Roundcube address book login failed after upgrade to 17.0.3

Nextcloud version 17.0.3
Operating system and version Debian 9
Apache or nginx version Apache 2.4.25
PHP version 7.3

The issue you are facing:
Logging in to Roundcube webmail, I expect to find my address book, imported from NC, as usual.
Instead, the address book is empty.

Is this the first time you’ve seen this error?:
Only after upgrade, before all was fine

Steps to replicate it:

  1. Login to webmail Roundcube
  2. Go to Address Book
  3. I note that the address book is empty

The output of your Nextcloud log in Admin > Logging:

{"reqId":"XkuxoX8AAQEAAHU347YAAAAK","level":2,"time":"2020-02-18T09:43:22+00:00","remoteAddr":"1.234.567.89","user":"--","app":"core","method":"PROPFIND","url":"/cloud/remote.php/dav/addressbooks/users/user@example.org/contacts/","message":"Login failed: 'user@example.org' (Remote IP: '2.345.678.90')","userAgent":"RCM CardDAV plugin/3.0.3","version":"17.0.3.1","id":"5e4bb1bc2d675"}

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => '123455678',
  'passwordsalt' => '123456789012345678901234567890',
  'secret' => 'HGODFR/1235128238359000444394848458+',
  'trusted_domains' =>
  array (
    0 => 'server.example.org',
    1 => 'example.org',
    2 => 'www.example.org',
  ),
  'datadirectory' => '/var/www/nextcloud/public_html/data',
  'dbtype' => 'mysql',
  'version' => '17.0.3.1',
  'overwrite.cli.url' => 'https://server.example.org/cloud',
  'dbname' => 'next_example',
  'dbhost' => 'localhost',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'ncexample',
  'dbpassword' => '12345678901234456678990',
  'installed' => true,
  'maintenance' => false,
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'mail_from_address' => 'example',
  'mail_smtpmode' => 'sendmail',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'example.org',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'smtp.example.org',
  'mail_smtpsecure' => 'tls',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'example@example.org',
  'mail_smtppassword' => '12345678910',
  'twofactor_enforced' => 'false',
  'twofactor_enforced_groups' =>
  array (
    0 => 'admin',
  ),
  'twofactor_enforced_excluded_groups' =>
  array (
  ),
  'theme' => '',
  'loglevel' => 2,
  'updater.release.channel' => 'stable',
  'updater.secret' => '123456789001234566789012334556678900.',
  'app_install_overwrite' =>
  array (
    0 => 'deck',
  ),
);

The output of your Apache log:

[Tue Feb 18 09:55:14.209603 2020] [authz_core:error] [pid 29902] [client mylocalIP:57519] AH01630: client denied by server configuration: /var/www/nextcloud/public_html/data/.ocdata
[Tue Feb 18 10:40:49.663007 2020] [authz_core:error] [pid 30007] [client mylocalIP:57519] AH01630: client denied by server configuration: /var/www/nextcloud/public_html/data/.ocdata
[Tue Feb 18 10:41:33.483029 2020] [authz_core:error] [pid 30414] [client mylocalIP:57536] AH01630: client denied by server configuration: /var/www/nextcloud/public_html/data/.ocdata

Hi Friends,
I’ve installed the Michael Stilkerich Roundcube Address-Book plugin, all was fine before upgrading NC and PHP from 7.0 to 7.3.

Now I obtain an authentication error to the DAV address book, as highlighted above in the logs.

On the same NC instance there are also shared files and notes managed by the specific app, with no login issue, so one possibility is that the problem is related to the generation of the username from the plugin configuration or to the admin two-factor authentication (disabled now), but I’m not sure at all. Here is the plugin config:

// When enabled, this option hides the 'CardDAV' section inside Preferences.
$prefs['_GLOBAL']['hide_preferences'] = false;

// Scheme for storing the CardDAV passwords, in order from least to best security.
// Options:
// plain: store as plaintext
// base64: store encoded with base64 (default)
// des_key: store encrypted with global des_key of roundcube
// encrypted: store encrypted with IMAP password of the user
//            NOTE: if the IMAP password of the user changes, the stored
//             CardDAV passwords cannot be decrypted anymore and the user
//             needs to reenter them.
$prefs['_GLOBAL']['pwstore_scheme'] = 'encrypted';

// Allow suppression of the warning that PHP is too old.
//
// If true, the PHP version is not checked. Use at own risk.
// If false, the PHP version is checked and RCMCardDAV will not run if it is
// too old.
$prefs['_GLOBAL']['suppress_version_warning'] = false;

// Enable a workaround for broken sync-collection support in the
// server. RFC 6578 specifies the "sync-collection" method for
// synchronizing collections of things over WebDAV. It is more
// efficient -- but also more complicated -- than simply retrieving
// the whole collection again as necessary. As a result, some server
// implementations are buggy. Specifically DAViCal and Radicale are
// known to have problems. If changes (updates, deletions) from one
// connection do not sync to another, you can try enabling this
// workaround to revert to the inefficient-but-simple method.
$prefs['_GLOBAL']['sync_collection_workaround'] = false;

//// Preset 1: Personal
$prefs['Cloud'] = array(
        // required attributes
        'name'         =>  'Cloud',
        // will be substituted for the roundcube username
        'username'     =>  '%u',
        // will be substituted for the roundcube password
        'password'     =>  '%p',
        // %u will be substituted for the CardDAV username
        'url'          =>  'https://www.example.org:443/cloud/remote.php/dav/addressbooks/users/%u/contacts/',

        'active'       =>  true,
        'readonly'     =>  false,
        'refresh_time' => '02:00:00',

        'fixed'        =>  array( 'username' ),
        'hide'        =>  false,
);


Thanks for your help!!

Davide

what’s the output of your roundcube.log?

sometimes interpreters could be a bit tricky… and so https and example.org:443 would mark a logical tautology… why not trying it without the port?

plus a random thought: if you’re using a 3rdparty app and it breaks due to new config i would ask devs of 3rdparty app to adjust their app, at first

tail -f /var/log/roundcube/carddav
[09-May-2019 17:17:45 +0200]: <tsa863m8> In migration: 0001-categories
[09-May-2019 17:17:45 +0200]: <tsa863m8> Found 1 matches
[09-May-2019 17:17:46 +0200]: <tsa863m8> In migration: 0002-increasetextfieldlengths
[09-May-2019 17:17:46 +0200]: <tsa863m8> Found 2 matches
[09-May-2019 17:17:46 +0200]: <tsa863m8> In migration: 0003-fixtimestampdefaultvalue
[09-May-2019 17:17:46 +0200]: <tsa863m8> Found 1 matches
[09-May-2019 17:17:46 +0200]: <tsa863m8> In migration: 0004-fixtimestampdefaultvalue
[09-May-2019 17:17:46 +0200]: <tsa863m8> Found 1 matches
[09-May-2019 17:17:46 +0200]: <tsa863m8> In migration: 0005-changemysqlut8toutf8mb4
[09-May-2019 17:17:46 +0200]: <tsa863m8> Found 47 matches
[17-Feb-2020 15:50:44 +0100]: <ikp7l2p8> DISCOVERY: (retrieve_addressbooks) SEARCHING https://www.example.org:443/cloud/remote.php/dav/addressbooks/users/%u/contacts/ (Depth: 0)
[17-Feb-2020 15:50:44 +0100]: <ikp7l2p8> DISCOVERY: (cdfopen) retrieve_addressbooks requesting https://www.example.org:443/cloud/remote.php/dav/addressbooks/users/myuser@example.org/contacts/ as user myuser@example.org [RL 5]
[17-Feb-2020 15:50:44 +0100]: <ikp7l2p8> BACKEND: (update_addressbook) UPDATE addressbook
[17-Feb-2020 15:51:09 +0100]: <ikp7l2p8> DISCOVERY: (cdfopen) Code: 401
[17-Feb-2020 15:51:09 +0100]: <ikp7l2p8> DISCOVERY: (cdfopen) success: array (
  'status' => 401,
  'headers' =>
  Httpful\Response\Headers::__set_state(array(
     'headers' =>
    array (
      'date' => 'Mon, 17 Feb 2020 14:50:44 GMT',
      'server' => 'Apache/2.4.25 (Debian)',
      'strict-transport-security' => 'max-age=15552000; includeSubDomains',
      'set-cookie' => 'nc_sameSiteCookiestrict=true; path=/cloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict',
      'expires' => 'Thu, 19 Nov 1981 08:52:00 GMT',
      'cache-control' => 'no-store, no-cache, must-revalidate',
      'pragma' => 'no-cache',
      'content-security-policy' => 'default-src \'none\';',
      'x-frame-options' => 'SAMEORIGIN',
      'x-content-type-options' => 'nosniff',
      'x-xss-protection' => '1; mode=block',
      'x-robots-tag' => 'none',
      'x-download-options' => 'noopen',
      'x-permitted-cross-domain-policies' => 'none',
      'referrer-policy' => 'no-referrer',
      'content-length' => '299',
      'content-type' => 'application/xml; charset=utf-8',
    ),
  )),
  'body' => '<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
<s:exception>OCA\\DAV\\Connector\\Sabre\\Exception\\PasswordLoginForbidden</s:exception>
  <s:message/>
  <o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>
',
)
[17-Feb-2020 15:51:09 +0100]: <ikp7l2p8> DISCOVERY: (retrieve_addressbooks) Searching additional URL: https://www.example.org:443/cloud/remote.php/dav/addressbooks/users/%u/contacts/
[17-Feb-2020 15:51:09 +0100]: <ikp7l2p8> DISCOVERY: (retrieve_addressbooks) SEARCHING https://www.example.org:443/cloud/remote.php/dav/addressbooks/users/%u/contacts/ (Depth: 1)
[17-Feb-2020 15:51:09 +0100]: <ikp7l2p8> DISCOVERY: (cdfopen) retrieve_addressbooks requesting https://www.example.org:443/cloud/remote.php/dav/addressbooks/users/myuser@example.org/contacts/ as user myuser@example.org [RL 5]
[17-Feb-2020 15:51:09 +0100]: <ikp7l2p8> BACKEND: (update_addressbook) UPDATE addressbook
[17-Feb-2020 15:51:34 +0100]: <ikp7l2p8> DISCOVERY: (cdfopen) Code: 401
[17-Feb-2020 15:51:34 +0100]: <ikp7l2p8> DISCOVERY: (cdfopen) success: array (
  'status' => 401,
  'headers' =>
  Httpful\Response\Headers::__set_state(array(
     'headers' =>
    array (
      'date' => 'Mon, 17 Feb 2020 14:51:09 GMT',
      'server' => 'Apache/2.4.25 (Debian)',
      'strict-transport-security' => 'max-age=15552000; includeSubDomains',
      'set-cookie' => 'nc_sameSiteCookiestrict=true; path=/cloud; httponly;secure; expires=Fri, 31-Dec-2100 23:59:59 GMT; SameSite=strict',
      'expires' => 'Thu, 19 Nov 1981 08:52:00 GMT',
      'cache-control' => 'no-store, no-cache, must-revalidate',
      'pragma' => 'no-cache',
      'content-security-policy' => 'default-src \'none\';',
      'x-frame-options' => 'SAMEORIGIN',
      'x-content-type-options' => 'nosniff',
      'x-xss-protection' => '1; mode=block',
      'x-robots-tag' => 'none',
      'x-download-options' => 'noopen',
      'x-permitted-cross-domain-policies' => 'none',
      'referrer-policy' => 'no-referrer',
      'content-length' => '299',
      'content-type' => 'application/xml; charset=utf-8',
    ),
  )),
  'body' => '<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
<s:exception>OCA\\DAV\\Connector\\Sabre\\Exception\\PasswordLoginForbidden</s:exception>
  <s:message/>
  <o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>
',
)
[17-Feb-2020 15:51:34 +0100]: <ikp7l2p8> DISCOVERY: (retrieve_addressbooks) no principal URL found
[17-Feb-2020 15:51:34 +0100]: <ikp7l2p8> DISCOVERY: (retrieve_addressbooks) no principal URL found 

Sure, I’ve done!
I’ve written to the plugin developer and according to him this is an NC problem, but for now we don’t know for sure …

Thanks!!

Davide


well a 401-error on the roundcube.log hints into a client problem… afaik.

but ok, we’ll see about it.

on /var/log/roundcube/errors:

[18-Feb-2020 11:41:37 Europe/Berlin] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in /usr/share/roundcube/program/lib/Roundcube/rcube_plugin_api.php on line 438
[18-Feb-2020 11:41:37 Europe/Berlin] PHP Deprecated:  Function create_function() is deprecated in /usr/share/roundcube/program/include/rcmail_output_html.php on line 978

Thanks! :wink:

Davide

Tried, no changes :expressionless:

thank you again!

Davide

awww. i didn’t see that… just saw an 401-error-code somewhere.
seems as if this could be the solution. located in roundcube. dev of addressbook-app should have been aware of it

I’ve just contacted the dev (Michael Stilkerich) and informed him of your considerations as well as this specific support request!

Thanks!

Davide


I’ve opened the same support request on the Roundcube community forum.

Thanks again

Davide


I’ve found that if I try to log in to NC from the web interface with username (no @ltd) and password, it is possible, but if I try to log in with email, e.g. username@ltd, and password, the login fails!

I think that the plugin tries to log in with the entire email address, e.g. “username@ltd”.

Could this be the issue?
And if so, how can this feature be enabled?

On the login window NC says that it is possible to log in by username or by email, as the picture shows, but in my situation this is not possible.

[Screenshot from 2020-02-18 15-21-31]

Thanks again!

i really appreciate your endurance here… but i must admit that i can’t help you with those questions :frowning:

Thanks anyway :wink:


I’ve found the issue, perhaps…

On Roundcube preferences, there is the option CardDAV,
so I’ve filled in the various fields.

The first time, using the entire email address, I obtained the same error that you have seen.
The second time, using only the username, without @domain.tld, the connection was successful, populating the address book!

So the question now should be:

Why was the whole email address allowed on the previous NC version (15.0.2), while from version 15.0.14 this is no longer possible?
Or, possibly, can the previous mode (entire email address) be reactivated?

Thanks again!

Davide

The problem has been understood and resolved.

The previous Nextcloud version (15.0.4) allowed DAV connection using “email user” as well as “username”,
the new one (17.x.x) does not, only “username”; I don’t know why…
This obviously created the authentication failure, since the plugin was configured to use the entire email.

Log:

<s:exception>OCA\\DAV\\Connector\\Sabre\\Exception\\PasswordLoginForbidden</s:exception>  <s:message/> 

The solution was to change how the plugin communicates the connection string and username, substituting in the general configuration “&u” with “&l”

here:

        // will be substituted for the roundcube username
        'username'     =>  '%l',

and there:

        // %u will be substituted for the CardDAV username
        'url'          =>  'https://server.example.org:443/cloud/remote.php/dav/addressbooks/users/%l/contacts/',

Ultimately, all is well that ends well and the last one closes the door! :wink:

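A small triage helper for the two log excerpts in this thread, added here as an example (it is not code from Nextcloud, Roundcube or the RCMCardDAV plugin): it pulls failed address book logins out of a Nextcloud JSON log, flags whether the login name in the URL is in e-mail form, and extracts the SabreDAV exception and hint from a 401 body. The sample log lines, the constant names and the function names are constructed for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed samples, modelled on the log excerpts quoted in this thread.
NEXTCLOUD_LOG = '''\
{"level":2,"time":"2020-02-18T09:43:22+00:00","method":"PROPFIND","url":"/cloud/remote.php/dav/addressbooks/users/user@example.org/contacts/","message":"Login failed: 'user@example.org' (Remote IP: '192.0.2.10')","userAgent":"RCM CardDAV plugin/3.0.3"}
{"level":1,"time":"2020-02-18T09:44:01+00:00","method":"GET","url":"/cloud/index.php/apps/files/","message":"ok","userAgent":"Mozilla/5.0"}
truncated line that is not JSON
'''
DAV_401_BODY = '''<?xml version="1.0" encoding="utf-8"?>
<d:error xmlns:d="DAV:" xmlns:s="http://sabredav.org/ns" xmlns:o="http://owncloud.org/ns">
  <s:exception>OCA\\DAV\\Connector\\Sabre\\Exception\\PasswordLoginForbidden</s:exception>
  <s:message/>
  <o:hint xmlns:o="o:">password login forbidden</o:hint>
</d:error>'''

ADDRESSBOOK_URL = re.compile(r"/remote\.php/dav/addressbooks/users/([^/]+)/")


def failed_addressbook_logins(log_text):
    """Return failed logins against CardDAV address book URLs in a Nextcloud log."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            url, msg = str(rec["url"]), str(rec["message"])
        except (ValueError, KeyError, TypeError):
            continue  # not JSON, or not a request record
        match = ADDRESSBOOK_URL.search(url)
        if match and msg.startswith("Login failed"):
            login = unquote(match.group(1))
            hits.append({"time": rec.get("time"), "agent": rec.get("userAgent"),
                         "login": login, "email_form": "@" in login})
    return hits


def dav_error(body):
    """Return (exception short name, hint) from a SabreDAV error body."""
    found = {}
    for el in ET.fromstring(body.encode("utf-8")).iter():
        local = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
        if local in ("exception", "hint"):
            found[local] = (el.text or "").strip()
    return found.get("exception", "").rsplit("\\", 1)[-1], found.get("hint", "")


if __name__ == "__main__":
    print(failed_addressbook_logins(NEXTCLOUD_LOG), dav_error(DAV_401_BODY))
```

A hit with `email_form` set to true from the `RCM CardDAV plugin` user agent corresponds to the `%u` configuration discussed above; after switching to `%l` the login name in the URL no longer contains `@`.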