View Issue Details

IDProjectCategoryView StatusLast Update
0002867SOGoBackend Generalpublic2016-09-27 23:59
ReporterGunnar Weissmann Assigned Tofrancis  
PrioritynormalSeverityminorReproducibilityalways
Status resolvedResolutionfixed 
Platform[Server] LinuxOSDebianOS Version7 (Wheezy)
Product Version2.2.6 
Fixed in Version3.2.0 
Summary0002867: ACL caching with LDAP Groups
Description

We tested ACLs with users and everything worked as expected; all user rights are set immediately.

But when we do this with LDAP Groups the (e.g. removed) ACLs are not immediately active. That means, removed rights to edit events are still active for a while. When we restarted the memcached the rights are immediately active.

We think the problem is, that the memcached caches incorrectly the ACLs of LDAP groups.

The database entry for the ACLs (@GROUPNAME) is added/removed correctly.

We expect, that no ACLs from LDAP-groups are cached with memcached.

Thanks for your support.

Gunnar Weissmann

Additional Information

Reverse Proxy: nginx 1.6
Client: Webinterface (Firefox 30.0/OS X 10.9.4)

TagsNo tags attached.

Activities

Gunnar Weissmann

Gunnar Weissmann

2015-04-08 12:11

reporter   ~0008399

We have a seconds issue:

When we disabled the Login in the LDAP it was still able to login until we restarted the memcached client.

We expect that also ldap rights are not cached.

Are there any plans to review this issue?

Thank you.

ludovic

ludovic

2015-04-08 12:38

administrator   ~0008400

Not really since this would mean SOGo would have to check the LDAP server (for groups or removed logins) every time, rendering useless the whole purpose of the cache.

Just lower SOGoCacheCleanupInterval if you want.

ThomasRZ

ThomasRZ

2016-03-22 18:16

reporter   ~0009805

We are having similar problems:

  • user rights are set immediately

This means the moment I want to subscribe to a users resource, SOGo looks up if I have the required rights?

  • group rights are set after restarting memcached

Isn't a similar process like above possible here?
All acl's of every resource of the explicit user I want to subscribe to is looked through (groups are decomposed) to check if I have the required rights?

Related Changesets

sogo: master 44aa1352

2016-09-26 16:22

francis


Details Diff
Caching expiration of ACLs assigned to LDAP groups

Fixes 0002867
Affected Issues
0002867
mod - NEWS Diff File
mod - SoObjects/SOGo/SOGoGCSFolder.m Diff File

sogo: v2 5ada0024

2016-09-26 16:22

francis


Details Diff
Caching expiration of ACLs assigned to LDAP groups

Fixes 0002867
Affected Issues
0002867
mod - NEWS Diff File
mod - SoObjects/SOGo/SOGoGCSFolder.m Diff File

Issue History

Date Modified Username Field Change
2014-07-22 10:14 Gunnar Weissmann New Issue
2015-04-08 12:11 Gunnar Weissmann Note Added: 0008399
2015-04-08 12:38 ludovic Note Added: 0008400
2016-03-22 18:16 ThomasRZ Note Added: 0009805
2016-09-26 21:22 francis Changeset attached => sogo master 44aa1352
2016-09-26 21:22 francis Assigned To => francis
2016-09-26 21:22 francis Resolution open => fixed
2016-09-26 21:27 francis Changeset attached => sogo v2 5ada0024
2016-09-27 23:59 ludovic Status new => resolved
2016-09-27 23:59 ludovic Fixed in Version => 3.2.0