One of our users just found an interesting issue. They can log into the WebApp with any password. Put in any valid username and ‘jdhfjkasdhkjfhasdk’ (or whatever you want) into the password field, and it will log you into that user’s mailbox. I just updated to the latest stable version of the server and webapp, in case it was a previous bug, and the issue is still there. I’m not sure when it was introduced, as this server is used almost exclusively with ActiveSync.
This is what I saw in the server.log:
LDAP (simple) bind on uid=burgessja,dc=domain,dc=com failed: Invalid credentials
Sun Dec 2 14:54:33 2018: [warning] Authentication by plugin failed for user "burgessja": Trying to authenticate failed: Failure connecting any of the LDAP servers; username = burgessja
So far, I have tested logging in with z-push/ActiveSync, and those do require valid passwords. phpLDAPadmin and OpenLDAP also require valid passwords, so it doesn’t seem to be an issue with the back end.
I have another Kopano server running, but it is using FreeIPA as the backend, and does not seem to have this issue. I’m not sure where to start with this problem, as I thought the kopano-server process handled LDAP authentication, and the WebApp used it for verification.
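The log excerpt above shows the shape of a classic fail-open bug: the directory answered "Invalid credentials", the plugin reported it only as "Failure connecting any of the LDAP servers", and the caller then has no way to tell "wrong password" from "could not check". The following is an added, constructed illustration of that pattern and its fix; it is not code from the post, from kopano-server or from the WebApp, and it makes no claim about how Kopano actually implements authentication. The directory contents, server names and function names are all invented for the example.

```python
"""Fail-open vs. fail-closed login when an LDAP plugin loses the bind verdict.

Constructed example. The directory, server names and plugin structure are
invented; none of this is Kopano code.
"""
import logging
from typing import Optional

log = logging.getLogger("server")

BASE_DN = "dc=domain,dc=com"
# Constructed directory: uid -> password (hypothetical test data).
DIRECTORY = {"burgessja": "correct horse battery staple"}


class InvalidCredentials(Exception):
    """The directory reached a verdict: the password is wrong."""


class LdapUnreachable(Exception):
    """No server produced a usable result (no verdict at all)."""


def ldap_simple_bind(server: str, uid: str, password: str) -> None:
    """Model of one simple bind against one server. Raises on a bad password."""
    dn = f"uid={uid},{BASE_DN}"
    if DIRECTORY.get(uid) != password:
        log.warning("LDAP (simple) bind on %s failed: Invalid credentials (%s)", dn, server)
        raise InvalidCredentials(dn)


def plugin_lossy(uid: str, password: str, servers=("ldap1", "ldap2")) -> Optional[bool]:
    """Anti-pattern: every bind error, including a definite 'Invalid credentials',
    is treated as 'this server did not work' and the next server is tried. When
    the list is exhausted the caller only learns 'Failure connecting any of the
    LDAP servers', so the function can never return False, only True or None."""
    for server in servers:
        try:
            ldap_simple_bind(server, uid, password)
            return True
        except InvalidCredentials:
            continue  # BUG: a verdict is discarded as if it were a transport error
    log.warning('Authentication by plugin failed for user "%s": %s', uid,
                "Failure connecting any of the LDAP servers")
    return None


def plugin_strict(uid: str, password: str, servers=("ldap1", "ldap2")) -> Optional[bool]:
    """Fixed plugin: a bind that reaches the server and is rejected is a final
    False; only a genuine connection failure yields None."""
    for server in servers:
        try:
            ldap_simple_bind(server, uid, password)
            return True
        except InvalidCredentials:
            return False
        except LdapUnreachable:
            continue
    return None


def login_fail_open(uid: str, password: str, plugin=plugin_lossy) -> bool:
    """Caller that only refuses an explicit False. With plugin_lossy the
    verdict is always None for a wrong password, so any password logs in."""
    verdict = plugin(uid, password)
    return verdict is not False  # BUG: 'no verdict' is treated as success


def login_fail_closed(uid: str, password: str, plugin=plugin_strict) -> bool:
    """Caller that requires a positive verdict; None (could not check) is a deny."""
    verdict = plugin(uid, password)
    return verdict is True


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    junk = "jdhfjkasdhkjfhasdk"
    print("fail-open, junk password:  ", login_fail_open("burgessja", junk))
    print("fail-closed, junk password:", login_fail_closed("burgessja", junk))
    print("fail-closed, real password:", login_fail_closed("burgessja", DIRECTORY["burgessja"]))
```

The two things to check in a real deployment are the same two things the example separates: whether the plugin layer preserves the difference between "rejected" and "unreachable", and whether the layer that creates the session requires a positive result rather than merely the absence of a negative one.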