller
Exactly :)
- 2013-05-02T20:53:01+00:00
Janos SUTO repo owner
ok, I'll add this feature soon, and let you know when it's committed.
- 2013-05-02T20:58:21+00:00
Janos SUTO repo owner
OK, it's committed. Please download the latest master branch (https://bitbucket.org/jsuto/piler/get/master.tar.gz), and try it. A few words about it at http://www.mailpiler.org/en/ldap-authentication.html

Let me know if it works for you.
- 2013-05-03T08:12:18+00:00

Steve Miller

Well, all the auditors have access now, however the regular users receive empty search results.

Here's the login result for a regular user (I removed the long parts of the domain information)

May  3 09:08:49 piler piler-webui[11265]: ldap query: base dn=' ... ', filter='(&(objectClass=user)(mail=smiller ... ))', attr='', 1 hits
May  3 09:08:49 piler piler-webui[11265]: ldap auth against 'DOMAINCONTROLLER', dn: 'CN=Steve Miller ...', result: 1
May  3 09:08:49 piler piler-webui[11265]: ldap query: base dn=' ... ', filter='(|(&(objectClass=user)(mail=smiller ... ))(&(objectClass=group)(mail=smiller ... ))(&(objectClass=group)(mail=CN=Steve Miller, ... )))', attr='', 1 hits

This is the query that's posted to syslog when a normal user (me) queries for their mail.

sphinx query: 'SELECT id FROM main1 WHERE       MATCH('@to sip:smillerX.Xcom| lookoutX.X.Xcom| postmasterX.Xcom| abuseX.Xcom| steveX.Xcom| smillerX.Xlocal| smillerX.Xcom') ORDER BY `sent` DESC LIMIT 0,1000 OPTION max_matches=1000' in 0.00 s, 0 hits

2013-05-03T13:13:59+00:00

Janos SUTO repo owner
Can you see anything if you execute the following query against sphinx?

$ mysql -h 127.0.0.1 -P 9306

mysql> SELECT id FROM main1 WHERE MATCH('@to lookoutX.X.Xcom| postmasterX.Xcom| abuseX.Xcom| steveX.Xcom| smillerX.Xlocal| smillerX.Xcom') ORDER BY sent DESC LIMIT 0,1000 OPTION max_matches=1000

Of course use the valid values for your domain.
- 2013-05-03T13:56:02+00:00
Janos SUTO repo owner
I think sip:smillerX.Xcom will be the problem. I've modified the latest master branch to discard such an address.

Please grab https://bitbucket.org/jsuto/piler/raw/697726205a63a7780e80d3748c95960b5db45b2e/webui/model/user/auth.php and replace model/user/auth.php and I'll think it will fix the issue.
- 2013-05-03T14:07:24+00:00
Steve Miller
Perfect, I can retrieve my mail as a regular user!

Adding in the auditor rights as a variable in the gui definitely helps out, I can now have the people in the right department audit emails to/from other users.
- 2013-05-03T14:15:43+00:00
Janos SUTO repo owner
- changed status to resolved
ok, then I set the issue status to resolved
- 2013-05-03T17:49:07+00:00
Log in to comment

Assignee: Janos SUTO

Type: bug

Priority: trivial

Status: resolved

Votes: 0

Watchers: 2