ID:               33500
User updated by:  ed2019 at columbia dot edu
Reported By:      ed2019 at columbia dot edu
Status:           Bogus
Bug Type:         IMAP related
Operating System: ALL
PHP Version:      5.2.0
Assigned To:      pajoye
 New Comment:

pajoye - You're the one with the power to declare whether it's a bug or
not.  Since we disagree on this point, either I don't know what a bug is
(entirely possible) or myself & the others commenting on this situation
via the bug reporter have done a poor job of explaining to you what the
situation is.

To answer the included questions:

"It could be a feature request but I do not see either how you can
force c-client to use a given authentication method. I suppose you know,
right?"

Yes, you can force c-client to use / not use a particular
authentication method.  Please see this series of e-mail messages:

http://www.mail-archive.com/imap...@u.washington.edu/msg01962.html
http://www.mail-archive.com/imap...@u.washington.edu/msg01963.html

"now, about your proposal: 1) why don't you try?"

I did discuss the issue with Crispin, please see this exchange of
e-mail messages:
http://mailman2.u.washington.edu/pipermail/imap-uw/2005-June/000101.html

Notably his response:
"I agree that c-client should try the other authentication method, but
perhaps my definition of "should" is different.  I don't mean "should"
as in "should be fixed to"; I mean "should" as "it does already." I
believe that the problem is in how PHP uses c-client."

More questions:

"2) and 3) are the same and I don't see how it could be possible. No
other clients using c-client allow that either"

For an example of an IMAP client, which uses c-client, and yet can
attach to IMAP servers which advertise multiple authentication
mechanisms please see Alpine ( http://www.washington.edu/alpine/ )

Here is a pseudo-pseudo-code example of how it could be possible.  I'm
not a strong c-coder so I leave the actual implementation to the
reader:

* Add another optional argument to the end of imap_open(), for
example:

imap_open(existing,argument,...,[NEW_ARGUMENT])

where: NEW_ARGUMENT is one or more, comma separated, of the following:
GSSAPI, PLAIN, CRAM_MD5, etc (all the auth methods which c-client
supports).

Then, before a connection is attempted, the mail_parameters thing is
set (as appears in Crispin's e-mail from 4/4/2008):

mail_parameters (NIL,DISABLE_AUTHENTICATOR,(void *) "GSSAPI");

Again, I'm not a c-coder nor familiar with the code of imap_open, but
that's at least one way to go about it.


Previous Comments:
------------------------------------------------------------------------

[2009-04-27 16:43:47] paj...@php.net

There is no bug regarding this problem in php, like it or not.

It could be a feature request but I do not see either how you can
force c-client to use a given authentication method. I suppose you know,
right?

now, about your proposal:

 1) why don't you try?
 2) and 3) are the same and I don't see how it could be possible. No
other clients using c-client allow that either

------------------------------------------------------------------------

[2009-04-27 16:09:36] ed2019 at columbia dot edu

Hi again-
     In response to the reference to Joe's comment on the Red Hat bug
list about how the c-client code stops retrying, my response is - so
what?  Many other applications built on top of c-client manage to
authenticate via IMAP / PLAIN to these same servers.  The key is that
c-client already includes a mechanism for connecting to a server with
multiple advertised methods - you can give it an argument and tell it
which one to use.
     There are at least three ways to "fix" this bug:

1) Convince Mark Crispin (c-client's author) to modify c-client so that
it tries all the advertised authentication methods.  I.e. proclaim that
it's not a PHP bug, that instead the library should be changed to work
with imap_open's flaws.
 
2) Add an argument/flag/option to imap_open so that the programmer can
specify the authentication method to try.  I.e. Give the PHP developer
access to more of the working functionality of the underlying library.

3) Modify PHP's imap_open() so that it will try multiple authentication
methods.  

     I understand that deciding that #1 is the "right answer" carries
with it the additional benefit that no one needs to admit that this is a
PHP bug.  However, it's a bit ridiculous considering all of the other
applications which depend on c-client and can handle authenticating to
these servers.  Please review like-minded comments from at least 5 other
persons on this bug.
     I whole-heartedly encourage the maintainer to re-designate this as
a real bug.

------------------------------------------------------------------------

[2009-04-27 15:54:06] ed2019 at columbia dot edu

Hi-
     I was the original submitter of this bug four years ago, but I
felt I should write to clear up a little confusion which has popped up
from pajoye at php.net.
     Mark Crispin's c-client (which is the library underlying PHP's
IMAP stuff) can authenticate to IMAP servers using various methods,
including but not limited to PLAIN and GSSAPI.  You can specify when
calling the c-client library which authentication method to use.  When
you're going to authenticate with kerberos/GSSAPI, you would provide a
certain set of client credentials.  When you want to authenticate with
PLAIN, you provide a different set of credentials (namely, username and
password).
     The problem with PHP's imap_open() is that it does not allow you
to specify which of these authentication methods to use, nor does it
guess correctly from the credentials you provide it.  The setup, as I
encountered it, is/was:

1) Your code wants to authenticate to an IMAP server with a username &
password.  These credentials are appropriate for PLAIN authentication.

2) You call imap_open() and pass it the username & password.

3) imap_open() (through c-client) contacts the server and attempts to
authenticate via GSSAPI, which fails.  imap_open() then gives up.

     So, the bug in this case is that imap_open needs an argument of
some sort which tells it NOT to try using GSSAPI, and instead to try
using PLAIN authentication.  Perhaps something like [authmethod ={PLAIN
|| GSSAPI || ...}] , which would then be passed through to the c-client
implementation.
     Make no mistake about it, there is no way around this bug with
PHP's broken imap_open().  If you have an imap server which advertises
both authentication methods, there is no way to authenticate to that
server with the PLAIN method - even though the server is configured
correctly, and the underlying c-client IMAP library supports it. 
imap_open() is not tickling the c-client library correctly to get the
proper result.

------------------------------------------------------------------------

[2009-04-27 15:17:18] paj...@php.net

Bug or feature in c-client. As Joe already explained in the RH bug
report, the first thing auth_gssapi_client does is to disable any
retry:

auth_gss.c:98 (2007e)
  *trial = 65535;               /* never retry */

Please get an explanation in the UW mailing list but there is nothing
PHP can do about that.

------------------------------------------------------------------------

[2009-04-27 15:03:49] paj...@php.net

The authentication method is compiled in cclient. Are you sure your
cclient package supports kerberos or GSS?

For windows, I'm verifying that it works with 5.3.0 (we use the latest
c-client for 5.3+).

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/33500
